Bugtraq mailing list archives
Rhino9: WinGate Vulnerability
From: aleph1 () DFW NET (Aleph One)
Date: Sun, 29 Mar 1998 02:15:20 -0600
http://207.98.195.250/advisories/06.htm

WinGate version 2.1 Exploitable Vulnerability
Tested on WinGate version 2.1

SYSTEMS AFFECTED

WinOS running WinGate 2.1

PROBLEM

The problem is in the WinGate LogFile service being accessible to anyone by default and poor programming on the part of Deerfield Communications Company.

IMPACT

If the LogFile service is not reconfigured after install then any remote user can access the WinGate server's hard drive, having read access to any file on the same drive as the WinGate installation.

EXPLOIT

WinGate servers that are running the LogFile Service listen for connections on TCP Port 8010. By opening an HTTP session to this port you will either get a "connection cannot be established" or a listing of directories on the remote drive WinGate was installed upon.

SOLUTION

Under your WinGate "GateKeeper" make sure your LogFile Service Bindings do not allow connections coming in on any interface. Basically, as with any WinGate situation, deny access from all IPs except for the trusted IPs on your internal network or possible remote IPs that you might use to check your system from a remote location.

NOTE

This is the second time that Rhino9 has released an advisory about WinGate. WinGate was recently recoded to stop the "WinGate bounce exploit" and will need to be recoded or patched for this current advisory. We are not knocking WinGate... it is a good product, it just needs some work. WinGate can be almost unbreakable if you configure it right by only allowing trusted IPs etc...

The contents of this advisory are Copyright (c) 1998 the Rhino9 security research team, this document may be distributed freely, as long as proper credit is given.
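One way to verify the SOLUTION above on a WinGate host, as an added example that is not part of the Rhino9 advisory: this Python sketch parses `netstat -an` output and flags a TCP 8010 listener bound outside the trusted ranges, as well as established LogFile sessions from untrusted addresses. The trusted ranges and the netstat sample are constructed assumptions; substitute your own internal networks.

```python
import ipaddress

LOGFILE_PORT = "8010"  # TCP port of the WinGate LogFile service, per the advisory

# Assumption: trusted internal ranges for this site (constructed values).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "127.0.0.0/8")]

# Constructed sample of Windows `netstat -an` output, not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:8010           0.0.0.0:0              LISTENING
  TCP    192.168.1.1:8010       192.168.1.23:1045      ESTABLISHED
  TCP    203.0.113.5:8010       198.51.100.77:2210     ESTABLISHED
  TCP    192.168.1.1:1080       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:53             *:*
"""

def split_endpoint(endpoint):
    """Split 'host:port' on the last colon; strip IPv6 brackets from the host."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def is_trusted(addr):
    """True if addr falls inside one of the trusted networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)

def audit_logfile_service(netstat_text):
    """Return (finding, address) tuples for the LogFile service port."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP":
            continue  # headers, blank lines, UDP rows
        (lhost, lport), (rhost, _) = split_endpoint(fields[1]), split_endpoint(fields[2])
        if lport != LOGFILE_PORT:
            continue
        # A wildcard (0.0.0.0) or external-interface listener accepts remote clients.
        if fields[3] == "LISTENING" and not is_trusted(lhost):
            findings.append(("exposed-binding", lhost))
        elif fields[3] == "ESTABLISHED" and not is_trusted(rhost):
            findings.append(("untrusted-client", rhost))
    return findings

if __name__ == "__main__":
    for kind, addr in audit_logfile_service(SAMPLE_NETSTAT):
        print(f"{kind}: {addr}")
```

A listener bound only to an address inside the trusted ranges produces no finding, which is the state the advisory's SOLUTION section asks for.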
