Rhino9: WinGate Vulnerability

Aleph One (aleph1@DFW.NET)
Sun, 29 Mar 1998 02:15:20 -0600

http://207.98.195.250/advisories/06.htm

WinGate version 2.1 Exploitable

Vulnerability tested on WinGate version 2.1

SYSTEMS AFFECTED
WinOS running WinGate 2.1

PROBLEM
The problem is that the WinGate LogFile service is accessible to
anyone by default, combined with poor programming on the part of
Deerfield Communications Company.

IMPACT
If the LogFile service is not reconfigured after install, then any
remote user can access the WinGate server's hard drive, with read access
to any file on the same drive as the WinGate installation.

EXPLOIT
WinGate servers that are running the LogFile Service listen for
connections on TCP port 8010. By opening an HTTP session to this port
you will either get a "connection cannot be established" or a listing
of directories on the remote drive WinGate was installed upon.

SOLUTION
Under your WinGate "GateKeeper", make sure your LogFile Service
Bindings do not allow connections coming in on any interface.
Basically, as with any WinGate situation, deny access from all IPs
except for the trusted IPs on your internal network or possible remote
IPs that you might use to check your system from a remote location.
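
As an added illustration of the SOLUTION above (not part of the Rhino9 advisory and not WinGate's own code), the following Python example audits a trusted-IP list for entries that admit more than a single outside host and flags connections to TCP port 8010 from sources outside that list. The CIDR allowlist, the "source_ip dest_port" log format and all addresses are constructed assumptions; GateKeeper's own configuration format is not used.

```python
import ipaddress

LOGFILE_PORT = 8010  # TCP port of the WinGate LogFile service, per the advisory

# Constructed allowlist (assumption): internal LAN plus one remote admin host.
TRUSTED = ["192.168.0.0/24", "203.0.113.7/32"]

# Constructed records (assumption): "source_ip dest_port", e.g. from a firewall log.
SAMPLE_LOG = """\
192.168.0.14 8010
198.51.100.23 8010
203.0.113.7 8010
198.51.100.23 80
not-an-ip 8010
"""

# Internal (RFC 1918) ranges; IPv4 only, matching the era of the product.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def overly_broad(allowlist):
    """Return entries that are not internal yet cover more than one host."""
    flagged = []
    for entry in allowlist:
        net = ipaddress.ip_network(entry, strict=False)
        internal = any(net.subnet_of(r) for r in RFC1918)
        if not internal and net.num_addresses > 1:
            flagged.append(entry)
    return flagged

def untrusted_logfile_hits(log_text, allowlist):
    """Return sources that reached the LogFile port but are not on the allowlist."""
    nets = [ipaddress.ip_network(e, strict=False) for e in allowlist]
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[1] != str(LOGFILE_PORT):
            continue  # malformed record or a different service
        try:
            src = ipaddress.ip_address(parts[0])
        except ValueError:
            hits.append(parts[0])  # unparseable source is treated as untrusted
            continue
        if not any(src in n for n in nets):
            hits.append(parts[0])
    return hits

if __name__ == "__main__":
    print("Overly broad entries:", overly_broad(TRUSTED))
    print("Untrusted hits on 8010:", untrusted_logfile_hits(SAMPLE_LOG, TRUSTED))
```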

NOTE
This is the second time that Rhino9 has released an advisory about
WinGate. WinGate was recently recoded to stop the "WinGate bounce
exploit" and will need to be recoded or patched for this current
advisory. We are not knocking WinGate... it is a good product, it just
needs some work. WinGate can be almost unbreakable if you configure it
right by only allowing trusted IPs etc...

The contents of this advisory are Copyright (c) 1998 the Rhino9
security research team. This document may be distributed freely, as
long as proper credit is given.