Another WinGate hole -- this time with the LogFile service

Summary
Description:The WinGate Logfile service basically puts up a web server on port 8010 giving full read access to the victim's hard drive(!)
Author:HKirk <hkirk@tech-point.com>
Compromise:Remote read access to a Wingate user's hard drive
Vulnerable Systems:Windows users who run Wingate. This program is a huge security hole, a much better (cheaper, more secure, more robust, better performing) solution is to install a Linux gateway with IP masquerading.
Date:29 March 1998
Details


Date: Sun, 29 Mar 1998 00:29:08 -0500
From: HKirk <hkirk@tech-point.com>
To: BUGTRAQ@NETSPACE.ORG
Subject: Hole.

Exploitable flaw in the New Version of WinGate... The Deerfield company
released this new version to fix previous flaws found by our team...
Keep tryin guys.. and we will keep you on your toes.

http://207.98.195.250/advisories/

NeonSurge
The Rhino9 Team
http://207.98.195.250/
     [Links]      [Image][Image]
                  [Image]
[About]                  WinGate version 2.1 Exploitable
[Updates]
[Contact]                Vulnerability tested on Wingate version 2.1
[Advisories]
[Texts]                  SYSTEMS AFFECTED
[Products]               WinOS running Wingate 2.1
[Tools]
[Links]                  PROBLEM
                         The problem is in the WinGate LogFile service
                         being accessable to anyone by default and poor
                         programming on the part of
                         Deerfield Communications Company.

                         IMPACT
                         If the LogFile service is not reconfigured after
                         install then any remote user can access the
                         WinGate servers harddrive having readaccess to any
                         file on the same drive as the WinGate
                         installation.

                         EXPLOIT
                         WinGate servers that are running the LogFile
                         Service, listen for connections on TCP Port 8010.
                         By opening a HTTP session to this port you will
                         either get a "connection cannot be established" or
                         a listing of directories on the remote drive
                         wingate was installed upon.

                         SOLUTION
                         Under your WinGate "GateKeeper" make sure your
                         LogFile Service Bindings do not allow connections
                         coming in on any interface. Basically as with any
                         WinGate situation, deny access from all IP's
                         except for the
                         trusted IPs on your internal network or possbile
                         remote IPs that you might use to check your system
                         from a remote location.

                         NOTE
                         This is the second time that Rhino9 has released
                         an advisory about WinGate. WinGate was recently
                         recoded to stop the "WinGate bounce exploit" and
                         will need to be recoded or patched for this
                         current advisory. We are not knocking WinGate...
                         it is a good product just needs some work. WinGate
                         can be almost unbreakable if you configure it
                         right by only allowing trusted IPs etc...

                         The contents of this advisory are Copyright (c)
                         1998 the Rhino9 security research team, this
                         document may be distributed freely, as long as
                         proper credit is given.

                         [Image]

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]