Problem:
All of the Wingate server settings are stored in "HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate".
This makes it possible for anyone with registry editing permissions (remote or physical) to change Wingate
settings.

Details:
With about 10 minutes of exploration of the Wingate settings I was able to re-enable the Guest account (which I
had disabled) and give it administration access with no password. Since all the settings for the Wingate server are
kept in the registry, it is possible to change anything about the server, from what the server returns on
errors to enabling or disabling services.
The attack I've currently experimented with is giving Guest admin access. This was accomplished by
completing the following steps:
	-Locate the account in "HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\UserDatabase\(username here)".
In this case we will be looking for Guest, so all the options for Guest are located under
"HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\UserDatabase\Guest". For my fingers' sake, all keys or
values I refer to are under that directory for the moment.
	-Let's say that the Guest account is not enabled. To find out if it is enabled, look at the
"AccountEnabled" value: if the account is not enabled, it would be set to `0' or a way long number. If the
account is enabled, the "AccountEnabled" value would be set to `1'. Simple enough.
	-Now that the Guest account is enabled, you want to remove the Guest account password. The password
looks encrypted to me, which means we just cut it out. So set "Password" to nothing. Once again, very simple;
anyone can do this.
	-And to finish up, we go to
"HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\UserDatabase\Administrators\Members". We add a numeric
value to this key, call it the username you want to gain access with, and set it to zero.

You will be required to restart the Wingate engine to get any setting changes made this way to work, but if
you have physical access, this shouldn't be too hard. If you have remote access, using a DoS to restart
the whole system, or possibly some sort of trojan to kill and restart the process, wouldn't be too
difficult either.

With full admin access to the system, you won't need to worry about using any other sort of registry 
configurations, but remember, that they may be logging, and that may cause problems. So you may 
also want to edit various other things in the registry. Since I've only spent about 30 minutes
exploring this hole since first finding it, I can only give some ideas.
"HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\Services" seems to contain some or
most of the services and their settings. It's a good idea to try and experiment on your own.
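
A defensive check for the changes described above, as an added example (not part of the original advisory and
not Qbik's code): it parses a REGEDIT4-format export of the UserDatabase key and reports enabled accounts with
an empty password and unexpected entries under Administrators\Members. The sample export, the value types
(dword and string) and the function names are assumptions.

```python
import re

# UserDatabase key named in the advisory.
BASE = r"HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\UserDatabase"

# Constructed sample export (REGEDIT4 text format). Value types are assumed.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\UserDatabase\Administrator]
"AccountEnabled"=dword:00000001
"Password"="constructed-ciphertext"

[HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\UserDatabase\Guest]
"AccountEnabled"=dword:00000001
"Password"=""

[HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\UserDatabase\Administrators\Members]
"Administrator"=dword:00000000
"Guest"=dword:00000000
'''

VALUE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Return {key_path: {value_name: int or str}} for dword and string values."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE.match(line)):
            name, dword, string = m.groups()
            current[name] = int(dword, 16) if dword is not None else string
    return keys

def audit(text, expected_admins):
    """Flag enabled accounts with an empty password and unexpected admin members."""
    keys, findings = parse_reg(text), []
    base = BASE.lower() + "\\"          # registry paths are case-insensitive
    allowed = {a.lower() for a in expected_admins}
    for path, values in keys.items():
        user = path[len(base):]
        if not path.lower().startswith(base) or "\\" in user:
            continue                     # not a direct account key
        if values.get("AccountEnabled") == 1 and values.get("Password", "") == "":
            findings.append(("enabled-no-password", user))
    members = {k.lower(): v for k, v in keys.items()}.get(base + r"administrators\members", {})
    findings += [("unexpected-admin", n) for n in members if n.lower() not in allowed]
    return findings
```

Calling audit(SAMPLE_EXPORT, {"Administrator"}) on the constructed export reports Guest twice: once as an
enabled account with no password and once as an unexpected administrator.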

Term's Final Thoughts:
This hole is partly the administrator's fault for not putting any protection on the server's registry in
the first place. But it can also be blamed on the makers of Wingate for not throwing the configuration
into a file and using some sort of encryption on it. Overall, Wingate is a great product when the OS is
configured properly, and it is configured properly; I'm using it to get my other computers on the net
over my dial-up connection. Qbik Software has NOT been notified about this, because they don't
need to be; it's not really their problem. As always, this is for educational use only, and was not
meant to gain access to someone else's server. I take no responsibility if you do that; it was your
own damn fault that you got caught.

Greets go out to Katesy, and Zarkov

TermAnnex
Craigm@mail.islandnet.com http://www.islandnet.com/~craigm/
The 14.4 modems own you all!