COMMAND

    WinGate

SYSTEMS AFFECTED

    WinGate 3.0

PROBLEM

    The following is based on an eEye Digital Security advisory.
    WinGate 3.0 has three vulnerabilities:

        1. Read any file on the remote system.
        2. DoS the WinGate service.
        3. Decrypt WinGate passwords.

    1. Read any file on the remote system
    =====================================
    The WinGate Log File service has in the past had holes where you
    can read any file on the system. Those holes still seem to be
    there, and some new ways of doing it have cropped up.

        http://www.server.com:8010/c:/ - NT/Win9x
        http://www.server.com:8010// - NT/Win9x
        http://www.server.com:8010/..../ - Win9x

    Each of the above URLs will list all files on the remote machine.
    There are a few reasons why we were not sure if we were going to
    post this information. By default all WinGate services are set
    so that only 127.0.0.1 can use the service. However, the purpose
    of the log file service is to let users view the logs remotely, so
    chances are that people using the log file service are not going
    to leave it on 127.0.0.1. Also, by default "Browse" is enabled in
    the WinGate settings. We are not sure if the developers intended
    the Browse option to mean the whole hard drive. The main reason
    eEye did put this in the advisory is that the average person using
    WinGate (cable modem users, etc.) is not the brightest of people
    and will open the Log Service so that everyone has access to it.
    We understand there are papers out there saying not to do this,
    and even the program itself says not to, but the average person
    will not let this register in their head as a bad thing, so the
    software should at least make it as secure as possible.
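
    An added example, not taken from the eEye advisory or from
    WinGate's code: a path check that a log-serving HTTP service could
    apply so that the three URL forms listed above are refused. The
    function name and the rule set (no drive colon, no empty or
    dot-only component, no backslash or '%') are assumptions made for
    illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: true only if url_path (the part after host:port)
 * stays inside the directory the log service is meant to expose. */
bool log_path_is_safe(const char *url_path)
{
    const char *p = url_path;

    if (*p != '/')
        return false;                 /* must be an absolute URL path */
    p++;

    while (*p != '\0') {
        size_t len = strcspn(p, "/"); /* length of this path component */
        size_t i, dots = 0;

        if (len == 0)
            return false;             /* empty component, as in "//" */
        for (i = 0; i < len; i++) {
            unsigned char c = (unsigned char)p[i];
            /* ':' is a drive letter ("c:"); '\\' is a Windows separator;
             * '%' is refused so nothing is decoded after this check. */
            if (c == ':' || c == '\\' || c == '%' || c < 0x20)
                return false;
            if (c == '.')
                dots++;
        }
        if (dots == len)
            return false;             /* ".", "..", "....": dot-only names */
        p += len;
        if (*p == '/')
            p++;                      /* step over one separator only */
    }
    return true;
}

int main(void)
{
    /* Paths of the three URLs in the advisory, plus one constructed
     * benign file name for comparison. */
    const char *samples[] = { "/c:/", "//", "/..../", "/wingate.log" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s %s\n", samples[i],
               log_path_is_safe(samples[i]) ? "allow" : "reject");
    return 0;
}
```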

    2. DoS the WinGate Service
    ==========================
    The Winsock Redirector Service sits on port 2080. If you connect
    to it, send 2000 characters, and disconnect, all WinGate services
    will crash.

    3. Decrypt the WinGate passwords
    ================================
    The registry keys where WinGate stores its passwords are  insecure
    and  let  everyone  read  them.   Therefore  anyone  can  get  the
    passwords and decrypt them.  Code follows:

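        // ChrisA@eEye.com
        // Mike@eEye.com

        #include <stdio.h>
        #include <string.h>

        // Decode the WinGate password string given as argv[1].
        int main(int argc, char *argv[]) {
            size_t i, len;

            if (argc < 2) {
                fprintf(stderr, "usage: %s <encoded-password>\n", argv[0]);
                return 1;
            }
            len = strlen(argv[1]);
            // Each character is XORed with twice its 1-based position.
            for (i = 0; i < len; i++)
                putchar(argv[1][i] ^ (char)((i + 1) << 1));
            return 0;
        }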

SOLUTION

    The news is WinGate is taking  steps to fix the problem. Look  for
    patches soon.