qcred11
QUOTE


I. BACKGROUND

WinGate is an Internet sharing and proxy application that allows for
monitoring and remote administration. More information is available at
http://www.wingate.com/product-wingate.php

II. DESCRIPTION

Remote exploitation of an input validation vulnerability in Qbik WinGate
allows attackers to retrieve arbitrary system files.

WinGate authenticates proxy users via a Java applet served through a
built-in web server. The following request causes the server to retrieve
a file from its root directory, which is equivalent to the install
directory:

    http://wingate.example.com/wingate-internal/filename

It is possible to retrieve arbitrary files outside the context of the
root directory by preceding the path with an extra slash in the case of
WinGate 5 and two extra slashes in the case of WinGate 6. For example:

    http://wingate5.example.com/wingate-internal//path
    http://wingate6.example.com/wingate-internal///path

III. ANALYSIS

Successful exploitation allows unauthenticated remote attackers to
retrieve the contents of arbitrary files. WinGate, by default, runs
under the context of LocalSystem, allowing for the retrieval of backup
Windows SAM files.

IV. DETECTION

iDEFENSE has confirmed that WinGate version 5.2.3 build 901 and version
6.0 beta 2 build 942 are vulnerable. Version 5.0.5 is also reported as
vulnerable. It is suspected that earlier versions are vulnerable as
well.

V. WORKAROUND

Disable the WWW Proxy server.
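
The advisory describes the trigger precisely: a request under `/wingate-internal/` whose path begins with one (WinGate 5) or two (WinGate 6) extra slashes escapes the install directory. As an added example that is not part of the post or of the iDEFENSE advisory, the Python below scans constructed web-server access-log lines for that pattern and, beside a naive path join that reproduces the failure class, shows the containment check a file-serving handler needs. The Common Log Format, the root path `/opt/wingate` and every log line are constructed for the example; WinGate's real log format is not on the page.

```python
"""Detect the /wingate-internal/ extra-slash pattern in access logs and
show the path-containment check that prevents it.

Added example, not WinGate or iDEFENSE code. The log format, the
sample lines and the root directory are constructed assumptions.
"""
import posixpath
import re
from typing import List, NamedTuple

# Common Log Format: client, identity, user, [timestamp] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The advisory's prefix followed by one or more extra slashes. One extra
# slash is the WinGate 5 trigger, two the WinGate 6 trigger; flag any count.
TRAVERSAL_RE = re.compile(r'^/wingate-internal/(?P<extra>/+)', re.IGNORECASE)

# Constructed sample log lines (documentation IP ranges, invented files).
LOG_LINES = [
    '203.0.113.5 - - [10/Mar/2005:12:00:01 +0000] "GET /wingate-internal/logon.html HTTP/1.0" 200 512',
    '203.0.113.5 - - [10/Mar/2005:12:00:02 +0000] "GET /wingate-internal//example.txt HTTP/1.0" 200 211',
    '198.51.100.7 - - [10/Mar/2005:12:00:03 +0000] "GET /wingate-internal///system32/repair/sam HTTP/1.0" 200 24576',
    '198.51.100.7 - - [10/Mar/2005:12:00:04 +0000] "GET /index.html HTTP/1.0" 200 1024',
    'not a log line at all',
]


class Finding(NamedTuple):
    ip: str
    path: str
    extra_slashes: int
    status: str


def classify_request(path: str) -> int:
    """Return the number of extra leading slashes after /wingate-internal/ (0 = normal)."""
    m = TRAVERSAL_RE.match(path)
    return len(m.group('extra')) if m else 0


def scan_log(lines: List[str]) -> List[Finding]:
    """Parse each line; keep requests that match the traversal pattern.

    Lines that do not parse are skipped rather than raising, so a partially
    corrupt log still yields findings for the rest.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        n = classify_request(m.group('path'))
        if n:
            findings.append(Finding(m.group('ip'), m.group('path'), n, m.group('status')))
    return findings


def naive_resolve(root: str, requested: str) -> str:
    """The failure class: join without checking the result.

    posixpath.join discards root as soon as the requested component is
    absolute, so a leading slash in user input selects any file on disk.
    """
    return posixpath.join(root, requested)


def safe_resolve(root: str, requested: str):
    """Strip leading slashes, normalise dot segments, then require the
    candidate to lie under root. Returns None when it does not."""
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip('/')))
    base = root.rstrip('/')
    if candidate != base and not candidate.startswith(base + '/'):
        return None
    return candidate


if __name__ == '__main__':
    for f in scan_log(LOG_LINES):
        print(f'{f.ip} requested {f.path} ({f.extra_slashes} extra slash(es), status {f.status})')
    print('naive:', naive_resolve('/opt/wingate', '//system32/repair/sam'))
    print('safe: ', safe_resolve('/opt/wingate', '//system32/repair/sam'))
```

The detector keys on the slash count rather than on any particular file name, because the advisory's trigger is the malformed prefix, not the target; `safe_resolve` shows why stripping the leading slashes before the join, then checking the normalised result against the root, closes both the extra-slash case and the ordinary `..` case.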

Icarus
Interesting, thanks a lot.
nebojsa
OK, I tested it, works perfectly. I downloaded the system32/repair/sam from the remote host; this can be useful if the admin had made a backup of his SAM file!
But for other cases it's not very useful because of no rights of execution... or perhaps I missed something.
slynx
Jeeze... you know how many people use WinGate? I don't, but I remember it being
a large number...

Thanks for the post.
Invision Power Board © 2001-2005 Invision Power Services, Inc.