WinGate version 2.1 Exploitable Vulnerability tested on Wingate version 2.1 SYSTEMS AFFECTED WinOS running Wingate 2.1 PROBLEM The problem is in the WinGate LogFile service being accessable to anyone by default and poor programming on the part of Deerfield Communications Company. IMPACT If the LogFile service is not reconfigured after install then any remote user can access the WinGate servers harddrive having readaccess to any file on the same drive as the WinGate installation. EXPLOIT WinGate servers that are running the LogFile Service, listen for connections on TCP Port 8010. By opening a HTTP session to this port you will either get a "connection cannot be established" or a listing of directories on the remote drive wingate was installed upon. SOLUTION Under your WinGate "GateKeeper" make sure your LogFile Service Bindings do not allow connections coming in on any interface. Basically as with any WinGate situation, deny access from all IP's except for the trusted IPs on your internal network or possbile remote IPs that you might use to check your system from a remote location. NOTE This is the second time that Rhino9 has released an advisory about WinGate. WinGate was recently recoded to stop the "WinGate bounce exploit" and will need to be recoded or patched for this current advisory. We are not knocking WinGate... it is a good product just needs some work. WinGate can be almost unbreakable if you configure it right by only allowing trusted IPs etc... The contents of this advisory are Copyright (c) 1998 the Rhino9 security research team, this document may be distributed freely, as long as proper credit is given.