- Problem:
- All of the wingate server settings are stored in "HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate".
- This makes it possible for anyone with registry editing permissions (remote or physical) to change wingate
- settings.
-
- Details:
- With about 10 minutes of exploration of the wingate settings I was able to re-enable the Guest account (which I
- had disabled) and give it administration access with no password. Since all the settings for the wingate server are
- kept in the registry, it is possible to change anything about the server, from what the server returns on
- errors, to enabling or disabling services.
- The attack I've currently experimented with is giving Guest admin access; this was accomplished by
- completing the following steps:
- -Locate the account in "HKEY_LOCAL_MACHINE\Software\Qbik
- Software\Wingate\UserDatabase\(username here)". In this case we will be looking for Guest, so all
- the options for Guest are located under "HKEY_LOCAL_MACHINE\Software\Qbik
- Software\Wingate\UserDatabase\Guest". For my fingers' sake, all keys or values I refer to are under
- that directory for the moment.
- -Let's say that the guest account is not enabled. To find out whether it is enabled, look at the
- "AccountEnabled" value: if the account is not enabled it would be set to `0' or a way long number. If the
- account is enabled the "AccountEnabled" value would be set to `1'. Simple enough.
- -Now that the Guest account is enabled, you want to remove the guest account password.
- The password looks encrypted to me, which means we just cut it out. So set "Password" to nothing. Once
- again, very simple; anyone can do this.
- -And to finish up, we go to "HKEY_LOCAL_MACHINE\Software\Qbik
- Software\Wingate\UserDatabase\Administrators\Members". We add a numeric value to this key, call
- it the username you want to gain access with, and set it to zero.
-
- You will be required to restart the wingate engine to get any setting changes made this way to work, but if
- you have physical access, this shouldn't be too hard. If you have remote access, using a DoS to restart
- the whole system, or possibly some sort of trojan to kill and restart the process, wouldn't be too
- difficult either.
-
- With full admin access to the system, you won't need to worry about using any other sort of registry
- configurations, but remember, that they may be logging, and that may cause problems. So you may
- also want to edit various other things in the registry. Since I've only spent about 30 minutes
- exploring this hole since first finding it, I can only give some ideas.
- "HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\Services" seems to contain some or
- most of the services and their settings. It's a good idea to try and experiment on your own.
-
- Term's Final Thoughts:
- This hole is partly the administrator's fault for not putting any protection on the server's registry in
- the first place. But can also be blamed on the makers of Wingate for not throwing the configuration
- into a file and using some sort of encryption on it. Overall wingate is a great product when the OS is
- configured properly, and it is configured properly, I'm using it to get my other computers on the net
- over my dial up connection. Qbik Software has NOT been notified about this, because they don't
- need to be; it's not really their problem. As always, this is for educational use only, and was not
- meant to gain access to someone else's server, I take no responsibility if you do that, it was your
- own damn fault that you got caught.
-
- Greets go out to Katesy, and Zarkov
-
- TermAnnex
- Craigm@mail.islandnet.com http://www.islandnet.com/~craigm/
- The 14.4 modems own you all!
-
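For administrators who want to check a server for the registry state described in the steps above, here is an added example (not part of the original advisory and not Qbik's code). It audits the text of a registry export for enabled accounts with an empty "Password" and for unexpected names under "Administrators\Members". The sample export, the "Operator" and "Administrator" names, the value types and the function names are constructed assumptions.

```python
import re

# Constructed sample in .reg export style; value types are assumptions.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\UserDatabase\Guest]
"AccountEnabled"=dword:00000001
"Password"=""

[HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\UserDatabase\Operator]
"AccountEnabled"=dword:00000001
"Password"="<opaque>"

[HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\UserDatabase\Administrators\Members]
"Administrator"=dword:00000000
"Guest"=dword:00000000
'''

BASE = r"HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\UserDatabase"
MEMBERS = BASE + r"\Administrators\Members"

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from .reg-style text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys

def audit(text, expected_admins):
    """Flag the registry states the advisory describes."""
    findings = []
    allowed = {a.lower() for a in expected_admins}
    for path, values in parse_reg(text).items():
        low = path.lower()  # registry paths are case-insensitive
        if low == MEMBERS.lower():
            # Every value name under Members is an administrator.
            findings += [("unexpected-admin", n) for n in values
                         if n.lower() not in allowed]
        elif low.startswith(BASE.lower() + "\\") and "AccountEnabled" in values:
            enabled = values["AccountEnabled"].lower() == "dword:00000001"
            # A missing, empty-string or empty-binary Password counts as blank.
            if enabled and values.get("Password", '""') in ('""', "hex:"):
                findings.append(("enabled-no-password", path[len(BASE) + 1:]))
    return findings
```

Pass `audit` the decoded text of an export of the Wingate key and the set of account names that are supposed to be administrators; an empty list means none of the described changes are present.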