Problem: All of the wingate server settings are stored in "HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate". This makes it possible for anyone with registry editing permissions (remote or physical) to change wingate settings.

Details: With about 10 minutes of exploration of the wingate settings I was able to re-enable the Guest account (which I had disabled) and give it administration access with no password. Since all the settings for the wingate server are kept in the registry, it is possible to change anything about the server, from what the server returns on errors to enabling or disabling services.

The attacks I've experimented with so far have been along the lines of giving Guest admin access. This was accomplished by completing the following steps:

- Locate the account in "HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\UserDatabase\(username here)". In this case we will be looking for Guest, so all the options for Guest are located under "HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\UserDatabase\Guest". For my fingers' sake, all keys or values I refer to are under that directory for the moment.

- Let's say that the Guest account is not enabled. To find out whether it is enabled, look at the "AccountEnabled" value: for an account that is not enabled it would be set to `0' or a way long number. If the account is enabled, the "AccountEnabled" value would be set to `1'. Simple enough.

- Now that the Guest account is enabled, you want to take the Guest account password out. The password looks encrypted to me, which means we just cut it out. So set "Password" to nothing. Once again, very simple; anyone can do this.

- And to finish up, we get into "HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\UserDatabase\Administrators\Members". We add a numeric value to this key, call it the username you want to gain access with, and set it to zero.
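For an administrator checking a server for the state these steps leave behind, the following audit is an added example and not part of the original advisory. It reads a regedit text export of the key and reports enabled accounts whose "Password" value is empty, noting whether they appear under Administrators\Members. The export is constructed, the function names are hypothetical, and the value encodings (dword for "AccountEnabled", string for "Password") are assumptions.

```python
import re

# Key path as given in the advisory; the value encodings are assumptions.
BASE = r"HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\UserDatabase".lower()
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
ENABLED = ("dword:00000001", '"1"')   # advisory: enabled accounts hold 1
EMPTY = ('""', "hex:")                # blank string or zero-length binary

# Constructed regedit export for illustration, not from a real server.
SAMPLE_EXPORT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\UserDatabase\Administrator]
"AccountEnabled"=dword:00000001
"Password"="constructed-placeholder"

[HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\UserDatabase\Guest]
"AccountEnabled"=dword:00000001
"Password"=""

[HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\UserDatabase\Administrators\Members]
"Guest"=dword:00000000
'''

def parse_reg(text):
    """Map lowercased key path -> {lowercased value name: raw data}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1).lower()] = m.group(2)
    return keys

def audit(text):
    """Return sorted (user, issue) pairs for enabled accounts with no password."""
    keys = parse_reg(text)
    admins = set(keys.get(BASE + r"\administrators\members", {}))
    findings = []
    for path, vals in keys.items():
        user = path[len(BASE) + 1:]  # registry names are case-insensitive
        is_user_key = path.startswith(BASE + "\\") and "\\" not in user
        if not is_user_key or vals.get("accountenabled") not in ENABLED:
            continue  # only enabled accounts directly under UserDatabase
        if vals.get("password", '""') in EMPTY:
            role = "administrator" if user in admins else "user"
            findings.append((user, f"enabled {role} with empty password"))
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(f"{u}: {i}" for u, i in audit(SAMPLE_EXPORT)))
```

A missing "Password" value is treated the same as an empty one.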
You will be required to restart the wingate engine to get any setting changes made this way to work, but if you have physical access, this shouldn't be too hard. If you have remote access, using a DOS to restart the whole system, or possibly some sort of trojan to kill and restart the process, wouldn't be too difficult either.

With full admin access to the system, you won't need to worry about using any other sort of registry configurations, but remember that they may be logging, and that may cause problems. So you may also want to edit various other things in the registry. Since I've only spent about 30 minutes exploring this hole since first finding it, I can only give some ideas. "HKEY_LOCAL_MACHINE\Software\Qbik Software\Wingate\Services" seems to contain some or most of the services and their settings; it's a good idea to try and experiment on your own.

Term's Final Thoughts: This hole is partly the administrator's fault for not putting any protection on the server's registry in the first place. But it can also be blamed on the makers of Wingate for not throwing the configuration into a file and using some sort of encryption on it. Overall wingate is a great product when the OS is configured properly, and it is configured properly; I'm using it to get my other computers on the net over my dial-up connection.

Qbik Software has NOT been notified about this, because they don't need to be; it's not really their problem.

As always, this is for educational use only, and was not meant to gain access to someone else's server. I take no responsibility if you do that; it was your own damn fault that you got caught.

Greets go out to Katesy, and Zarkov

TermAnnex
Craigm@mail.islandnet.com
http://www.islandnet.com/~craigm/
The 14.4 modems own you all!