[ISN] Microsoft PPTP DoS Exploit, PPTP clients send user names in the clear via NetBIOS name services

From: mea culpa (jerichoat_private)
Date: Sun Jun 21 1998 - 23:10:14 PDT

Next message: mea culpa: "Re: [ISN] Microsoft PPTP DoS Exploit, ..NetBIOS.."

Previous message: mea culpa: "[ISN] ANSIR Security ALERT"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Moderator: Bruce Schneir and Mudge recently released a paper on problems
 with the PPTP protocol. I haven't had a chance to read it yet, but I know
 from their past work it will be great. I mention this for further
 reading.]

From: Patrick Bryant <pbryantat_private>


1) EXPLOIT: MS PPTP can be subjected to a denial of service attack merely
by telnetting to port 1723 at the PPTP server, typing a few random
characters, and disconnecting.  The service is effectively shut down until
the server is rebooted.  By its very nature, most system administrators
must allow full access to this port in order to allow remote users access
to the system. 

IMPACT: Denial of service.

SOLUTION: The is no complete solution, however limiting access to TCP port
1723 at the firewall/router will reduce the scope of available attackers
(and also reduce the scope of available users) at the PPTP server. 

2) BACKGROUND: PPTP requires end-to-end connectivity for NetBOIS name
services at UDP port 137 in order to facilitate network browsing.  Without
this connectivity, shared objects on the remote server cannot be viewed in
"network neighborhood" (without a fallback to using NetBEUI).  Traffic
originating from the remote user on UDP port 137 *is not tunnled* in the
encrypted connection (via generic router encapsulation) but instead sent
in the clear. 

EXPLOIT: The name of the user is sent in the clear via UDP port 137
datagrams, which partially circumvents the purpose of the secure channel
offered by PPTP. 

SOLUTION: No complete solution.  Blocking UDP at both the remote user end
(which is difficult to accomplish) and at the server will stop the
transmission of the sensitive data contained in the datagrams.  The user
and server must then both be running NetBEUI to provide minimal network
browsing capability. 

--

See http://rs.internic.net/cgi-bin/whois?pb371
for additional contact information.


-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

Next message: mea culpa: "Re: [ISN] Microsoft PPTP DoS Exploit, ..NetBIOS.."
Previous message: mea culpa: "[ISN] ANSIR Security ALERT"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:56:30 PDT