[ISN] Microsoft PPTP DoS Exploit, PPTP clients send user names in the clear via NetBIOS name services

From: mea culpa (jerichoat_private)
Date: Sun Jun 21 1998 - 23:10:14 PDT


    [Moderator: Bruce Schneier and Mudge recently released a paper on problems
     with the PPTP protocol. I haven't had a chance to read it yet, but I know
     from their past work it will be great. I mention this for further
     reading.]
    
    From: Patrick Bryant <pbryantat_private>
    
    
    1) EXPLOIT: MS PPTP can be subjected to a denial of service attack merely
    by telnetting to port 1723 at the PPTP server, typing a few random
    characters, and disconnecting.  The service is effectively shut down until
    the server is rebooted.  By its very nature, most system administrators
    must allow full access to this port in order to allow remote users access
    to the system. 
    
    IMPACT: Denial of service.
    
    SOLUTION: There is no complete solution, however limiting access to TCP port
    1723 at the firewall/router will reduce the scope of available attackers
    (and also reduce the scope of available users) at the PPTP server. 
    
    2) BACKGROUND: PPTP requires end-to-end connectivity for NetBIOS name
    services at UDP port 137 in order to facilitate network browsing.  Without
    this connectivity, shared objects on the remote server cannot be viewed in
    "network neighborhood" (without a fallback to using NetBEUI).  Traffic
    originating from the remote user on UDP port 137 *is not tunneled* in the
    encrypted connection (via generic router encapsulation) but instead sent
    in the clear. 
    
    EXPLOIT: The name of the user is sent in the clear via UDP port 137
    datagrams, which partially circumvents the purpose of the secure channel
    offered by PPTP. 
    
    SOLUTION: No complete solution.  Blocking UDP at both the remote user end
    (which is difficult to accomplish) and at the server will stop the
    transmission of the sensitive data contained in the datagrams.  The user
    and server must then both be running NetBEUI to provide minimal network
    browsing capability. 
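An added example, not part of Patrick Bryant's post or the ISN list: a small Python audit check for the second issue, assuming packets captured on the PPTP server's outside interface are available as dicts with `ip_proto`, `dport` and `payload`. It decodes the RFC 1001 first-level NetBIOS name encoding and reports any UDP/137 name-service datagram that arrives outside the GRE tunnel, which is how a defender verifies that the UDP block described above is actually in effect; the suffix meanings (0x03 messenger = logged-on user name) are Microsoft conventions assumed here.

```python
import struct

GRE, UDP, NBNS_PORT = 47, 17, 137   # GRE carries the PPTP data channel; NBNS is UDP/137
# Suffix byte meanings are a Microsoft convention (assumption), not part of RFC 1001
SUFFIX = {0x00: "workstation", 0x03: "messenger/logged-on user", 0x20: "file server"}
OPCODE = {0: "query", 5: "registration"}

def encode_nb_name(name: str, suffix: int) -> bytes:
    # RFC 1001 s14.1 first-level encoding: 15 padded chars + suffix, each nibble -> 'A'+nibble
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))

def decode_nb_name(enc: bytes) -> tuple[str, int]:
    # Inverse of encode_nb_name; returns (name, suffix)
    if len(enc) != 32 or any(not 0x41 <= b <= 0x50 for b in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]

def build_nbns(name: str, suffix: int, opcode: int) -> bytes:
    # Constructed NBNS datagram: 12-byte header then one question (QTYPE NB=0x20, class IN)
    hdr = struct.pack(">HHHHHH", 0x1234, (opcode & 0xF) << 11, 1, 0, 0, 0)
    return hdr + b"\x20" + encode_nb_name(name, suffix) + b"\x00" + struct.pack(">HH", 0x20, 1)

def parse_nbns(payload: bytes) -> tuple[str, int, int]:
    # Extract (name, suffix, opcode) from the first question record
    _, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if qdcount < 1 or payload[12] != 0x20:
        raise ValueError("no standard NetBIOS question present")
    name, suffix = decode_nb_name(payload[13:45])
    return name, suffix, (flags >> 11) & 0xF

def find_cleartext_nbns(packets) -> list[str]:
    # Packets are dicts {ip_proto, dport, payload} as seen on the server's outside interface.
    # Anything inside GRE is the encrypted PPP tunnel and is skipped; bare UDP/137 is the leak.
    hits = []
    for p in packets:
        if p["ip_proto"] == UDP and p["dport"] == NBNS_PORT:
            name, suffix, op = parse_nbns(p["payload"])
            hits.append(f"{OPCODE.get(op, op)} of {name}<{suffix:02x}> "
                        f"({SUFFIX.get(suffix, 'other')}) sent in the clear")
    return hits

# Constructed sample: two bare NBNS datagrams and one GRE packet (protocol 47) that is ignored
SAMPLE = [
    {"ip_proto": UDP, "dport": NBNS_PORT, "payload": build_nbns("JDOE", 0x03, 5)},
    {"ip_proto": GRE, "dport": None, "payload": b"\x30\x01\x88\x0b" + b"\x00" * 12},
    {"ip_proto": UDP, "dport": NBNS_PORT, "payload": build_nbns("FILESRV", 0x20, 0)},
]
```

Running `find_cleartext_nbns(SAMPLE)` on a real capture that returns an empty list is the evidence that the UDP 137 block at the server is working; any hit names exactly what a passive observer on the path could read.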
    
    --
    
    See http://rs.internic.net/cgi-bin/whois?pb371
    for additional contact information.
    
    