It's late and this probably makes little sense. Here it is anyway. About a year ago I was involved in a discussion in the NTSecurity mailing list regarding the security of PPTP (Microsoft's Point-to-Point Tunneling Protocol). At the time I claimed that MS's badly written protocol and their choice of a stream cipher could be coerced into leaking information. Recently a few people have been asking if this is indeed the case. Strangely enough MS seems to be tight quiet about the subject and has responded to several email on the subject. Neither have I for that matter. I really haven't looked a PPTP since then and all my information was based from reading the protocol spec. Not from looking at bits in the wired. I've gotten enough inquiries (hi Vin) that I gave this thing a look again. MS has since published a new MPPE draft. Here I'll try to describe have I see as problems with PPTP. NOTICE: This is a late night hack. I am basing all my theories in the published specs for the different protocols. MS may have implemented things differently and all of this may just be a figment of my imagination. What's more the spec are rather vague and there is plenty of space for interpretation. As always if you want real answers break out the sniffer. The players: GRE - Is generic encapsulation protocol. As usual MS uses their own variant. GRE is described in RFC 1701 and 1702. PPP - A point-to-point networking protocol. PPTP - PPTP uses GRE to tunnel PPP and adds a connections setup and control protocol. For the details on the protocol check the PPTP Technical Specification at http://hooah.com/workshop/prog/prog-gen/pptp.htm. MS-CHAP - This is MS variant of CHAP. It is a challenge response authentication algorithm, it has nothing to do with encrypting the channel. Other than supplying the challenge. It also has two sub-protocols for changing passwords. The drafts are draft-ietf-pppext-mschap-00.txt. MPPE - Microsoft Point-To-Pint Encryption Protocol. This is the protocol in charge of generating a key and encrypting the session. The drafts are draft-ietf-pppext-mppe-00.txt and draft-ietf-pppext-mppe-01.txt. Top lever overview: PPTP creates a connection setup and control channel using TCP to the PPTP server. Using this connection PPTP establishes a new GRE tunnel. This GRE tunnel will carry PPP packets from the client to the server. The client will authenticate to the server via MS-CHAP and will then encrypt all PPP data packets using MPPE. Enough acronyms for you? Lets get dirty: PPTP PPTP creates a connection setup and control channel to the server via TCP. Originally this was port 5678. Later on MS changed it to 1723. This connection is not authenticated in any way. It is easy for Mallory to take over the TCP stream. She can know issue a Stop Session Request command. This will close the control channel and at the same time ALL active calls will be cleared. You may obtain the same results by RST'ing the TCP connection. YMMV. GRE PPP packets are encapsulated in GRE and tunneled via IP. GRE uses protocol number is 47. GRE packets are similar in some respects to TCP segments. They both may carry a sequence number and acknowledgement number. GRE also uses a sliding windows to avoid congestation. This has some important implications. It means that if we want to spoof PPP packets encapsulated in GRE we will desynchronize the GRE channel. A possible way around this is the use of the "S" flag in the GRE header. This flag tells the end point if this GRE packet has a sequence number. It is possible that a badly coded implementation will accept a GRE packet with data even if it does not have a sequence number. This is because in the original GRE standard the use of sequence numbers was optional. The spec does not mention how an end system should act if it receives a GRE packet with a duplicate sequence number. It may simply discard it and send another ACK. This would mean we do not need to resynchronize GRE at all! The other end will send an ACK for the the packet we spoofed and encapsulated PPP should not become desynchronized. Also it is interesting to note that the original GRE draft many options to do things like source routing that are left as implementation specific. If you open a hole in your firewall for GRE just so you can use PPTP you might be letting in more than you think. Someone with more time in their hands may want to investigate what NT does with hand crafted GRE packets. MS-CHAP MS-CHAP is a challenge response protocol. The server sends the client an 8 byte challenge. The client then computes a response by encrypting the challenge with the NT one way hash or with the LANMAN one way hash. It may compute and send both or just one. These can be easily sniffed and put through a tool like L0phtcrack. MS-CHAP has two sub-protocols for changing passwords. In version one the client encrypts the new and old hashes (NT & LANMAN) with the challenge the server sent over the wire. As you can imagine a passive attacker can simply decrypt the hashes and steal them. Version two is smarter. It encrypts the new hashes with the old hashes and encrypts the old hashes with the new hashes. Only the server which knows the old hashes will be able to decrypt the new hashes and use these to decrypt the old hashes and verify the user is who he says. Of curse all of this is vulnerable to a man in the middle attack. In a sense this is the same problem as Paul Ashton discussed with regards of Internet Explorer doing NTLM authentication with any web server. Also note that the server cant tell the client to only use the NT hashes. At best all it can do is fail to authenticate the client if it ever sends the LANMAN hashes, but at that point they will already have made it across the network. MPPE The are two drafts for MPPE. The Dec 1996 draft and the Apr 1998 one. (A year and a half for a draft revision?). I'll discuss the 1996 version first. MPPE uses RC4, a stream cipher, to encrypt the PPP datagrams. It currently supports session keys of 40 and 128 bit, although more key lengths can be defined. MMPE is actually negotiated as a PPP compression control protocol. The 40-bit session key is derived from the first 8 bytes of the LANMAN hash. This session key will be the same for all sessions. The 128-bit session key is derived from the first 16 of the MD4 hash of the first 16 bytes of the NT hash and the challenge sent by the server. Don't ask me why the need to hash the NT hash again. This session key will be different across sessions as long as the server sends different challenges. MPPE being a sub-protocol of PPP, a datagram protocol, does not expect a reliable link. Instead if maintains a 12 bit counter for each packet to keep the encryption tables synchronized. If it ever sees a packet with a packet count it is not expecting it sends a CCP Reset-Request packet to the other end to resynchronize the tables. The other end upon seeing a CCP Reset-Request packet will re-initialize the RC4 tables using the current session key. The next packet it sends will have the flushed bit set. This will indicate to the other end if should re-initialize is own tables. In this way the resynchronize. Note that the protocol draft is rather vague. For example it does not state if you have two coherency counts - one for each direction. This is the only sensible thing so I am assuming this is the way it works. Every time the low order byte of the sequence number equals 0xFF (every 256 packets) the session keys are regenerated based on the original session key and the current session key. The encrypted part of the packet contain a two(?) byte protocol ID followed by a network packet (e.g. IP header + TCP header + data). What does this all mean to us? Well it means we can force both ends of the connection to keep encrypting their packets with the same key until the low order sequence number reaches 256. For example assume that Alice and Bob has just set up the communication channel. They both have initialized they session key and expect a packet sequence of zero. Alice -> Bob Alice sends Bob a packet numbered zero encrypted the with the cipher stream generated by the RC4 cipher and increments her sent coherency count to one. Bob receives the packet, decrypts it, and increments his receive coherency count to 1. Mallory (Bob) -> Alice Mallory sends Alice a spoofed (remember this is a datagram protocol - assuming we don't desynchronize GRE) CCP Reset-Request packet. Alice Alice immediately re-initialized the RC4 tables to their original state. Alice -> Bob Alice sends another packet to Bob. This packet will be encrypted with the SAME cipher stream as the last packet. The packet will also have the FLUSHED bit set. This will make Bob re-initialize its own RC4 tables. Mallory can continue to play this game up to a total of 256 times after which the session key WILL be changed. By this point Mallory will have collected 256 packets from Alice to Bob all encrypted with the same cipher stream. Furthermore, since Alice and Bob start with the same session key in each direction Mallory can play the same game in the opposite direction, collection another 256 packets encrypted with the same cipher stream as the ones going from Alice to Bob!!! Now most of these encrypted packets will have very common structures (IP headers, TCP headers, etc). Any cryptoanalyst worth its salt should be able to decrypt the stream with this much data to work with. The Apr 1998 version of the draft add a "stateless mode" option to the negotiated packet. This option tells MPPE to change the session key after every packet. In the Security Consideration section they admit that different packets may be encrypted with the same key. They also added an option to use a 40-bit key derived from the NT hash. In the Security Considerations section they state that 40-bit session keys are the same across all sessions. This is wrong. Only the 40-bit session key derived from the LANMAN hash is the same across sessions. The 40-bit key derived from the NT hash is also derived from the MS-CHAP server challenge. This "stateless mode" seems like a band-aid. Why the hell are you going to change the session key of a stream cipher after each packet? By doing this you loose all the performance. If you are using a good algorithm, (and RC4 is good) then you should be able to use the session key longer than that. The problem is than attacker can force the protocol to reset it state. This is a no-no with stream ciphers. So instead of fixing the broken, unauthenticated CPP Reset-Request, and using the different session keys in each direction we see this hack. Under this new "stateless mode" Mallory can no longer force Alice and Bob the resynchronize to the same RC4 state. But Mallory can still make their life difficult. The draft states that if a receiver gets a packet with a coherency count larger than what it expects it must change its key as many times as needed to synchronize with the packet's coherency count so it can be unencrypted. Well what do you think happens if Alice expect a coherency count of zero and Mallory sends her a spoofed packet from Bob with a coherency count of 4095? Well she is going to perform 4095 key generations. Thats 4095 calls to the SHA hash function. Although SHA is a fast hash function a flood of these types of packets may drive the CPU usage noticeably high. More interesting is the fact that the draft does not state what happens when Bob then tries to send a real packet to Alice with a coherency count much lower than that expected by Alice in stateless mode. Alice cant go back to an earlier session key. She can only move forward. Are they now completely out of sync? I don't know. This is more someone else to find out. Implementation Bugs At least one denial of server bug has already been found in PPTP. Kevin Wormington posted a program to BugTraq in November of last year that will crash an NT server running PPTP. Who many more are just waiting to be found? http://www.geek-girl.com/bugtraq/1997_4/0386.html Conclusion: PPTP may be an useful tool if you don't have the most stringent security requirements, but if you do stay way from it. Although MS tried to build a secure protocol the are to many unauthenticated control packets that can be spoofed to make this a weak protocol. The lesson to be learned is that you must authenticate EVERYTHING. Call setup and control, retransmission, synchronization, etc. Comments, gifts, death threats are welcome. Aleph One / aleph1at_private http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:17 PDT