[Moderator: Bruce Schneier and Mudge recently released a paper on problems
with the PPTP protocol. I haven't had a chance to read it yet, but I know
from their past work it will be great. I mention this for further
reading.]
From: Patrick Bryant <pbryant@pbryant.com>
1) EXPLOIT: MS PPTP can be subjected to a denial of service attack merely
by telnetting to port 1723 at the PPTP server, typing a few random
characters, and disconnecting. The service is effectively shut down until
the server is rebooted. By its very nature, most system administrators
must allow full access to this port in order to allow remote users access
to the system.
IMPACT: Denial of service.
SOLUTION: There is no complete solution; however, limiting access to TCP port
1723 at the firewall/router will reduce the scope of available attackers
(and also reduce the scope of available users) at the PPTP server.
2) BACKGROUND: PPTP requires end-to-end connectivity for NetBIOS name
services at UDP port 137 in order to facilitate network browsing. Without
this connectivity, shared objects on the remote server cannot be viewed in
"network neighborhood" (without a fallback to using NetBEUI). Traffic
originating from the remote user on UDP port 137 *is not tunneled* in the
encrypted connection (via generic router encapsulation) but instead sent
in the clear.
EXPLOIT: The name of the user is sent in the clear via UDP port 137
datagrams, which partially circumvents the purpose of the secure channel
offered by PPTP.
SOLUTION: No complete solution. Blocking UDP at both the remote user end
(which is difficult to accomplish) and at the server will stop the
transmission of the sensitive data contained in the datagrams. The user
and server must then both be running NetBEUI to provide minimal network
browsing capability.
--
See http://rs.internic.net/cgi-bin/whois?pb371
for additional contact information.
Received on Mon Jun 22 08:27:59 1998
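
Added example (not part of the original post): a small decoder for auditing what item 2 describes, namely which NetBIOS names appear in UDP port 137 datagrams observed outside the PPTP tunnel. The sample datagram, the name JSMITH and the helper names are constructed for illustration; the code assumes the standard first-level name encoding and that the <03> suffix is the one registered for the logged-on user.

```python
import struct

# Common NetBIOS suffix bytes (16th byte of the name).
SUFFIXES = {0x00: "workstation", 0x03: "messenger (computer or logged-on user)",
            0x20: "file server"}

def encode_name(name: str, suffix: int) -> bytes:
    """First-level encode a NetBIOS name: pad to 15 chars, append the suffix
    byte, then map every nibble to a letter 'A'..'P'."""
    raw = name.upper()[:15].ljust(15).encode("ascii") + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))

def decode_question(payload: bytes):
    """Return (name, suffix) from the first question of a name-service
    datagram, or None if the payload is not well formed."""
    if len(payload) < 12 + 1 + 32 + 1 + 4:
        return None
    qdcount = struct.unpack_from("!H", payload, 4)[0]
    if qdcount < 1 or payload[12] != 0x20:   # label length must be 32
        return None
    enc = payload[13:45]
    if any(not 0x41 <= b <= 0x50 for b in enc):
        return None
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def cleartext_names(datagrams):
    """datagrams: iterable of (udp_dst_port, payload) captured outside the
    tunnel. Returns the names exposed on port 137 with their suffix meaning."""
    found = []
    for port, payload in datagrams:
        q = decode_question(payload) if port == 137 else None
        if q:
            found.append((q[0], SUFFIXES.get(q[1], hex(q[1]))))
    return found

# Constructed sample: broadcast name query for JSMITH<03>.
SAMPLE = (struct.pack("!6H", 0x1234, 0x0110, 1, 0, 0, 0) + b"\x20" +
          encode_name("JSMITH", 0x03) + b"\x00" + struct.pack("!2H", 0x20, 1))

if __name__ == "__main__":
    for name, kind in cleartext_names([(137, SAMPLE), (1723, b"xx")]):
        print(f"cleartext NetBIOS name outside tunnel: {name} [{kind}]")
```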