COMMAND

    PPTP

SYSTEMS AFFECTED

    Win systems

PROBLEM

    Counterpane  has  released   a  paper  describing   a  number   of
    vulnerabilities in PPTP. You can find it at:

        http://www.counterpane.com/pptp.html

    Here is a small summary of the vulnerabilities described.

    1) Breaking MS-CHAP. The fact that you can crack the
       challenge/response via a dictionary attack has been known for a
       while. What the paper shows is that it is easier than normal.
       In the case of MS-CHAP the LANMAN hash is broken into three
       pieces. These three pieces can be cracked independently, just
       like the two sections of the LANMAN hash. They fail to mention
       that the latest version of the software has the ability to not
       send the LANMAN based hash. Alan Ramsbottom added the following.
       Firstly, outside North America we only get the (not-quite)
       40-bit version of PPTP which IMO is a fairly good reason for not
       touching it with a 10-foot pole. Secondly, this weekend's PPTP
       fix to prevent the LANMAN hashes being sent only works when
       (not-quite) 128-bit authentication is enabled on the client
       ..so we don't get that either.

    2) MPPE does not encrypt all PPP packets, only those carrying data
       (protocol number between 0x0021 and 0x00fa). This means you can
       attack the PPP protocol itself, e.g. by spoofing the
       configuration packet containing the DNS server info.

    3) Claiming that PPTP is either 40-bit or 128-bit secure is
       misleading. The session key is derived from the user's
       password, which will have a much lower entropy. The only way to
       reach true 40-bit or 128-bit security is by generating a random
       session key.

    4) They state that the same key is used in both directions. This
       is a no-no when using stream ciphers.

    5) Since RC4 is an output-feedback mode stream cipher you can flip
       bits in the stream. This may be used to attack the protocol
       within the tunnel if the attacker can make a good guess at what
       the packets are.
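    The following Python, added here as an illustration and not part of
    the paper or of any Microsoft code, shows why items 4 and 5 matter
    for an RC4-based cipher such as MPPE: a ciphertext bit flipped in
    transit flips the same plaintext bit, one key shared by both
    directions lets the two keystreams cancel, and a keyed MAC over the
    ciphertext (the mitigation; the key, MAC key and sample packets are
    constructed here) detects the modification before decryption.

```python
import hashlib
import hmac

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA); MPPE of this era used RC4 as its cipher."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same XOR with the keystream.
    return xor(data, rc4_keystream(key, len(data)))

def flip_in_transit(ciphertext: bytes, offset: int, mask: bytes) -> bytes:
    """Item 5: XOR a mask into the ciphertext; the same bits flip in the
    plaintext after decryption, and no key is needed to do it."""
    end = offset + len(mask)
    return ciphertext[:offset] + xor(ciphertext[offset:end], mask) + ciphertext[end:]

def xor_of_both_directions(key: bytes, pt_c2s: bytes, pt_s2c: bytes) -> bytes:
    """Item 4: with one key for both directions the two keystreams are equal,
    so XORing the two ciphertexts cancels them and leaves pt_c2s XOR pt_s2c."""
    return xor(rc4_encrypt(key, pt_c2s), rc4_encrypt(key, pt_s2c))

def seal(key: bytes, mac_key: bytes, data: bytes) -> bytes:
    """Mitigation for item 5: append a keyed MAC (HMAC-SHA256) over the ciphertext."""
    ct = rc4_encrypt(key, data)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(key: bytes, mac_key: bytes, blob: bytes):
    """Verify the MAC before decrypting; return None on any modification."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    return rc4_encrypt(key, ct)
```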

    6) They mention a resynchronization attack. They fail to mention
       that the new stateless mode of operation described in the new
       draft and implemented in the latest Windows NT PPTP update and
       Windows DUN 1.3 (is this out?) makes this attack useless.

    7) They  describe  how  to  obtain  some information by  passively
       monitoring the client/server communications.

    8) Implementation errors on Windows NT that caused Blue Screens
       when malformed control channel packets were sent to it.

    9) Windows 95  leaks information over  the control channel  by not
       zeroing buffers. Random data appears in them.

    Additional discussion by Aleph One can be found at:

        http://listserv.ntbugtraq.com/scripts/wa-ntbt.exe?A2=ind9805&L=ntbugtraq&F=&S=&P=663
        http://listserv.ntbugtraq.com/scripts/wa-ntbt.exe?A2=ind9806&L=ntbugtraq&F=&S=&P=172
        http://listserv.ntbugtraq.com/scripts/wa-ntbt.exe?A2=ind9806&L=ntbugtraq&F=&S=&P=265

    The following software is affected by this vulnerability:

        - MS Dialup Networking 1.2x and earlier on Windows 95
        - MS Remote Access Services on Windows NT 4.0 (both client and
          server)
        - MS Routing and Remote Access Services on Win NT Server 4.0
        - Microsoft Windows 98 Dialup Networking

SOLUTION

    Microsoft claims it will enhance the control channel in future
    updates to authenticate each control packet. A Microsoft hotfix
    addresses part of this:

        ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/pptp2-fix

    Amongst other things the PPTP fix seems to implement the latest
    MPPE spec functionality, i.e. the fix to Aleph One's reset-request
    attack. It also includes the MSCHAP change to prevent LANMAN hashes
    from being sent, but only when the client is set to require 128-bit
    encryption.

    Microsoft also released a set of patches that fix several security
    issues with implementations of the Point-to-Point Tunneling
    Protocol (PPTP) used in Microsoft Virtual Private Networking (VPN)
    products. Customers using the affected software listed below to
    secure communications over a public network (i.e. the Internet)
    should download and apply these patches as soon as possible.

    Potential vulnerabilities addressed by these updates include:

        - Dictionary  attack  against  the LAN Manager  authentication
          information
        - Password theft
        - PPTP server spoofing
        - Reuse of MPPE session keys

    Complete URLs for each affected software version are given below:

        * NT:
        ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/pptp3-fix/
        ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/rras30-fix/

        * Win95:
        ftp://ftp.microsoft.com/softlib/mslfiles/msdun13.exe

        * Win98:
        ftp://ftp.microsoft.com/softlib/mslfiles/dun40.exe