COMMAND

    PPTP

SYSTEMS AFFECTED

    Watchguard Firebox II PPTP

PROBLEM

    The following is based on Defcom Labs Advisory def-2001-07.  By
    sending malformed PPTP packets to the Watchguard, it is possible to
    cause the PPTP daemon to terminate.  A reboot is then required to
    restore PPTP functionality on the Watchguard.

    This has been tested under:
    * Policy manager version 4.50-B1780
    * Watchguard product version 4.50-612

    Previous firmware versions are likely to be vulnerable as well.

    Connecting to the PPTP port with telnet roughly 12 times and
    disconnecting causes the PPTP daemon to terminate.  When it does
    so, all connected users are disconnected and no new connections
    are accepted.

    If you look at the traffic monitor during the attack, it will look
    like this:

        pptpd[113]:  Watchguard pptpd 2.2.0 started
        pptpd[113]:  Using interface pptp0
        kernel:  pptp0: daemon attached.
        pptpd[113]:  Connect: pptp0 [0] <--> 10.2.0.7
        pptpd[113]:  User "test" at 10.45.0.150 logged in
        pptpd[113]:  Add Host 7 10.45.0.150 pptp_users test succeeded
        pptpd[113]:  Compression enabled
        pptpd[113]:  Using PPTP encryption RC4 128-bit.
        pptpd[113]:  Not using any PPTP software compression.
        pptpd[113]:  Using stateless mode.
        pptpd[113]:  Allowing unsafe packet transfer mode for lossy links.
        pptpd[113]:  local  IP address 10.45.0.9
        pptpd[113]:  remote IP address 10.45.0.150
        pptpd[113]:  found interface eth1 for proxy arp
        tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
        tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
        tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
        tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
        tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
        tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
        tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
        tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
        tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
        tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
        tunneld[95]:  process_rfds: exceeded maximum number of consecutive bad packets from 10.2.0.7
        pptpd[113]:  Terminating on signal 2.
        pptpd[113]:  Connection terminated.
        pptpd[113]:  Persist flag not set, so we are exiting.
        kernel:  pptp0: pptp_sock_close
        pptpd[113]:  Drop Host 7 10.45.0.150 pptp_users test succeeded
        pptpd[113]:  User "test" at 10.45.0.150 logged out
        pptpd[113]:  Exit.
        tunneld[95]:  TERMINATED
        init[1]:  Pid 95: exit 0

    The  only  way  to  get  the  daemon  up again is by rebooting the
    firewall.
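    As an added illustration (not part of the Defcom advisory or any
    Watchguard tooling), the following check scans exported traffic
    monitor lines for the failure pattern shown above: it counts
    tunneld "received bad packet" lines per source, records sources
    that tripped the daemon's consecutive-bad-packet limit, and flags
    the tunneld TERMINATED line, after which PPTP stays down until the
    firewall reboots.  The sample lines are constructed from the
    excerpt above, and the field layout and regular expressions are
    assumptions based on that excerpt.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the traffic monitor excerpt above.
SAMPLE_LOG = """\
pptpd[113]:  User "test" at 10.45.0.150 logged in
tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
tunneld[95]:  process_rfds: exceeded maximum number of consecutive bad packets from 10.2.0.7
pptpd[113]:  Terminating on signal 2.
pptpd[113]:  Exit.
tunneld[95]:  TERMINATED
"""

# Patterns assumed from the excerpt; the process id in brackets varies per boot.
BAD_PACKET = re.compile(r"tunneld\[\d+\]:\s+process_rfds: received bad packet from (\S+)")
LIMIT_HIT = re.compile(r"exceeded maximum number of consecutive bad\s+packets from (\S+)")
TUNNELD_DOWN = re.compile(r"tunneld\[\d+\]:\s+TERMINATED")


def pptp_dos_indicators(log_text, burst_threshold=5):
    """Scan traffic monitor lines for the daemon-termination pattern.

    Returns per-source counts of 'received bad packet' lines, the sources
    that reached burst_threshold, the sources that tripped the daemon's own
    consecutive-bad-packet limit, and whether tunneld reported TERMINATED
    (after which PPTP stays down until the firewall is rebooted).
    """
    counts = defaultdict(int)
    limit_sources = set()
    tunneld_down = False
    for line in log_text.splitlines():
        m = BAD_PACKET.search(line)
        if m:
            counts[m.group(1)] += 1
            continue
        m = LIMIT_HIT.search(line)
        if m:
            limit_sources.add(m.group(1))
            continue
        if TUNNELD_DOWN.search(line):
            tunneld_down = True
    return {
        "bad_packet_counts": dict(counts),
        "burst_sources": sorted(s for s, n in counts.items() if n >= burst_threshold),
        "limit_sources": sorted(limit_sources),
        "reboot_required": tunneld_down,
    }


if __name__ == "__main__":
    for key, value in pptp_dos_indicators(SAMPLE_LOG, burst_threshold=3).items():
        print(f"{key}: {value}")
```

    A lower burst_threshold gives earlier warning of a source sending
    repeated bad packets, before the daemon's own limit is reached.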

SOLUTION

    Obtaining the patch for this issue requires membership of
    LiveSecurity.  The vendor was contacted on January 24th, 2001 and a
    patch was released on February 9th, 2001.