Microsoft PPTP Buffer Overflow; VPNs Vulnerable
An anonymous reader writes "According to this InfoWorld article, a buffer overflow exploit has been discovered for Microsoft's PPTP implementation, which leaves Microsoft VPN solutions vulnerable to exploit. This overflow was discovered by the German security firm Phion; they have posted more info on this page." We might as well throw in yet another remote exploit for FrontPage, too. No, not last week's remote exploits - these are new. Coincidentally, the front group Microsoft organized for the purpose of quashing bug disclosure (that is, reducing Microsoft's bad press) is just now getting underway.
From the advisory:
A DoS resulting in a lockup of the machine has been verified on Windows 2000 SP3 and Windows XP.
A remote compromise cannot be excluded, as we were able to fill EDI and EDX with our data.
It might be that they will find a way to run arbitrary code through this exploit, but so far they were only able to crash the system.
These vulnerabilities only allow DoS attacks, not intercepting data. The commercial applications are slim... unless you have a company that gets paid to take down other people's servers.
Promote proofreading. Don't mod up sloppy posts.
It means they haven't tested it (or at least, that Microsoft hasn't released the results of those tests), as that Windows version "is no longer supported."
CNET has more details on this problem: CNET Tech News.
From the article:
"This is top priority." "We are proceeding with all due speed." - Christopher Budd, Microsoft Security Response Center
Who still runs PPTP? It was found to be under-secured a while back. Everyone should have moved on to a more standard and secure technology by now. PPTP was good back when VPNs were new and hard to set up, but that time is long gone.
One of the first things I did when I took over my current company's network was to shut down PPTP and move everyone to an IPSec VPN. The upside is better security; the only downside was they had to install a client. You couldn't VPN from a stock Windows box. You have to install the Cisco client. Now with the Cisco gear working with Win2K/XP's L2TP and IPSec, even that isn't an issue.
PPTP's encryption algorithm was cracked years ago (in fact, about a month after it was introduced) by Bruce Schneier (sp?) et al. and hasn't been considered safe ever since.
So now we have a buffer overflow exploit in a "VPN" product which was already known to be insecure. Another nail in PopTop's coffin, but little else.
At the time, Schneier referred to Micro$oft's clumsy attempts at do-it-yourself encryption as "Kindergarten Cryptography."
Nothing has changed much since then, except that maybe they've graduated to somewhere around Third Grade by now....
In times of universal deceit, telling the truth gets you modded -1 Troll
This means that gazillions of machines using a "secure" ADSL channel are now vulnerable.
Ho Hum. Am I glad not to be using LoseDows.
IIRC PPTP was not available on NT 4.0 unless you installed the later released RRAS (Routing and Remote Access Server).
I would expect RRAS to also be vulnerable, but there won't be a patch for it due to discontinued support.
That is not correct. You can install PPTP on NT4 without installing RRAS. RRAS just allows you to route through the VPN to create a server-to-server vs. a client-to-server VPN connection.