Microsoft PPTP Buffer Overflow; VPNs Vulnerable
An anonymous reader writes "According to this InfoWorld article, a buffer overflow exploit has been discovered for Microsoft's PPTP implementation, which leaves Microsoft VPN solutions vulnerable to exploit. This overflow was discovered by the German security firm Phion; they have posted more info on this page." We might as well throw in yet another remote exploit for FrontPage, too. No, not last week's remote exploits - these are new. Coincidentally, the front group Microsoft organized for the purpose of quashing bug disclosure (that is, reducing Microsoft's bad press) is just now getting underway.
Somebody ought to compile a list of every unfixed MS security related bug, and mail that, every single day, to any congress[person,critter,droid] that is consulting with microsoft on 'security'.
TODO: Something witty here...
From the advisory:
A DoS resulting in a lockup of the machine has been verified on
Windows 2000 SP3 and Windows XP.
A remote compromise can not be excluded,
as we were able to fill EDI and EDX with our data.
It might be that they will find a way to run arbitrary code through this exploit, but so far they were only able to crash the system.
From what I see in the German brief on the exploit, this can write to the memory of the system. So does this mean the worst that can happen is to crash a Windows box?
Also, does this apply only to Windows systems using PPTP or to VPN hardware devices as well?
I didn't see any information on Windows NT 4.0. Does this mean that the vulnerability doesn't exist, or that they haven't tested it? (The site doesn't say.)
The difference between theory and practice is that, in theory, there is no difference between theory and practice.
From: sh@phion.com [mailto:sh@phion.com]
Sent: Thursday, September 26, 2002 5:44 AM
To: bugtraq@securityfocus.com
Subject: Microsoft PPTP Server and Client remote vulnerability
phion Security Advisory 26/09/2002
Microsoft PPTP Server and Client remote vulnerability
Summary
The Microsoft PPTP Service shipping with Windows 2000 and XP contains a
remotely exploitable pre-authentication buffer overflow.
Affected Systems
Microsoft Windows 2000 and XP running either a PPTP Server or Client.
Impact
With a specially crafted PPTP packet it is possible to overwrite kernel
memory.
A DoS resulting in a lockup of the machine has been verified on
Windows 2000 SP3 and Windows XP.
A remote compromise should be possible deploying proper shellcode,
as we were able to fill EDI and EDX with our data.
Clients are vulnerable too, because the Service always listens on port
1723 on any interface of the machine; this might be of special concern
to DSL users who use PPTP to connect to their modem.
Solution
As a temporary solution for the Client issue, one might firewall the PPTP
port in the Internet Connection Firewall for Windows XP.
We don't know of any solution for Windows 2000 and Windows XP PPTP servers.
The vendor has been informed.
Acknowledgements
The bug has been discovered by Stephan Hoffmann and Thomas Unterleitner
on behalf of phion Information Technologies.
Contact Information
phion Information Technologies can be reached via:
office@phion.com / http://www.phion.com
Stephan Hoffmann can be reached via:
sh@phion.com
Thomas Unterleitner can be reached via:
t.unterleitner@phion.com
References
[1] phion Information Technologies
http://www.phion.com/
Exploit
phion Information Technologies will not provide an exploit for this issue.
Disclaimer
This advisory does not claim to be complete or to be usable for any
purpose.
This advisory is free for open distribution in unmodified form.
Articles or Publications that are based on information from this advisory
have to include link [1].
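The advisory only says that a crafted PPTP packet overwrites kernel memory before authentication and that two registers end up under attacker control; it gives no details of the bug itself. As an added illustration (not phion's finding and not Microsoft's code), the block below shows the generic shape of a pre-authentication overflow in a packet parser: a control message is copied into a fixed-size slot using the length field the attacker just sent, beside a parser that validates that field against the bytes actually received and the receiver's own buffer first. The PPTP control-message header layout (length, message type, magic cookie 0x1A2B3C4D, control message type) is from RFC 2637; the 64-byte slot, the 128-byte arena standing in for kernel memory, the guard value and all function names are assumptions for the demo, and the packet is constructed inline.

```c
/*
 * Added illustration of the pre-auth length-field overflow pattern.
 * Not phion's bug (details are not public on the page) and not Microsoft's code.
 * Header layout from RFC 2637; slot/arena sizes and helper names are assumed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PPTP_MAGIC       0x1A2B3C4DUL
#define PPTP_MSG_CONTROL 1
#define PPTP_HDR_LEN     12   /* length(2) msg_type(2) magic(4) ctrl_type(2) reserved(2) */
#define SLOT_SIZE        64   /* assumed: room the receiver reserved for one message */
#define ARENA_SIZE       128  /* assumed: the slot plus the neighbouring object behind it */
#define GUARD_BYTE       0xAA /* assumed: fill pattern that reveals corruption */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Constructed attacker packet: a valid-looking control header whose length field
   claims `declared` bytes, padded with 'A'. Returns the number of bytes written. */
size_t build_ctrl_packet(uint8_t *out, size_t cap, uint16_t declared) {
    if (declared < PPTP_HDR_LEN || declared > cap) return 0;
    memset(out, 'A', declared);
    out[0] = (uint8_t)(declared >> 8); out[1] = (uint8_t)(declared & 0xFF);
    out[2] = 0;                        out[3] = PPTP_MSG_CONTROL;
    out[4] = 0x1A; out[5] = 0x2B; out[6] = 0x3C; out[7] = 0x4D;   /* magic cookie */
    out[8] = 0;    out[9] = 1;         /* 1 = Start-Control-Connection-Request */
    out[10] = 0;   out[11] = 0;        /* reserved */
    return declared;
}

void arena_init(uint8_t *arena) { memset(arena, GUARD_BYTE, ARENA_SIZE); }

/* True while the neighbouring object (everything after the slot) is untouched. */
int neighbour_intact(const uint8_t *arena) {
    for (size_t i = SLOT_SIZE; i < ARENA_SIZE; i++)
        if (arena[i] != GUARD_BYTE) return 0;
    return 1;
}

/* BUG PATTERN: copy as many bytes as the packet claims into a SLOT_SIZE slot.
   The two caps exist only so the demo stays memory-safe; the real pattern has
   no cap and writes wherever the attacker's length field points it. */
size_t ctrl_copy_unchecked(uint8_t *arena, const uint8_t *pkt, size_t received) {
    size_t n = be16(pkt);               /* attacker-controlled length */
    if (n > ARENA_SIZE) n = ARENA_SIZE; /* demo-only cap */
    if (n > received) n = received;     /* demo-only cap */
    memcpy(arena, pkt, n);              /* n > SLOT_SIZE clobbers the neighbour */
    return n;
}

/* Hardened parser: validate every header field against what actually arrived
   and against our own buffer before copying. 0 = ok, negative = rejected. */
int ctrl_parse_checked(const uint8_t *pkt, size_t received,
                       uint8_t *slot, size_t slot_size, uint16_t *ctrl_type) {
    if (received < PPTP_HDR_LEN) return -1;                        /* runt */
    uint16_t declared = be16(pkt);
    if (declared < PPTP_HDR_LEN || declared > received) return -2; /* length lies */
    if (declared > slot_size) return -3;                           /* would overflow us */
    if (be16(pkt + 2) != PPTP_MSG_CONTROL) return -4;
    if (be32(pkt + 4) != PPTP_MAGIC) return -5;
    memcpy(slot, pkt, declared);
    if (ctrl_type) *ctrl_type = be16(pkt + 8);
    return 0;
}

/* 1 if the unchecked copy of a 100-byte message overwrote the neighbour. */
int demo_unchecked_corrupts_neighbour(void) {
    uint8_t arena[ARENA_SIZE], pkt[ARENA_SIZE];
    arena_init(arena);
    size_t n = build_ctrl_packet(pkt, sizeof pkt, 100);   /* 100 > SLOT_SIZE */
    ctrl_copy_unchecked(arena, pkt, n);
    return !neighbour_intact(arena);
}

/* Result of the checked parser for a packet claiming `declared` bytes of which
   only `actually_sent` reached us. */
int demo_checked_result(uint16_t declared, size_t actually_sent) {
    uint8_t slot[SLOT_SIZE], pkt[ARENA_SIZE];
    uint16_t t = 0;
    size_t n = build_ctrl_packet(pkt, sizeof pkt, declared);
    if (actually_sent < n) n = actually_sent;             /* truncated on the wire */
    return ctrl_parse_checked(pkt, n, slot, sizeof slot, &t);
}

int main(void) {
    printf("unchecked copy corrupted neighbour: %d\n", demo_unchecked_corrupts_neighbour());
    printf("checked parse, 100-byte message: %d\n", demo_checked_result(100, 100));
    printf("checked parse, claims 64 but 40 arrived: %d\n", demo_checked_result(64, 40));
    printf("checked parse, well-formed 64-byte message: %d\n", demo_checked_result(64, 64));
    return 0;
}
```

The checked parser rejects on three independent grounds (runt, length inconsistent with what arrived, length larger than the destination) before it even looks at the magic cookie, which is the order a pre-authentication listener on port 1723 needs: nothing about the payload can be trusted until the sizes are consistent.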
These vulnerabilities only allow DoS attacks, not intercepting data. The commercial applications are slim...unless you have a company that gets paid to take down other people's servers.
Promote proofreading. Don't mod up sloppy posts.
Thank goodness they will be keeping this information from the people who will do bad things with it. I'm sure that the script kiddies would never share this information with each other! Besides the nice people who are installing these systems really should be on a "need to know" basis anyways....
Screw the end user.
Isn't it great that the community debugs Microsoft's security software for free? They probably don't even try to test it anymore, since they can rely on everyone finding the holes and reporting them immediately on Slashdot.
In a stunning revelation, a string of recent articles indexed by Slashdot.org, an internet news resource for the technically inclined, declares that software is not perfect.
"For years people have believed that commercial software works flawlessly," said Slashdot editor Timothy. "We always believed that bugs in commercial software were just a myth - the kind of stories open source programmers told their children around late-night campfires."
Comments from Slashdot readers indicated the level of surprise. "It's unbelievable. Every operating system, word processor, web browser and game I've ever purchased has always worked flawlessly out of the box. And now they're telling us that there are bugs, and even security flaws? It's unbelievable!" commented one user.
"If software really does have flaws, this could really put the future of computing in jeopardy," added another. He continued, "Will people be willing to use software that saves them or their company thousands or millions of dollars a year if it's possible that an unlikely buffer overrun might release a credit card number? People will go back to writing documents with real pens and checking spelling with actual paper dictionaries!"
One apparently young poster thought there might be a little overreaction. "I don't know what a buffer overrun is, but as long as I can still IM girls to ask if they'll be my girlfriend and play counterstrike, I don't care either."
paintball
The Slashdot editors posted a link to a Microsoft-backed security organisation that is devoted to making the world a better place. Just because Microsoft, which has perpetrated just about every evil on the software industry imaginable, is the company backing this other company, doesn't mean it won't be completely impartial and cause security-related bugs to become freedom-loving United States citizens!
Slashdot is just full of trolls who can't understand that this is an ad hominem attack which means an argument that says whenever someone acts evil 100% of the time for 20 years you can't discount the possibility that this time they're acting to promote the greater good of mankind.
Just read the article, people! And I quote:
See? They're going to release drafts of the guidelines in early 2003. Nothing to worry about here, folks. Move along. DRM is good. Linux is bad. Stop worrying, buy your DVDs and CDs, and consume like you've never consumed before. If you don't like it, don't buy it. Microsoft is obligated to screw the consumer. There is no monopoly. The Justice Department meted out the justice already.
fifth sigma, inc.
This kind of information is only going to be considered "handed on a plate" to the inexperienced/newbie script kiddie who poses a minor threat. The kind of person who is going to do real damage, who has the skills and experience to aggressively hack a system is not going to gain anything from public disclosure, they will already know about the exploit. Limiting release only protects the vendor from the incessant cry for a fix..
What's an MSCE?
mstyne: real name, no gimmicks
phion Information Technologies will not provide an exploit for this issue.
In reference to remarks about lawsuits. This is a smart move, this would probably help against the getting-our-asses-sued-by-MS possibilities.
If they poke their own machines I don't think it quite counts the same as hacking somebody else's machine and then telling them they're vulnerable.
I was just recently looking at the possibilities of setting up a linux VPN, instead of opening up my Windows machines (/. never posted it, boohoo for me). This looks like a good reason to do it that way, anyone have suggestions? I've looked at freeS/WAN, but the online documentation is dead
I'm downloading the freeSwan files before their server gets slashdotted now too - phorm
The commercial applications are slim...unless you have a company that gets paid to take down other people's servers.
You mean like VA Software Corporation?
WTF, I just patched that box 3 minutes ago!!
Yea, so what? They won't have a patch ready for weeks. I'm going to play golf.
It is acting kinda strange. You better reboot, just to be sure.
The server's down? Again??
It can't be down. I rebooted it 5 minutes ago.
Naw, they won't bother us. It's not like we're the DOD or something.
Don't bug me now. I've almost got high score on Pinball.
Sure, I've heard of Linux. It sucks!
CNET has more details on this problem:
cnet technews
From the article:
"This is top priority","We are proceeding with all due speed." - Christopher Budd, Microsoft security response center
Its called Blue Screen of Death.. We're currently on tour with Buffer Overflow and Malicious Code.
Coming to a VPN near you...
"I love California. I practically grew up in Phoenix." -Dan Quayle
I spent months trying to get my iptables firewall to allow PPTP connections to my NT server. I doubt Microsoft will address this since they have all but abandoned this type of VPN. That settles it: IPSec in tunneling mode, here I come.
Who still runs PPTP? It was found to be under-secured a while back. Everyone should have moved on to a more standard and secure technology by now. PPTP was good back when VPNs were new and hard to set up, but that time is long gone.
One of the first things I did when I took over my current company's network was to shut down PPTP and move everyone to an IPSec VPN. The upside is better security, the only downside was they had to install a client. You couldn't VPN from a stock Windows box. You have to install the Cisco client. Now with the Cisco gear working with Win2K/XP's L2TP and IPSec even that isn't an issue.
PPTP's encryption algorithm was cracked years ago (in fact, about a month after it was introduced) by Bruce Schneier (sp?) et al. and hasn't been considered safe ever since.
So now we have a buffer overflow exploit in a "VPN" product which was already known to be insecure. Another nail in PopTop's coffin, but little else.
At the time, Schneier referred to Micro$oft's clumsy attempts at do-it-yourself encryption as "Kindergarten Cryptography."
Nothing has changed much since then, except that maybe they've graduated to somewhere around Third Grade by now....
In times of universal deceit, telling the truth gets you modded -1 Troll
This means that gazillions of machines using a "secure" ADSL channel are now vulnerable.
Ho Hum. Am I glad not to be using LoseDows.
>>The commercial applications are slim...unless you have a company that gets paid to take down other people's servers.
Hello, RIAA. We have a business opportunity for you...
Only on Slashdot would people complain about this. Didn't your mom ever complain about leaving the iron or stove on, and she had to drive all the way home to turn it off? This is obviously a remote shutdown mechanism put in place to allow sysadmins to turn their machines off if necessary, from home. No more late night runs to your cube! It's kind of like an "Easter Egg", if you will.
Man, we praise Tivo for allowing a certain series of keystrokes to allow 30-second fast-forwarding (or is that ReplayTV, I don't remember). But when MICROSOFT has secret, useful features in place.... we rip them apart! Come on people!
(yes, it's humor, calm down)
The initials are the same! It's not a bug - it's an example of embrace and extend!
Software Wars
1. The first rule of Slashdot is to never miss a chance to slam MS and draw attention to its vulnerabilities.
2. Most Slashdot readers run Windows, whether they admit it or not. Many Slashdot readers also administer Windows boxes professionally; therefore, such posts are important and informative.
What is the average of new MS bugs discovered per week? My guess would be around 3 a week.
Currently, we don't know if the PPTP bug is real or a fake. Anyone can write an advisory like this, and there is no way you can tell if they tell the truth or not, unless you look carefully at the source code.
Okay, maybe you can confirm that their claim is true using some black box testing. Unfortunately, the guys with the unlimited time budget aren't the good ones, usually.
I don't understand the purpose of this advisory, really (at least not from a technical perspective). I don't think anyone has got a policy to disable any services based on such information. Microsoft won't admit that there is a problem until they have got a some fix. The bad guys will work overtime to discover the exact nature of this security defect, and the good guys will work overtime as usual, but are busy with other issues.
Are you sure MS wants to release bug-free, secure code? It's important for them that their users upgrade to the next big thing: more stable, more secure, more in kernel space.
This will be number 54 if they officially issue a bulletin.
Sure, sloppy code and security holes are as bad as watered down drinks at a topless bar, but don't we get paid to stop crap like that from being perpetrated on our networks? Microsoft makes me look like a hero as far as security goes.
Yes, Mr. Customer, I did charge you quite a bit, but I have enclosed a listing of the bugs and security flaws that I patched while I was here. These are things you usually never know about until you get burned by them, but I feel I owe it to you to stay on top of them and help you stay current...
Microsoft+Bugs+Patches=Value added for me
Keep up the good work, Bill!
I'd be curious to know how many are buffer overflows. Seems like at least 50% are. What would it take for Microsoft to incur the overhead of checking array bounds? Java seems to do this implicitly, and it works OK for tons of applications. Ever heard of a buffer overflow EXPLOIT in Java (sure, you could get an ArrayIndexOutOfBoundsException, but it wouldn't let arbitrary code run)?
Because MS moved on to IPSec-based VPN. PPTP is not the VPN layer anymore. Win2k and XP have IPSec-based VPN functionality built in.
Kindergarten cryptography? Don't think so.
Never underestimate the relief of true separation of Religion and State.
> These vulnerabilities only allow DoS attacks, not intercepting data.
Couldn't a hostile party use your server's pattern of up and down times as Morse code, to send secret messages or something?
Sheesh, evil *and* a jerk. -- Jade
Your sarcasm is noted.
I write code and I've let more bugs out than I could possibly remember. They happen, it's part of the game. But two things make this type of thing mock-worthy. 1) MS has more net worth than most countries. They need to be held to a standard that their size and resources dictates. 2) Bill has quite publicly stated that security is now their number one priority. I for one have not seen any improvement in that department.
-B
IPSec VPN is used nowadays. I doubt a lot of servers are harmed (NT4 uses PPTP VPN if you haven't installed a 3rd party product. Win2k server uses IPSec).
MS also said that they can't find a way to make this vulnerability execute code on the target, vulnerable machine (CNet.com's article on this). An advisory from an unknown group which hasn't informed the vendor first but finds it necessary to cry out loud from the top of their lungs that they found a possible flaw in an old protocol and everyone should know about it isn't very trustworthy IMHO. I think the German security group was running low on attention. Well, they got their attention now.
I hope next time they are not this stupid and think about the people who run vulnerable systems and first discuss the flaw with the vendor and after a period (say 3 weeks) publish the flaw.
Never underestimate the relief of true separation of Religion and State.
Frontpage 2000 server extensions: DoS
Frontpage 2002 server extensions: Run arbitrary code
The 2002 vulnerability, allowing arbitrary code to be run, shows how serious Microsoft was about $ecure computing.
There is only one response to these growing doubts about the quality of proprietary software. We must put a stopper in this aiding and abetting of vandalware.
It's okay if users whisper stories around the campfire about software bugs and hacking exploits, but we must make sure that they don't begin to peel back the layers of proprietary software and peer inside. After all, it is not the user's responsibility to worry about their welfare, they need to let the properly respected authorities handle things.
The best course of action is to deny all vulnerabilities reported on this Slashdot. Next, we should use these open forums to ferret out and prosecute anyone caught trafficking in vandalware or any information that could be used to create such an atrocity. Developers and users alike must be taught that they have no business worrying about what goes on inside their computer; that is the job of Proprietary Makers of Software.
FreeS/WAN works, kinda, if you don't mind it taking over routing and a couple of other things with it. pipsecd is a lot simpler (just tunnels, and not even dynamic) to set up, for fixed point-to-point links.
If you don't have to interoperate with win32 peers (other than merely routing for them), I'd suggest tinc. A lot easier to deploy than IPSec variants (in my experience), it's quite good security, and the most easily manageable solution I've come across yet, especially for meshes of more than two machines.
Freshmeat has lots of other possibilities, I haven't even tried the majority, let alone all of them. I'm sure you'll find something that suits your needs, though. =)
Paranoid
Bwaahahahahaa.
No, more likely they're using the Mongolian Hordes Technique. It's much more appropriate in this sense
The previous has been a secret message to my comrades.
These are not bugs, just extended features that have not been documented. In this case a remote administration tool.
Are you seriously proposing that security vendors should blackmail software companies? I can imagine that now:
Full disclosure is the only response that makes any sense at all. The end users should be able to decide for themselves if they should risk their information with unpatched software.
has microsoft not ... written some buffer overflow detection tools
MS Buffer Overflow was written, but it kept crashing. Some kind of overflow bug or something.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Any Walken quote deserves at least a +1 Funny ;)
if the vendor knows of a vulnerability and DOES NOT disclose it to US, YOU can expect to see us in court very soon, M$ or not. As far as making the whole exploit and gruesome details known to the public I can agree that it might be overkill and help the script kiddies, but letting your customers fly blind is criminal when you know better. We've already dropped IIS because of M$'s inability to keep it secure in the face of poor design, if they keep it up we'll begin dropping other components.
errr....umm...*whooosh* *whoosh* Is this thing on ?
So, what, you're so smart that you can do it in 10 minutes?
Fucker.
Why doesn't Microsoft set up software to run in the appropriate security context? When I log on as me, I might have lots of privileges on my computer and network. This does not mean that every application I run should have those privileges. By default applications like Internet Explorer run in the security context of the current user. That means that code in IE can do anything I can do. That does not make much sense most of the time. Ideally all applications (like those in these bug reports) should run with the absolute minimum of security rights. It should then be possible for me to grant applications more security rights as they need it. The problem here is not the technology - that is all there and working - it is the way defaults are set up and the UI for all of this stuff.
I would really like to hear more about how you set this up.
It's pretty straightforward but you must (through PPP negotiation) tell your PPTP clients where the WINS server is or you will not be able to go anywhere by name. We use PoPToP fairly regularly but are migrating to IPSec with certificates since Win2k supports it and it's a much better standard.
The other side of the coin is that limited disclosure disarms the script kiddies and cyber vandals by not giving them an exploit on a plate.
Script kiddies are not the problem. Let this message be shouted from the hills. A script kiddie scrawls his name on your corporate web page and leaves a little egg on your face. They are harmless. The person you need to worry about a LOT is the hacker who knows what he is doing, who already knows your flaws, and is looking for your company secrets, your pre-patent diagrams, your strategy memos, and he wants to sell to the highest bidder.
"Your superior intellect is no match for our puny weapons!"
This just in: People kill each other. I guess its just a fact of life, eh? ;)
Seriously tho, if you want to be the biggest player on the block, you'd better be prepared for more scrutiny. If you wanna be #1 in a market, you'll be the one wearing the biggest bullseye.
Just like bugs are a consequence of life, so are bullseyes. They have 40 billion in the bank to fight bugs with; most other companies do not. Where as other companies deserve some slack because they dont have these resources, MS does not.
"Old man yells at systemd"
I'm in an x86 assembly class right now, so I can tell you what you've said is true. I'm not an expert on x86 or assembly in general (I studied 68k and a little PPC assembly years ago). Changing registers through a buffer overflow is a bit of a big deal, as those reside on the processor and not in memory. At this point, however, they haven't been able to change any registers which control program flow, so *for now* things are fine (as far as execution of arbitrary code is concerned).
CAn'T CompreHend SARcaSm?
...why has microsoft not bought or written some buffer overflow detection tools and done a complete sweep of their code base
I don't know if you're a programmer or not, but it's really not just that simple. Many pointers are completely dynamic, depending on many other dynamic things that simply couldn't possibly be found at compile time.
And many times, you might pass a pointer off to a function (that is in a separate library), which then manipulates the memory pointed to, and passes a pointer off somewhere else, ad infinitum. It's just not always that easy in a reasonably complex piece of software to just find and eradicate buffer overflows.
Even the debug runtimes for MS VC++ aren't perfect; they simply allocate a couple extra bytes on either side of any allocated memory, and if those bytes are touched a breakpoint is called the *next* time you access a memory-related function. Which doesn't always help (especially in a multi-threaded program).
Sorry for the rant, but I've been knee-deep in VC++ all day hunting buffer issues (not security-related but still a pain). It's very easy to over-step what you allocated, especially when you're several functions (and possibly several DLL's) away from where you started...
NGWave - Fast Sound Editor for Windows
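The post above describes how the VC++ debug runtime fences each allocation with a few extra bytes and only notices an overrun at the next memory-related call. As an added example (not the VC++ runtime's code, and not from the original thread), here is a minimal guard-byte allocator in that spirit, with a check that shows the lag: the overstep itself goes unnoticed, and only a later call to the check function reports it. The guard width, fence value and all function names are assumptions.

```c
/*
 * Added example: a toy guard-byte allocator illustrating the late detection
 * the post describes. Not the VC++ debug runtime's implementation.
 * GUARD_LEN, FENCE_BYTE and the function names are assumed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_LEN  4      /* assumed: fence bytes on each side of the user block */
#define FENCE_BYTE 0xFD   /* assumed: fence fill pattern */

typedef struct {
    size_t   size;        /* size the caller asked for */
    uint8_t *base;        /* raw block: [guard][user bytes][guard] */
} guarded_t;

/* Allocate `size` user bytes wrapped in GUARD_LEN fence bytes on each side. */
int guarded_alloc(guarded_t *g, size_t size) {
    g->base = malloc(size + 2 * GUARD_LEN);
    if (!g->base) return -1;
    g->size = size;
    memset(g->base, FENCE_BYTE, GUARD_LEN);                 /* front fence */
    memset(g->base + GUARD_LEN + size, FENCE_BYTE, GUARD_LEN); /* back fence */
    return 0;
}

/* Pointer the caller actually uses. */
uint8_t *guarded_ptr(const guarded_t *g) { return g->base + GUARD_LEN; }

/* Bit 1: bytes past the end were written; bit 2: bytes before the start were.
   Nothing calls this at the moment of the bad write, which is the lag in question. */
int guarded_check(const guarded_t *g) {
    int rc = 0;
    for (size_t i = 0; i < GUARD_LEN; i++) {
        if (g->base[GUARD_LEN + g->size + i] != FENCE_BYTE) rc |= 1;
        if (g->base[i] != FENCE_BYTE) rc |= 2;
    }
    return rc;
}

void guarded_free(guarded_t *g) { free(g->base); g->base = NULL; g->size = 0; }

/* Scenario from the post: some callee writes `written` bytes into a block of
   `n`. Returns what the check reports afterwards. The overstep is clamped to
   the fence so the demo stays memory-safe; a real overrun that jumps past the
   fence entirely is exactly the case this scheme cannot see. */
int demo_late_detection(size_t n, size_t written) {
    guarded_t g;
    if (guarded_alloc(&g, n) != 0) return -1;
    if (written > n + GUARD_LEN) written = n + GUARD_LEN;   /* demo-only clamp */
    memset(guarded_ptr(&g), 'A', written);                  /* the bug, unnoticed here */
    int at_next_check = guarded_check(&g);                  /* noticed only now */
    guarded_free(&g);
    return at_next_check;
}

/* One byte written just before the block: reported as an underrun (2). */
int demo_underrun(size_t n) {
    guarded_t g;
    if (guarded_alloc(&g, n) != 0) return -1;
    guarded_ptr(&g)[-1] = 'A';       /* still inside the raw block: the front fence */
    int rc = guarded_check(&g);
    guarded_free(&g);
    return rc;
}

int main(void) {
    printf("16 bytes written into 16: %d\n", demo_late_detection(16, 16));
    printf("18 bytes written into 16: %d\n", demo_late_detection(16, 18));
    printf("byte written before the block: %d\n", demo_underrun(16));
    return 0;
}
```

Two limits worth keeping in mind with any fence scheme like this one: the report arrives at the next check, not at the faulting write (so in a multi-threaded program the culprit may be long gone), and a write that lands beyond the fence is invisible to it altogether.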
I don't think that is true; clearly Microsoft has improved enormously in the last year or so, as there are far more bug fixes. It's not as if Microsoft, now concerned with security, started producing software that was more defective than before.
I think there are two variables at play; one being that security is a larger field and more people are looking for defects in Microsoft's code, and not just Microsoft, you'll notice that there are not more exploits in other operating systems, such as Linux and even OpenBSD. Two, Microsoft has been MORE responsive to fixing the bugs, XP now comes with an auto updater and sends fixes out automatically (if configured to do so).
It seems clear that Microsoft is more focused on security now than ever before. This doesn't mean we'll be hearing more about bugs; it means we'll be hearing about them more!
-Jon
this is my sig.
Look at the link that Tweek posted. They are being very careful not to piss off the server market. Windows 95 support started to disappear without warning. Compare that decision to the page Tweek referenced and you'll see the difference in attitude.
I don't really need server names, the main purpose is just for sharing certain files and/or IPX/SPX connections (for LAN games). No need for domain names as nobody will be using this connection to go anywhere but in.
I mean you need to send the WINS server info so you can get NetBIOS resolution. i.e. \\someserver instead of \\server.ip.address.here.
What are you doing to implement [Win2k x509 IPSec]?
This is where I got started. I was most confused when creating the certificates, and later (on win2k) when I realized that the software it asks you to install is just a wrapper for the code win2k already has.
Funny how things supposed to protect us require so much more complex technology that bugs bite back and achieve exactly the opposite of what it's supposed to add in the first place: security.
It's very easy, and almost predictable, to "out-smart" yourself.
I'm not sure of the origin, but I think KISS originated in Lockheed's Skunkworks. The original "stupid" was probably something like a 19-year-old PhD from MIT. The real battle is against Mother Nature, and she's got enough tricks up her sleeve so that, comparatively, *everybody* is stupid.
"Microsoft treats security vulnerabilities as public relations problems" Bruce Schneier.
In a world that is Free and Open, who needs Windows and Gates?
Two, Microsoft has been MORE responsive to fixing the bugs, XP now comes with an auto updater and sends fixes out automatically (if configured to do so).
This is simply a method of sending out updates. It may or may not have anything to do with fixing bugs. Indeed it could just as easily ensure that buggy code gets distributed quickly.
Me: 'kay, what are we using?
IT guy: eSmith VPN
Me: Which is? PPTP VPN? IpSec?
IT guy: What? Use Windows 2K VPN to connect.
Me: Uh, right. I'll be using PPTP on my linux box, is that all right?
IT guy: No way!
Me: Why not?
IT guy: It's not on the approved software list, therefore it's a potential security risk.
Me: Uhhh... all right. Then I'll use Win2K VPN.
IT guy: Really?
Me: Sure, as far as you know.
Which pretty much sums up commercial IT. Better the devil you know than the devil you don't.
If you were blocking sigs, you wouldn't have to read this.
but there's no excuse these days
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Phion is an AUSTRIAN company. Yes, this is a huge difference.
http://www.phion.com/contact/