Slashdot Mirror


Microsoft PPTP Buffer Overflow; VPNs Vulnerable

An anonymous reader writes "According to this InfoWorld article, a buffer overflow exploit has been discovered for Microsoft's PPTP implementation, which leaves Microsoft VPN solutions vulnerable to exploit. This overflow was discovered by the German security firm Phion; they have posted more info on this page." We might as well throw in yet another remote exploit for FrontPage, too. No, not last week's remote exploits - these are new. Coincidentally, the front group Microsoft organized for the purpose of quashing bug disclosure (that is, reducing Microsoft's bad press) is just now getting underway.

24 of 338 comments

  1. MS Bugs by Tyler Eaves · Score: 4, Funny

    Somebody ought to compile a list of every unfixed MS security related bug, and mail that, every single day, to any congress[person,critter,droid] that is consulting with microsoft on 'security'.

    --
    TODO: Something witty here...
    1. Re:MS Bugs by rampant mac · Score: 3, Funny
      > Somebody ought to compile a list of every unfixed MS security related bug, and mail that, every single day, to any congress[person,critter,droid] that is consulting with microsoft on 'security'.

      I would, but I have neither the time, nor the bandwidth :)

      --
      I like big butts and I cannot lie.
    2. Re:MS Bugs by n9hmg · · Score: 3, Interesting

      Snail mail to the federal government now costs us a lot in taxes, and doesn't get to the people very quickly. This is because all mail to the Capitol is diverted to a remote facility, where, in a long FIFO, it is decontaminated (Cl2O, maybe), then opened and faxed to the appropriate office. Email is actually more likely to be read, and better yet is their "write your rep" link, which weeds out the automailers that dilute the effectiveness of email.

  2. So far they couldn't exploit it to run code by mosha · · Score: 4, Informative

    From the advisory:


    A DoS resulting in a lockup of the machine has been verified on
    Windows 2000 SP3 and Windows XP.

    A remote compromise can not be excluded,
    as we were able to fill EDI and EDX with our data.


    It might be that they will find a way to run arbitrary code through this exploit, but so far they were only able to crash the system.

    1. Re:So far they couldn't exploit it to run code by VisualStim · Score: 3, Funny

      > It might be that they will find a way to run arbitrary code through this exploit, but so far they were only able to crash the system.

      Maybe the short-term fix would be to run in Safe Mode. Then we're ok, right? ;)

  3. Re:wow, interesting by Nick Number · Score: 4, Informative

    These vulnerabilities only allow DoS attacks, not intercepting data. The commercial applications are slim...unless you have a company that gets paid to take down other people's servers.

    --
    Promote proofreading. Don't mod up sloppy posts.
  4. And it's a good thing! by capt.Hij · Score: 5, Insightful
    > The other side of the coin is that limited disclosure disarms the script kiddies and cyber vandals by not giving them an exploit on a plate.

    Thank goodness they will be keeping this information from the people who will do bad things with it. I'm sure that the script kiddies would never share this information with each other! Besides the nice people who are installing these systems really should be on a "need to know" basis anyways....

    Screw the end user.

  5. open source community debugs microsoft software by boinx · · Score: 4, Funny

    Isn't it great that the community debugs Microsoft's security software for free? They probably don't even try to test it anymore, since they can rely on everyone finding the holes and reporting them immediately on Slashdot.

  6. Slashdot Exclusive: Software Not Perfect by raehl · · Score: 5, Funny

    In a stunning revelation, a string of recent articles indexed by Slashdot.org, an internet news resource for the technically inclined, declares that software is not perfect.

    "For years people have believed that commercial software works flawlessly," said Slashdot editor Timothy. "We always believed that bugs in commercial software were just a myth - the kind of stories open source programmers told their children around late-night campfires."

    Comments from Slashdot readers indicated the level of surprise. "It's unbelievable. Every operating system, word processor, web browser and game I've ever purchased has always worked flawlessly out of the box. And now they're telling us that there are bugs, and even security flaws? It's unbelievable!" commented one user.

    "If software really does have flaws, this could really put the future of computing in jeopardy," added another. He continued, "Will people be willing to use software that saves them or their company thousands or millions of dollars a year if it's possible that an unlikely buffer overrun might release a credit card number? People will go back to writing documents with real pens and checking spelling with actual paper dictionaries!"

    One apparently young poster thought there might be a little overreaction. "I don't know what a buffer overrun is, but as long as I can still IM girls to ask if they'll be my girlfriend and play counterstrike, I don't care either."

  7. Who does OIS think they are trying to kid? by snoochyboochy · · Score: 3, Insightful
    From the vnunet article... "The other side of the coin is that limited disclosure disarms the script kiddies and cyber vandals by not giving them an exploit on a plate."

    This kind of information is only going to be considered "handed on a plate" to the inexperienced/newbie script kiddie who poses a minor threat. The kind of person who is going to do real damage, who has the skills and experience to aggressively hack a system is not going to gain anything from public disclosure, they will already know about the exploit. Limiting release only protects the vendor from the incessant cry for a fix..

  8. MCSE quotes. by Anonymous Coward · · Score: 3, Funny

    WTF, I just patched that box 3 minutes ago!!

    Yea, so what? They won't have a patch ready for weeks. I'm going to play golf.

    It is acting kinda strange. You better reboot, just to be sure.

    The server's down? Again??

    It can't be down. I rebooted it 5 minutes ago.

    Naw, they won't bother us. It's not like we're the DOD or something.

    Don't bug me now. I've almost got high score on Pinball.

    Sure, I've heard of Linux. It sucks!

  9. More Details from cnet by codwar · · Score: 3, Informative

    CNET has more details on this problem:

    cnet technews

    From the article:

    "This is top priority." "We are proceeding with all due speed." - Christopher Budd, Microsoft Security Response Center

  10. PPTP? by NetJunkie · · Score: 5, Informative

    Who still runs PPTP? It was found to be under-secured a while back. Everyone should have moved on to a more standard and secure technology by now. PPTP was good back when VPNs were new and hard to set up, but that time is long gone.

    One of the first things I did when I took over my current company's network was to shut down PPTP and move everyone to an IPSec VPN. The upside is better security, the only downside was they had to install a client. You couldn't VPN from a stock Windows box. You have to install the Cisco client. Now with the Cisco gear working with Win2K/XP's L2TP and IPSec even that isn't an issue.

  11. PPTP & ADSL by samfreed · · Score: 3, Informative
    My (and many other) ISPs use PPTP as the protocol from the customer's machine to the ADSL modem or whatever "black magic", and we run PPP on top of that.

    This means that gazillions of machines using a "secure" ADSL channel are now vulnerable.

    Ho Hum. Am I glad not to be using LoseDows.

  12. Re:NT 4? by FreeLinux · · Score: 4, Informative

    IIRC PPTP was not available on NT 4.0 unless you installed the later released RRAS (Routing and Remote Access Server).

    I would expect RRAS to also be vulnerable but, there won't be a patch for it due to discontinued support.

  13. Re:wow, interesting by Aexia · Score: 3, Funny

    >>The commercial applications are slim...unless you have a company that gets paid to take down other people's servers.

    Hello, RIAA. We have a business opportunity for you...

  14. Exploit, shmexploit! by Geeyzus · · Score: 4, Funny

    Only on Slashdot would people complain about this. Didn't your mom ever complain about leaving the iron or stove on, and she had to drive all the way home to turn it off? This is obviously a remote shutdown mechanism put in place to allow sysadmins to turn their machines off if necessary, from home. No more late night runs to your cube! It's kind of like an "Easter Egg", if you will.

    Man, we praise Tivo for allowing a certain series of keystrokes to allow 30-second fast-forwarding (or is that ReplayTV, I don't remember). But when MICROSOFT has secret, useful features in place.... we rip them apart! Come on people!

    (yes, it's humor, calm down)

  15. Virtual Public Network by Anonymous Coward · · Score: 3, Funny

    The initials are the same! It's not a bug - it's an example of embrace and extend!

  16. Re:Hmmm... by dzym · · Score: 4, Funny
    Minesweeper Certified Solitaire Expert.

    Disclaimer: There are various (unofficial) levels of MCSE-- Some may not know how to play Minesweeper or Solitaire.

    Disclaimer #2: I'm studying for a MCSE.

  17. Re:What can be exploited? by WolfWithoutAClause · · Score: 4, Insightful
    No, they said they can write to the kernel memory; the kernel is the heart of the operating system. If you can make modifications to the kernel, you can usually do anything - in Linux terms, you're 'root'.

    This is an extremely bad bug; VPN software is deployed to protect intranets whilst allowing machines outside to connect - often it is the only thing between an intranet and the outside world.

    This is a really, really worrying thing; if an exploit rather than just a DoS exists, and they indicate that they think it probably is there, it's a huge hole in tens of thousands of firewalls worldwide.

    You've always got a choice; open source, or open wallet; now you've got open firewall too, thrown in at no extra charge. Nice!

    --

    -WolfWithoutAClause

    "Gravity is only a theory, not a fact!"
  18. Doomsday? by __aadhrk6380 · · Score: 5, Insightful

    Sure, sloppy code and security holes are as bad as watered down drinks at a topless bar, but don't we get paid to stop crap like that from being perpetrated on our networks? Microsoft makes me look like a hero as far as security goes.

    Yes, Mr. Customer, I did charge you quite a bit, but I have enclosed a listing of the bugs and security flaws that I patched while I was here. These are things you usually never know about until you get burned by them, but I feel I owe it to you to stay on top of them and help you stay current...

    Microsoft+Bugs+Patches=Value added for me

    Keep up the good work, Bill!

  19. How many are buffer overflows? by Trinition · · Score: 4, Insightful

    I'd be curious to know how many are buffer overflows. Seems like at least 50% are. What would it take for Microsoft to incur the overhead of checking array bounds? Java seems to do this implicitly, and it works OK for tons of applications. Ever heard of a buffer overflow EXPLOIT in Java? (Sure, you could get an ArrayIndexOutOfBoundsException, but it wouldn't let arbitrary code run.)
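
The bounds check the post above is asking for, shown as an added example that is not from the original thread, the advisory, or Microsoft's code. It parses a constructed length-prefixed message (a 16-bit big-endian length field followed by a payload; the layout is an assumption for illustration, not PPTP's real control-message format) in two ways: the unchecked form trusts the length field, which is the classic overflow pattern, and the checked form validates it against both the bytes actually received and the destination buffer, which is what a Java runtime does implicitly on every array access. The message constants and function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Destination buffer size for the copied payload (assumed for the example). */
#define MAX_PAYLOAD 64

/* Unchecked parser: the length field comes from the peer, so 'claimed' is
 * attacker-controlled. memcpy then writes past 'out' when claimed > MAX_PAYLOAD
 * and reads past 'msg' when claimed > msg_len - 2. This is the bug pattern;
 * main() below deliberately never feeds it a malformed message. */
int parse_unchecked(const uint8_t *msg, size_t msg_len, uint8_t out[MAX_PAYLOAD]) {
    if (msg_len < 2) return -1;
    size_t claimed = ((size_t)msg[0] << 8) | msg[1];
    memcpy(out, msg + 2, claimed);
    return (int)claimed;
}

/* Checked parser: the explicit bounds checks a C programmer must write by hand.
 * Returns the payload length on success, or a negative code naming the failure. */
int parse_checked(const uint8_t *msg, size_t msg_len, uint8_t *out, size_t out_len) {
    if (msg_len < 2) return -1;                 /* header itself is truncated */
    size_t claimed = ((size_t)msg[0] << 8) | msg[1];
    if (claimed > msg_len - 2) return -2;       /* length field exceeds bytes received */
    if (claimed > out_len) return -3;           /* length field exceeds destination capacity */
    memcpy(out, msg + 2, claimed);
    return (int)claimed;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t good_msg[]  = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };   /* claims 5, carries 5 */
static const uint8_t lying_msg[] = { 0x7f, 0xff, 'h', 'e', 'l', 'l', 'o' };   /* claims 32767, carries 5 */

/* Well-formed message: both parsers return 5. */
int demo_good(void) {
    uint8_t buf[MAX_PAYLOAD];
    return parse_checked(good_msg, sizeof good_msg, buf, sizeof buf);
}

int demo_unchecked_good(void) {
    uint8_t buf[MAX_PAYLOAD];
    return parse_unchecked(good_msg, sizeof good_msg, buf);
}

/* Length field larger than the datagram: the checked parser refuses (-2)
 * instead of reading 32 KB past the end of the input. */
int demo_lying_length(void) {
    uint8_t buf[MAX_PAYLOAD];
    return parse_checked(lying_msg, sizeof lying_msg, buf, sizeof buf);
}

/* Consistent but oversize message (claims 100, carries 100): the checked
 * parser refuses (-3) instead of writing 36 bytes past a 64-byte buffer. */
int demo_oversize_payload(void) {
    uint8_t big_msg[2 + 100];
    big_msg[0] = 0x00;
    big_msg[1] = 100;
    memset(big_msg + 2, 'A', 100);
    uint8_t buf[MAX_PAYLOAD];
    return parse_checked(big_msg, sizeof big_msg, buf, sizeof buf);
}

int main(void) {
    printf("good message:        %d\n", demo_good());              /* 5 */
    printf("unchecked, good msg: %d\n", demo_unchecked_good());    /* 5 */
    printf("lying length field:  %d\n", demo_lying_length());      /* -2 */
    printf("oversize payload:    %d\n", demo_oversize_payload());  /* -3 */
    return 0;
}
```

The two extra comparisons in parse_checked are the entire cost of the "overhead" the post wonders about; the underflow trap to notice is that `msg_len - 2` is only safe because the `msg_len < 2` check runs first.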

  20. Re:Slashdot Exclusive: Software Not Perfect by Ralph Wiggam · Score: 5, Insightful

    Your sarcasm is noted.

    I write code and I've let more bugs out than I could possibly remember. They happen, it's part of the game. But two things make this type of thing mock-worthy. 1) MS has more net worth than most countries. They need to be held to a standard that their size and resources dictate. 2) Bill has quite publicly stated that security is now their number one priority. I for one have not seen any improvement in that department.

    -B

  21. Remind me of a conversation I had with my employer by Rogerborg · · Score: 3, Funny
    IT guy: Since you keep pestering us about network issues, we've decided to let you trial our new teleworker VPN.
    Me: 'kay, what are we using?
    IT guy: eSmith VPN
    Me: Which is? PPTP VPN? IpSec?
    IT guy: What? Use Windows 2K VPN to connect.
    Me: Uh, right. I'll be using PPTP on my linux box, is that all right?
    IT guy: No way!
    Me: Why not?
    IT guy: It's not on the approved software list, therefore it's a potential security risk.
    Me: Uhhh... all right. Then I'll use Win2K VPN.
    IT guy: Really?
    Me: Sure, as far as you know.

    Which pretty much sums up commercial IT. Better the devil you know than the devil you don't.

    --
    If you were blocking sigs, you wouldn't have to read this.