
Counterpane PPTP paper


  • To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
  • Subject: Counterpane PPTP paper
  • From: Aleph One <aleph1nationwide.net>
  • Date: Mon, 1 Jun 1998 11:04:11 -0500
  • Comments: cc: ntsecurityiss.net, brian_mcwilliamspcworld.com
  • Reply-To: Aleph One <aleph1nationwide.net>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>

In case you haven't seen it, Counterpane has released a paper describing a
number of vulnerabilities in PPTP. You can find it at
http://www.counterpane.com/pptp.html. Here is a small summary of the
vulnerabilities described in the paper.

1) Breaking MS-CHAP. The fact that you can crack the challenge/response
via a dictionary attack has been known for a while. I mentioned it in my posts
to the list. What the paper shows is that it is easier than normal. In the
case of MS-CHAP the LANMAN hash is broken into three pieces. These
three pieces can be cracked independently, just like the two sections of
the LANMAN hash. They fail to mention the latest version of the software
has the ability to not send the LANMAN based hash.

2) MPPE does not encrypt all PPP packets. Only those carrying data
(protocol number between 0x0021 and 0x00fa). This means you can attack the
PPP protocol itself like spoofing the configuration packet containing the
DNS server info.

3) Claiming that PPTP is either 40-bit or 128-bit secure is misleading.
The session key is derived from the user's password. The password will have
a much lower entropy. The only way to reach true 40-bit or 128-bit
security is by generating a random session key.

4) They state that the same key is used in both directions. I mentioned
this as well on my post. This is a no-no when using stream ciphers.

5) Since RC4 is an output-feedback mode stream cipher you can flip bits
in the stream. This may be used to attack the protocol within the tunnel
if the attacker can make a good guess at what the packets are.

6) They mention a resynchronization attack similar to the attack I
describe. They fail to mention the new stateless mode of operation
described in the new draft and implemented in the latest Windows NT PPTP
update and Windows DUN 1.3 (is this out?) makes this attack useless.

7) They describe how to obtain some information by passively monitoring
the client/server communications.

8) Implementation errors on Windows NT that caused Blue Screens when
malformed control channel packets were sent to it. I pointed at an
example from a BugTraq subscriber in my earlier messages.

9) Windows 95 leaks information over the control channel by not zeroing
buffers. Random data appears in them.

Aleph One / aleph1dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
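
Items 4 and 5 of the summary above, as an added example that is not part of the original post or the Counterpane paper: it shows why one RC4 key for both directions cancels out of the XOR of the two ciphertexts, and why an unauthenticated stream cipher passes attacker-chosen bit changes through to the plaintext. The keys and packets are constructed, and the model is simplified to a single fixed-key RC4 stream per direction, which ignores MPPE's framing and key changes.

```python
# Added illustration; RC4 is implemented inline so the block runs offline.
# Assumption: each direction is one RC4 stream under a fixed key.

def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key schedule, then XOR the keystream over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

SESSION_KEY = bytes.fromhex("0102030405")  # constructed 40-bit key
OTHER_KEY = b"s2c-direction"               # constructed per-direction key
CLIENT_PKT = b"GET /payroll.txt"           # constructed client->server data
SERVER_PKT = b"200 OK salary=42"           # constructed server->client data

def direction_xor(k_c2s: bytes, k_s2c: bytes) -> bytes:
    """XOR of the two directions' ciphertexts, as seen on the wire."""
    return xor(rc4(k_c2s, CLIENT_PKT), rc4(k_s2c, SERVER_PKT))

def recover_with_known_plaintext() -> bytes:
    """Item 4: with a shared key the keystream cancels, so knowing one
    direction's plaintext yields the other's without the key."""
    return xor(direction_xor(SESSION_KEY, SESSION_KEY), CLIENT_PKT)

def flip_bits() -> bytes:
    """Item 5: no integrity check, so a delta XORed into the ciphertext
    lands unchanged in the plaintext the receiver decrypts."""
    c = bytearray(rc4(SESSION_KEY, SERVER_PKT))
    delta = xor(b"42", b"99")
    c[-2] ^= delta[0]
    c[-1] ^= delta[1]
    return rc4(SESSION_KEY, bytes(c))

if __name__ == "__main__":
    print(recover_with_known_plaintext())
    print(flip_bits())
```

With a distinct key per direction the ciphertext XOR no longer equals the plaintext XOR; the bit-flip case is only closed by adding a keyed integrity check over each packet.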