PPTP Vulnerable to Attack
Reported July 13, 1998 by Aleph One on BugTraq

SYSTEMS AFFECTED
  • Microsoft Windows PPTP clients and servers

DESCRIPTION

From: Aleph One <aleph1@DFW.NET>
Subject: PPTP Password Theft Vulnerability
X-To: ntbugtraq@listserv.ntbugraq.com
X-cc: secure-nt@wwa.com, ntsecurity@iss.net
To: BUGTRAQ@NETSPACE.ORG

In case you didn't catch it, I wrote a little article for Phrack summarizing the different PPTP vulnerabilities. All of it has already been discussed except for one item. I mentioned this vulnerability on NTBugTraq a couple of months ago but no one paid much attention.

To make it short, an attacker that can masquerade as a PPTP server (via DNS cache poisoning, etc) can obtain the connecting user's password hashes if the user is naive enough to change his password when the server tells him his password has expired.

The problem affects both the Windows NT PPTP client with the latest updates and the latest Windows 95 Dial-Up Networking. Attached you will find a small program that demonstrates the problem. It fixes some minor bugs in the Phrack article (don't you love -Wall -pedantic).

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

SAMPLE SOURCE CODE

Download deceit.c by Aleph One, or view the source online.
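Added example, not deceit.c and not code from the advisory: a small Python detector for the exchange Aleph One describes, a Failure message claiming the password has expired followed by the client's change-password packet. The CHAP header layout, the MS-CHAP v1 packet codes and the error number 648 are taken from RFC 1994 and RFC 2433 (an assumption about the wire format; the advisory itself only names the behaviour), and the sample packets are constructed with zeroed hash fields.

```python
import re
import struct

# MS-CHAP v1 codes and the expiry error come from RFC 2433 (assumed here, not from the advisory).
CHAP_FAILURE, CHAP_CHANGE_PASSWORD_1, CHAP_CHANGE_PASSWORD_2 = 4, 5, 6
ERROR_PASSWD_EXPIRED = 648   # "E=648" in a Failure message makes the client offer a password change

def chap(code: int, ident: int, payload: bytes) -> bytes:
    """Build a CHAP packet: Code(1) Identifier(1) Length(2) payload (RFC 1994 header)."""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

def parse_chap(pkt: bytes):
    """Return (code, identifier, payload); reject a mis-sized header."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])   # struct.error if under 4 bytes
    if length < 4 or length > len(pkt):
        raise ValueError("bad CHAP length field")
    return code, ident, pkt[4:length]

def expired_error(failure_payload: bytes):
    """Extract the E= error number from an MS-CHAP Failure message, or None."""
    m = re.search(rb"E=(\d+)", failure_payload)
    return int(m.group(1)) if m else None

def classify(pkt: bytes) -> str:
    code, _, payload = parse_chap(pkt)
    if code == CHAP_FAILURE and expired_error(payload) == ERROR_PASSWD_EXPIRED:
        return "server-claims-password-expired"
    if code == CHAP_CHANGE_PASSWORD_1 and len(payload) == 68:  # 4 x 16-byte hashes + length + flags
        return "client-sent-password-hashes"
    if code == CHAP_CHANGE_PASSWORD_2:
        return "client-sent-encrypted-hashes"
    return "other"

def audit(session) -> bool:
    """True when an 'expired' Failure is followed by a client change-password packet."""
    seen_expired = False
    for pkt in session:
        kind = classify(pkt)
        if kind == "server-claims-password-expired":
            seen_expired = True
        elif seen_expired and kind.startswith("client-sent"):
            return True
    return False

# Constructed sample exchange (zeroed hash fields, no real credentials): fake expiry, then the reply.
SAMPLE_FAILURE = chap(CHAP_FAILURE, 1, b"E=648 R=0 M=Your password has expired")
SAMPLE_CHANGE_PW = chap(CHAP_CHANGE_PASSWORD_1, 2, b"\x00" * 64 + b"\x00\x08" + b"\x00\x00")
```

Feeding `audit()` the CHAP packets of a PPP session, in order, flags the one exchange a rogue server is fishing for; a genuine expiry notice from the real server looks the same on the wire, so the flag is a prompt to confirm the server's identity rather than a verdict.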

MICROSOFT'S RESPONSE

A document about PPTP is located here.

Credit:
Reported by: Aleph One on BugTraq
Posted here at NTSecurity.Net July 14, 1998