PPTP Vulnerable to Attack
Reported July 13, 1998 by Aleph One on BugTraq

SYSTEMS AFFECTED
From: Aleph One <aleph1@DFW.NET>
In case you didn't catch it, I wrote a little article for Phrack summarizing the different PPTP vulnerabilities. All of it has already been discussed except for one item. I mentioned this vulnerability on NTBugTraq a couple of months ago but no one paid much attention.
To make it short, an attacker that can masquerade as a PPTP server (via DNS cache poisoning, etc.) can obtain the connecting user's password hashes if the user is naive enough to change his password when the server tells him his password has expired.
The problem affects both the Windows NT PPTP client with the latest updates and the latest Windows 95 Dial-Up Networking. Attached you will find a small program that demonstrates the problem. It fixes some minor bugs in the Phrack article (don't you love -Wall -pedantic).

Aleph One / firstname.lastname@example.org
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

SAMPLE SOURCE CODE
A document about PPTP is located here.
To learn more about new NT security concerns, subscribe to NTSD.

Credit:
Reported by: Aleph One on BugTraq
Posted here at NTSecurity.Net July 14, 1998