Microsoft pptp vpn vulnerabilities Exploits in Action

© SANS Institute 2000 - 200
                                                5
, Author retains full rights.
 
 
 
 
 
 
 
 
 
 
 
 
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 
 
© SANS Institute 2000 - 200
5                                                                                                                 
Author retains full rights.
43
PPTP Attack #1:
Didn't crash it instantly as was reported on NTBugtraq by Kirk Corey 
kcorey@DSI-INC.NET
,  but did notice that server went from 0% CPU utilization 
to starting to climb, it would fluctuate about 10% for example, 3 to 13, 4 to 14, 5 
to 15, as high as 15,but did not go down.
As soon as the attack stopped it would drop back to 0-1% (normal).
Tested to see if it is at least a DoS to prevent PPTP clients from 
connecting to server, results were: 
Attack did make server unresponsive to PPTP requests even after the 
attack was over, though the system was back down to 0-1%. The client never 
received a completed handshake response and would time out. The server 
"appeared" normal, so, on a hunch I decided to reboot the system, as soon as I 
started the "Restart windows" process, the system dumped to blue screen with 
the following message:
"*** STOP: 0X0000001E (0XC00000005,0x00000000,0x00000028)
KMODE_EXCEPTION_NOT_HANDLED"
This machine had only been up for a few hours.
The server system was a custom built, no-name brand
Server: NT 4.0 Enterprise Server, (Default install comes with SP3), regular RAS 
PPTP.
Pentium 233MMX
256 MB EDO RAM
ATI All in wonder video card
SB AWE32 ISA sound card
AWARD BIOS version 4.51PG
Motherboard TX97-E Asus
Note: tried this on various very different configurations of hardware, and had 
basically the same exact results.
Verification with same system:
Verified client could connect.
Disconnected client.
Ran attack
Results:
Only ran the attack for 30 seconds, during which time the client couldn't finish 
establishing a connection.
After stopping the attack, all further attempts by client to connect failed.
Same result, start> shutdown> shutdown, it closes windows, and then blue 
screens.
Message this time same except (0xc0000005,0x8016D0CE,0x000....)
Same test as above but attack for only 5 seconds:
Results:
0

Download 2 Mb.

Do'stlaringiz bilan baham: