From peter.grundl@DEFCOM.COM Thu Feb 15 00:46:23 2001
From: Peter Gründl
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Wed, 14 Feb 2001 12:31:04 +0100
Subject: [BUGTRAQ] def-2001-07: Watchguard Firebox II PPTP DoS

======================================================================
                  Defcom Labs Advisory def-2001-07

                  Watchguard Firebox II PPTP DoS

Author: Andreas Sandor
Release Date: 2001-02-14
======================================================================

------------------------=[Brief Description]=-------------------------
By sending malformed PPTP packets to the Watchguard, it is possible to
cause the PPTP daemon to terminate. A reboot is required to restore
PPTP functionality to the Watchguard.

------------------------=[Affected Systems]=--------------------------
Watchguard Firebox II versions
* Policy Manager version 4.50-B1780
* Watchguard product version 4.50-612

Previous firmware versions are likely to be vulnerable as well.

----------------------=[Detailed Description]=------------------------
Connecting to the PPTP port with telnet roughly 12 times and
disconnecting causes the PPTP daemon to terminate. When it does so, all
connected users are disconnected and no new connections are accepted.

If you look at the traffic monitor during the attack, it will look
like this:

  pptpd[113]: Watchguard pptpd 2.2.0 started
  pptpd[113]: Using interface pptp0
  kernel: pptp0: daemon attached.
  pptpd[113]: Connect: pptp0 [0] <--> 10.2.0.7
  pptpd[113]: User "test" at 10.45.0.150 logged in
  pptpd[113]: Add Host 7 10.45.0.150 pptp_users test succeeded
  pptpd[113]: Compression enabled
  pptpd[113]: Using PPTP encryption RC4 128-bit.
  pptpd[113]: Not using any PPTP software compression.
  pptpd[113]: Using stateless mode.
  pptpd[113]: Allowing unsafe packet transfer mode for lossy links.
  pptpd[113]: local IP address 10.45.0.9
  pptpd[113]: remote IP address 10.45.0.150
  pptpd[113]: found interface eth1 for proxy arp
  tunneld[95]: process_rfds: received bad packet from 10.2.0.7
  tunneld[95]: process_rfds: received bad packet from 10.2.0.7
  tunneld[95]: process_rfds: received bad packet from 10.2.0.7
  tunneld[95]: process_rfds: received bad packet from 10.2.0.7
  tunneld[95]: process_rfds: received bad packet from 10.2.0.7
  tunneld[95]: process_rfds: received bad packet from 10.2.0.7
  tunneld[95]: process_rfds: received bad packet from 10.2.0.7
  tunneld[95]: process_rfds: received bad packet from 10.2.0.7
  tunneld[95]: process_rfds: received bad packet from 10.2.0.7
  tunneld[95]: process_rfds: received bad packet from 10.2.0.7
  tunneld[95]: process_rfds: exceeded maximum number of consecutive bad packets from 10.2.0.7
  pptpd[113]: Terminating on signal 2.
  pptpd[113]: Connection terminated.
  pptpd[113]: Persist flag not set, so we are exiting.
  kernel: pptp0: pptp_sock_close
  pptpd[113]: Drop Host 7 10.45.0.150 pptp_users test succeeded
  pptpd[113]: User "test" at 10.45.0.150 logged out
  pptpd[113]: Exit.
  tunneld[95]: TERMINATED
  init[1]: Pid 95: exit 0

The only way to get the daemon up again is by rebooting the firewall.

---------------------------=[Workaround]=-----------------------------
Obtaining the patch for this issue requires membership of LiveSecurity:
http://www.watchguard.com/support

Information about LiveSecurity can be obtained from the vendor:
http://www.watchguard.com

-------------------------=[Vendor Response]=--------------------------
The vendor was contacted January 24th, 2001 and a patch was released
on February 9th, 2001.

======================================================================
This release was brought to you by Defcom Labs

labs@defcom.com                                       www.defcom.com
======================================================================
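Added example, not part of the Defcom advisory: a small detector that scans traffic-monitor output for the signature shown above (a run of consecutive "received bad packet" lines from one source, the tunneld give-up message, and the pptpd exit) so an operator can be alerted before or when the daemon dies. The sample log is condensed from the advisory's excerpt, and the warn_after threshold is an assumed tuning value, not a Firebox setting.

```python
import re
from collections import defaultdict

# Log patterns taken from the traffic-monitor excerpt in the advisory.
BAD_PKT = re.compile(r"tunneld\[\d+\]: process_rfds: received bad packet from (\S+)")
EXCEEDED = re.compile(r"tunneld\[\d+\]: process_rfds: exceeded maximum number of "
                      r"consecutive bad packets from (\S+)")
PPTPD_EXIT = re.compile(r"pptpd\[\d+\]: (?:Terminating on signal \d+\.|Exit\.)")

# Constructed sample, condensed from the advisory's log (the ten identical
# "bad packet" lines are generated rather than typed out).
SAMPLE_LOG = (
    ["pptpd[113]: Watchguard pptpd 2.2.0 started",
     "pptpd[113]: Connect: pptp0 [0] <--> 10.2.0.7",
     'pptpd[113]: User "test" at 10.45.0.150 logged in']
    + ["tunneld[95]: process_rfds: received bad packet from 10.2.0.7"] * 10
    + ["tunneld[95]: process_rfds: exceeded maximum number of consecutive "
       "bad packets from 10.2.0.7",
       "pptpd[113]: Terminating on signal 2.",
       "pptpd[113]: Exit.",
       "tunneld[95]: TERMINATED"]
)


def analyse(lines, warn_after=5):
    """Scan log lines; warn_after (assumed value) is the run length at which a
    source is reported, before the device's own bad-packet limit is reached."""
    run = defaultdict(int)    # current run of consecutive bad packets per source
    peak = defaultdict(int)   # longest run observed per source
    exceeded, pptpd_exited = [], False
    for line in lines:
        m = BAD_PKT.search(line)
        if m:
            src = m.group(1)
            run[src] += 1
            peak[src] = max(peak[src], run[src])
            continue
        run.clear()           # any other log line breaks every run
        m = EXCEEDED.search(line)
        if m:
            exceeded.append(m.group(1))
        elif PPTPD_EXIT.search(line):
            pptpd_exited = True
    alerts = [f"{s}: {n} consecutive bad PPTP packets" for s, n in peak.items()
              if n >= warn_after]
    alerts += [f"{s}: device gave up on the tunnel (bad-packet limit hit)"
               for s in exceeded]
    if pptpd_exited:
        alerts.append("pptpd exited: PPTP is down until the Firebox is rebooted")
    return {"peak": dict(peak), "exceeded": exceeded,
            "pptpd_exited": pptpd_exited, "alerts": alerts}
```

Running analyse(SAMPLE_LOG) on the condensed excerpt reports the 10-packet run from 10.2.0.7, the give-up message, and the pptpd exit, which is the point at which the advisory says only a reboot restores PPTP.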