SecurityTracker.com
Category:   Device (Encryption/VPN)  >   WatchGuard Firebox
Vendors:   WatchGuard
Watchguard Firebox II VPN Feature (PPTP) Can Be Remotely Crashed
SecurityTracker Alert ID:  1000939
SecurityTracker URL:  http://securitytracker.com/id/1000939
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Feb 16 2001
Original Entry Date:  Feb 16 2001
Impact:   Denial of service via network

Version(s): Policy manager version 4.50-B1780, Watchguard product version 4.50-612, possibly previous versions as well
Description:   It is reportedly possible to remotely cause the Watchguard PPTP daemon to crash by sending malformed PPTP packets to the firewall/VPN. After the crash, a reboot is required to restore PPTP functionality to the Watchguard device.

Defcom Labs reports that connecting to the PPTP port with telnet approximately 12 times and then disconnecting causes the PPTP daemon to terminate.

Impact:   When the PPTP daemon crashes, all connected users will be disconnected and no new connections will be accepted. The device must be rebooted before the PPTP service will function properly.
Solution:   Obtain the patch from the vendor (requires a service contract).
Vendor URL:  www.watchguard.com/
Cause:   Exception handling error

Message History:   None.


 Source Message Contents

Subject:  def-2001-07: Watchguard Firebox II PPTP DoS


======================================================================
                  Defcom Labs Advisory def-2001-07

     Watchguard Firebox II PPTP DoS

Author: Andreas Sandor <andreas.sandor@defcom.com>
Release Date: 2001-02-14
======================================================================
------------------------=[Brief Description]=-------------------------
By sending malformed PPTP packets to the Watchguard, it is possible to
cause the PPTP Daemon to terminate. It requires a reboot to restore
PPTP functionality to the Watchguard.

------------------------=[Affected Systems]=--------------------------
Watchguard FireboxII
Versions
 * Policy manager version 4.50-B1780
 * Watchguard product version 4.50-612
Previous firmware versions are likely to be vulnerable as well.

----------------------=[Detailed Description]=------------------------
Connecting to the PPTP port with telnet roughly 12 times and
disconnecting causes the PPTP Daemon to terminate. When it does so, all
connected users will be disconnected and no new connections will be
accepted.

If you look at the traffic monitor during the attack, it will look
like this:

pptpd[113]:  Watchguard pptpd 2.2.0 started
pptpd[113]:  Using interface pptp0
kernel:  pptp0: daemon attached.
pptpd[113]:  Connect: pptp0 [0] <--> 10.2.0.7
pptpd[113]:  User "test" at 10.45.0.150 logged in
pptpd[113]:  Add Host 7 10.45.0.150 pptp_users test succeeded
pptpd[113]:  Compression enabled
pptpd[113]:  Using PPTP encryption RC4 128-bit.
pptpd[113]:  Not using any PPTP software compression.
pptpd[113]:  Using stateless mode.
pptpd[113]:  Allowing unsafe packet transfer mode for lossy links.
pptpd[113]:  local  IP address 10.45.0.9
pptpd[113]:  remote IP address 10.45.0.150
pptpd[113]:  found interface eth1 for proxy arp
tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
tunneld[95]:  process_rfds: received bad packet from 10.2.0.7
tunneld[95]:  process_rfds: exceeded maximum number of consecutive bad packets from 10.2.0.7
pptpd[113]:  Terminating on signal 2.
pptpd[113]:  Connection terminated.
pptpd[113]:  Persist flag not set, so we are exiting.
kernel:  pptp0: pptp_sock_close
pptpd[113]:  Drop Host 7 10.45.0.150 pptp_users test succeeded
pptpd[113]:  User "test" at 10.45.0.150 logged out
pptpd[113]:  Exit.
tunneld[95]:  TERMINATED
init[1]:  Pid 95: exit 0

The only way to get the daemon up again is by rebooting the firewall.

---------------------------=[Workaround]=-----------------------------
Obtaining the patch for this issue requires membership of LiveSecurity
http://www.watchguard.com/support

Information about LiveSecurity can be obtained from the vendor
http://www.watchguard.com

-------------------------=[Vendor Response]=--------------------------
The Vendor was contacted January 24th, 2001 and a patch was released
on February 9th, 2001.

======================================================================
            This release was brought to you by Defcom Labs

              labs@defcom.com             www.defcom.com
======================================================================
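
Added example (not part of the Defcom Labs advisory or the SecurityTracker entry): a log check for the sequence shown in the advisory's traffic-monitor excerpt, where repeated tunneld "bad packet" records from one source are followed by the consecutive-bad-packet limit and the pptpd/tunneld exit. It assumes the message formats are exactly those in the excerpt; the function names, the warn_at threshold and the 192.0.2.x addresses are constructed for illustration.

```python
import re

# Constructed sample in the format of the advisory's traffic-monitor excerpt.
# 192.0.2.10 is a documentation address; one record is deliberately wrapped
# across two lines, as happens when such logs are pasted into mail.
SAMPLE = (
    'pptpd[113]:  User "test" at 10.45.0.150 logged in\n'
    + "tunneld[95]:  process_rfds: received bad packet from 192.0.2.10\n" * 10
    + "tunneld[95]:  process_rfds: exceeded maximum number of consecutive bad\n"
    "packets from 192.0.2.10\n"
    "pptpd[113]:  Terminating on signal 2.\n"
    "pptpd[113]:  Exit.\n"
    "tunneld[95]:  TERMINATED\n"
)

RECORD = re.compile(r"^(\w+)(?:\[\d+\])?:\s+(.*)$")   # "proc[pid]:  message"
BAD = re.compile(r"process_rfds: received bad packet from (\S+)")
LIMIT = re.compile(r"exceeded maximum number of consecutive bad packets from (\S+)")

def records(text):
    """Yield [proc, message], re-joining records that were line-wrapped."""
    current = None
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            if current:
                yield current
            current = [m[1], m[2].strip()]
        elif current and line.strip():
            current[1] += " " + line.strip()   # continuation of previous record
    if current:
        yield current

def analyze(text, warn_at=5):
    """Map source IP -> finding for sources that hit the limit or warn_at."""
    findings, tripped = {}, None
    new = lambda: {"bad_packets": 0, "limit_hit": False, "service_down": False}
    for proc, msg in records(text):
        bad, limit = BAD.search(msg), LIMIT.search(msg)
        if proc == "tunneld" and bad:
            findings.setdefault(bad[1], new())["bad_packets"] += 1
        elif proc == "tunneld" and limit:
            tripped = limit[1]
            findings.setdefault(tripped, new())["limit_hit"] = True
        elif tripped and (msg == "TERMINATED" or msg.startswith("Terminating on signal")):
            findings[tripped]["service_down"] = True   # daemons exited after the trip
    return {s: f for s, f in findings.items()
            if f["limit_hit"] or f["bad_packets"] >= warn_at}
```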

 
 



Copyright 2017, SecurityGlobal.net LLC