[NEWS] Watchguard Firebox PPTP VPN User Enumeration Vulnerability

Subject: [NEWS] Watchguard Firebox PPTP VPN User Enumeration Vulnerability
Date: 6 Apr 2008 08:30:10 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Watchguard Firebox PPTP VPN User Enumeration Vulnerability
------------------------------------------------------------------------


SUMMARY

The Firebox X family of UTM security appliances 
(http://www.watchguard.com/products/) delivers "the industry's best combination 
of strong security, reliability, and performance, all at a compelling price point". 
The PPTP VPN service offered by Watchguard Firebox allows valid usernames 
to be enumerated.

DETAILS

Vulnerable Systems:
 * Watchguard Firebox software prior to version 10

Immune Systems:
 * Watchguard Firebox software version 10

Technical Background:
The Watchguard Firebox can be configured to allow remote user access 
through the use of the PPTP VPN service. When enabled this can normally be 
detected remotely through the presence of an open TCP port (1723) and the 
device's acceptance of the GRE protocol (IP protocol number 47).

The PPTP VPN service uses MS-CHAPv2 for authentication. This relies on a 
challenge/response mechanism in order to successfully authenticate users. 
When a remote user attempts to authenticate with the PPTP VPN service, an 
MS-CHAPv2 packet should be returned indicating success or failure. Failure 
is indicated by the return of a code 4 MS-CHAPv2 packet. This packet will 
additionally contain a value of the form E=<error_number>, which indicates 
the type of error that occurred. A list of common error codes is given 
below:
 * 646 ERROR_RESTRICTED_LOGON_HOURS
 * 647 ERROR_ACCT_DISABLED
 * 648 ERROR_PASSWD_EXPIRED
 * 649 ERROR_NO_DIALIN_PERMISSION
 * 691 ERROR_AUTHENTICATION_FAILURE
 * 709 ERROR_CHANGING_PASSWORD

The vulnerability occurs as a consequence of differences in the error 
codes returned in the failure packet which are dependent on whether or not 
the username supplied is valid. When a valid username is given with an 
incorrect password the following response is returned:

sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x444fc9b9> <accomp>]
rcvd [LCP ConfReq id=0x1 <mru 338> <auth chap MS-v2> <magic 0xfa52b227> <pcomp> <accomp>]
sent [LCP ConfRej id=0x1 <pcomp>]
rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>]
sent [LCP ConfReq id=0x2 <magic 0x444fc9b9> <accomp>]
rcvd [LCP ConfReq id=0x2 <mru 338> <auth chap MS-v2> <magic 0xfa52b227> <accomp>]
sent [LCP ConfAck id=0x2 <mru 338> <auth chap MS-v2> <magic 0xfa52b227> <accomp>]
rcvd [LCP ConfAck id=0x2 <magic 0x444fc9b9> <accomp>]
sent [LCP EchoReq id=0x0 magic=0x444fc9b9]
rcvd [CHAP Challenge id=0x1 <d15340ea7112ac46f240e4f18fe2a278>, name = "watchguard"]
sent [CHAP Response id=0x1 <73469ca9bed04ea6f0e5d1be49b47a1a0000000000000000f424ac68e1231f756e1657a2bc25efcd3b7ba78110bcf48201>, name = "valid_username"]
rcvd [LCP EchoRep id=0x0 magic=0xfa52b227]
rcvd [CHAP Failure id=0x1 "E=691 R=1 Try again"]
MS-CHAP authentication failed: E=691 Authentication failure
CHAP authentication failed

However, when an invalid username is supplied, the following response is 
received:

sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x9689f323> <accomp>]
rcvd [LCP ConfReq id=0x1 <mru 338> <auth chap MS-v2> <magic 0x245cdcee> <pcomp> <accomp>]
sent [LCP ConfRej id=0x1 <pcomp>]
rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>]
sent [LCP ConfReq id=0x2 <magic 0x9689f323> <accomp>]
rcvd [LCP ConfReq id=0x2 <mru 338> <auth chap MS-v2> <magic 0x245cdcee> <accomp>]
sent [LCP ConfAck id=0x2 <mru 338> <auth chap MS-v2> <magic 0x245cdcee> <accomp>]
rcvd [LCP ConfAck id=0x2 <magic 0x9689f323> <accomp>]
sent [LCP EchoReq id=0x0 magic=0x9689f323]
rcvd [CHAP Challenge id=0x1 <d15340ea7112ac46f240e4f18fe2a278>, name = "watchguard"]
sent [CHAP Response id=0x1 <73469ca9bed04ea6f0e5d1be49b47a1a0000000000000000f424ac68e1231f756e1657a2bc25efcd3b7ba78110bcf48201>, name = "invalid_username"]
rcvd [LCP EchoRep id=0x0 magic=0x245cdcee]
rcvd [CHAP Failure id=0x1 "E=649 R=1 Try again"]
MS-CHAP authentication failed: E=649
CHAP authentication failed

As can be seen, the error codes differ according to whether a valid or 
invalid username is supplied. A valid username results in an "E=691 
Authentication Failure" error response, whereas an invalid username 
results in an "E=649 No dialin permission" error response. This difference 
can be used to discriminate between valid and invalid users. The ability 
to determine valid usernames would allow an attacker to conduct password 
guessing attacks against the PPTP VPN service much more efficiently as 
they would be able to target only those usernames known to be valid. A 
compromised account could then be used to access the internal network 
normally protected by the PPTP VPN service. Additionally, it is common for 
organisations to use standard username formats across systems. Therefore, 
usernames determined to be valid may be used to aid an attacker in 
penetrating other systems. They may also be useful in conducting social 
engineering attacks, as knowledge of valid usernames may allow an attacker 
to appear to be more informed than an outsider would be expected to be.
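A small check, added here and not part of the advisory, that an administrator can run over two pppd debug transcripts captured from their own test connections (one for an account known to exist, one for a made-up name) to tell whether an appliance answers the two cases with different CHAP Failure codes. The transcripts embedded below are constructed samples abridged to the CHAP lines of the format shown above, with placeholder response hashes; the failure message fields E=, R=, C=, V= and M= follow the MS-CHAPv2 Failure packet layout of RFC 2759, of which the advisory's "E=691 R=1 Try again" is one instance.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample transcripts: the CHAP lines of the pppd debug output
# shown in the advisory, for a known account and for a non-existent one.
# The response hashes are placeholders, not captured values.
VALID_USER_TRANSCRIPT = """\
rcvd [CHAP Challenge id=0x1 <d15340ea7112ac46f240e4f18fe2a278>, name = "watchguard"]
sent [CHAP Response id=0x1 <0000placeholder0000>, name = "valid_username"]
rcvd [LCP EchoRep id=0x0 magic=0xfa52b227]
rcvd [CHAP Failure id=0x1 "E=691 R=1 Try again"]
MS-CHAP authentication failed: E=691 Authentication failure
"""

INVALID_USER_TRANSCRIPT = """\
rcvd [CHAP Challenge id=0x1 <d15340ea7112ac46f240e4f18fe2a278>, name = "watchguard"]
sent [CHAP Response id=0x1 <0000placeholder0000>, name = "invalid_username"]
rcvd [LCP EchoRep id=0x0 magic=0x245cdcee]
rcvd [CHAP Failure id=0x1 "E=649 R=1 Try again"]
MS-CHAP authentication failed: E=649
"""

# MS-CHAPv2 failure codes listed in the advisory.
ERROR_NAMES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

RESPONSE_RE = re.compile(r'sent \[CHAP Response id=(0x[0-9a-fA-F]+) .*?name = "([^"]*)"\]')
FAILURE_RE = re.compile(r'rcvd \[CHAP Failure id=(0x[0-9a-fA-F]+) "([^"]*)"\]')
FIELD_RE = re.compile(r"^([ERCV])=(\S*)$")   # key=value tokens of the failure message


@dataclass
class ChapFailure:
    error: Optional[int]   # E= field, e.g. 691
    retry: Optional[int]   # R= field, 1 when the peer may retry
    message: str           # trailing free text, or the M= field


def parse_failure_message(msg: str) -> ChapFailure:
    """Split a Failure message such as 'E=691 R=1 Try again' into its fields.

    E=, R=, C= and V= are space-separated key=value tokens; any other token,
    or everything after an 'M=' token, is the human-readable message.
    """
    fields = {}
    message_parts = []
    tokens = msg.split()
    for i, tok in enumerate(tokens):
        if tok.startswith("M="):
            message_parts = [" ".join(tokens[i:])[2:]]
            break
        m = FIELD_RE.match(tok)
        if m:
            fields[m.group(1)] = m.group(2)
        else:
            message_parts.append(tok)
    return ChapFailure(
        error=int(fields["E"]) if fields.get("E", "").isdigit() else None,
        retry=int(fields["R"]) if fields.get("R", "").isdigit() else None,
        message=" ".join(message_parts),
    )


def extract_attempts(transcript: str) -> List[Tuple[str, ChapFailure]]:
    """Pair each 'sent CHAP Response' with the 'rcvd CHAP Failure' of the same id."""
    pending = {}    # CHAP id -> username still waiting for its failure packet
    attempts = []
    for line in transcript.splitlines():
        m = RESPONSE_RE.search(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = FAILURE_RE.search(line)
        if m and m.group(1) in pending:
            attempts.append((pending.pop(m.group(1)), parse_failure_message(m.group(2))))
    return attempts


def failure_codes_differ(known_user_transcript: str, unknown_user_transcript: str):
    """Return (code_for_known_user, code_for_unknown_user, leaks).

    leaks is True when a known account and a non-existent one are rejected
    with different E= codes, i.e. the failure packet acts as a username oracle.
    """
    known = extract_attempts(known_user_transcript)
    unknown = extract_attempts(unknown_user_transcript)
    if not known or not unknown:
        raise ValueError("transcript contains no CHAP Response/Failure pair")
    known_code = known[-1][1].error
    unknown_code = unknown[-1][1].error
    return known_code, unknown_code, known_code != unknown_code


if __name__ == "__main__":
    k, u, leaks = failure_codes_differ(VALID_USER_TRANSCRIPT, INVALID_USER_TRANSCRIPT)
    print(f"known account   -> E={k} {ERROR_NAMES.get(k, '?')}")
    print(f"unknown account -> E={u} {ERROR_NAMES.get(u, '?')}")
    print("failure code reveals whether a username exists" if leaks else "failure codes are uniform")
```

A fixed device should report the same code for both transcripts; anything else means the appliance, or a RADIUS server behind it, is still distinguishing the two cases.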

Impact:
The impact of this vulnerability is that password guessing attacks can be 
performed much more efficiently by conducting them only against those 
usernames known to be valid. Additionally, these usernames may be valid on 
other systems and may also aid social engineering attacks.

Cause:
During the MS-CHAPv2 authentication handshake different error codes are 
returned depending on whether or not the username supplied is valid.
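The cause above is a server-side design decision, illustrated here with a constructed example that is not Watchguard's code or its version 10 fix: a leaky handler that answers an unknown username with E=649 and a known username with a wrong password with E=691, beside a hardened handler that returns E=691 for every failed credential check and only surfaces account-state codes (disabled, no dial-in permission) once the password has been verified. The account store, the names and the plaintext password comparison standing in for the MS-CHAPv2 challenge/response verification are all assumptions of the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict

# MS-CHAPv2 failure codes named in the advisory.
ERROR_ACCT_DISABLED = 647
ERROR_NO_DIALIN_PERMISSION = 649
ERROR_AUTHENTICATION_FAILURE = 691


@dataclass
class Account:
    password: str           # stand-in for the credential an MS-CHAPv2 server verifies
    dialin_allowed: bool
    disabled: bool = False


# Constructed user store for the example.
USERS: Dict[str, Account] = {
    "alice": Account(password="correct horse", dialin_allowed=True),
    "bob": Account(password="battery staple", dialin_allowed=False),
}

Handler = Callable[[str, str], str]


def failure_packet(code: int) -> str:
    """Render the message carried in a CHAP Failure packet, in the
    'E=<code> R=1 Try again' form seen in the advisory's transcripts."""
    return f"E={code} R=1 Try again"


def leaky_handler(username: str, password: str) -> str:
    """Behaviour the advisory describes: the code depends on whether the
    username exists, before any credential has been checked."""
    account = USERS.get(username)
    if account is None:
        return failure_packet(ERROR_NO_DIALIN_PERMISSION)    # reveals: no such user
    if account.disabled:
        return failure_packet(ERROR_ACCT_DISABLED)           # reveals: user exists
    if account.password != password:
        return failure_packet(ERROR_AUTHENTICATION_FAILURE)  # reveals: user exists
    if not account.dialin_allowed:
        return failure_packet(ERROR_NO_DIALIN_PERMISSION)
    return "SUCCESS"


def uniform_handler(username: str, password: str) -> str:
    """Hardened variant: unknown user and wrong password are indistinguishable
    (both E=691). Account-state codes are reported only to a peer that has
    already proven knowledge of the password, so they reveal nothing new."""
    account = USERS.get(username)
    if account is None or account.password != password:
        return failure_packet(ERROR_AUTHENTICATION_FAILURE)
    if account.disabled:
        return failure_packet(ERROR_ACCT_DISABLED)
    if not account.dialin_allowed:
        return failure_packet(ERROR_NO_DIALIN_PERMISSION)
    return "SUCCESS"


def error_code(packet: str) -> int:
    """Pull the E= value out of a failure message (0 for SUCCESS)."""
    for tok in packet.split():
        if tok.startswith("E="):
            return int(tok[2:])
    return 0


def reveals_username_validity(handler: Handler) -> bool:
    """Audit check: does a known account with a wrong password get a different
    failure code than a name that does not exist? True means the handler is
    the kind of username oracle the advisory describes."""
    known = error_code(handler("alice", "definitely-wrong"))
    unknown = error_code(handler("no_such_user", "definitely-wrong"))
    return known != unknown


if __name__ == "__main__":
    for name, handler in (("leaky", leaky_handler), ("uniform", uniform_handler)):
        verdict = "leaks" if reveals_username_validity(handler) else "does not leak"
        print(f"{name} handler {verdict} username validity")
```

The same rule applies when authentication is delegated to a RADIUS or domain server: the code that reaches the PPTP client must be collapsed to E=691 for every unverified credential, otherwise a downstream server's more specific rejection reasons reintroduce the oracle.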

Interim Workaround:
The vulnerability cannot be used to request valid usernames but only to 
determine whether a given username is valid. Consequently, ensuring all 
usernames are difficult to guess will provide some protection against this 
vulnerability.

Solution:
Watchguard have addressed this issue as of version 10 of their Firebox 
software: https://www.watchguard.com/archive/softwarecenter.asp

CVE Information:
CVE-2008-1618: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1618


ADDITIONAL INFORMATION

The information has been provided by Luke Jennings.
The original article can be found at:
http://www.mwrinfosecurity.com/publications/mwri_watchguard-firebox-pptp-vpn-user-enumeration-advisory_2008-04-04.pdf



