Source: securityvulns, SECURITYVULNS:DOC:1291 (Feb 14, 2001)

def-2001-07: Watchguard Firebox II PPTP DoS

2001-02-14 00:00:00, vulners.com

======================================================================
Defcom Labs Advisory def-2001-07

 Watchguard Firebox II PPTP DoS

Author: Andreas Sandor <[email protected]>
Release Date: 2001-02-14

------------------------=[Brief Description]=-------------------------
By sending malformed PPTP packets to the Watchguard, it is possible to
cause the PPTP daemon to terminate. A reboot is required to restore
PPTP functionality to the Watchguard.

------------------------=[Affected Systems]=--------------------------
Watchguard Firebox II
Versions:

  • Policy Manager version 4.50-B1780
  • Watchguard product version 4.50-612

Previous firmware versions are likely to be vulnerable as well.

----------------------=[Detailed Description]=------------------------
Connecting to the PPTP port with telnet roughly 12 times and
disconnecting causes the PPTP daemon to terminate. When it does so, all
connected users are disconnected and no new connections are
accepted.

If you look at the traffic monitor during the attack, it will look
like this:

pptpd[113]: Watchguard pptpd 2.2.0 started
pptpd[113]: Using interface pptp0
kernel: pptp0: daemon attached.
pptpd[113]: Connect: pptp0 [0] <-> 10.2.0.7
pptpd[113]: User "test" at 10.45.0.150 logged in
pptpd[113]: Add Host 7 10.45.0.150 pptp_users test succeeded
pptpd[113]: Compression enabled
pptpd[113]: Using PPTP encryption RC4 128-bit.
pptpd[113]: Not using any PPTP software compression.
pptpd[113]: Using stateless mode.
pptpd[113]: Allowing unsafe packet transfer mode for lossy links.
pptpd[113]: local IP address 10.45.0.9
pptpd[113]: remote IP address 10.45.0.150
pptpd[113]: found interface eth1 for proxy arp
tunneld[95]: process_rfds: received bad packet from 10.2.0.7
tunneld[95]: process_rfds: received bad packet from 10.2.0.7
tunneld[95]: process_rfds: received bad packet from 10.2.0.7
tunneld[95]: process_rfds: received bad packet from 10.2.0.7
tunneld[95]: process_rfds: received bad packet from 10.2.0.7
tunneld[95]: process_rfds: received bad packet from 10.2.0.7
tunneld[95]: process_rfds: received bad packet from 10.2.0.7
tunneld[95]: process_rfds: received bad packet from 10.2.0.7
tunneld[95]: process_rfds: received bad packet from 10.2.0.7
tunneld[95]: process_rfds: received bad packet from 10.2.0.7
tunneld[95]: process_rfds: exceeded maximum number of consecutive bad
packets from 10.2.0.7
pptpd[113]: Terminating on signal 2.
pptpd[113]: Connection terminated.
pptpd[113]: Persist flag not set, so we are exiting.
kernel: pptp0: pptp_sock_close
pptpd[113]: Drop Host 7 10.45.0.150 pptp_users test succeeded
pptpd[113]: User "test" at 10.45.0.150 logged out
pptpd[113]: Exit.
tunneld[95]: TERMINATED
init[1]: Pid 95: exit 0

The only way to get the daemon up again is by rebooting the firewall.
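A defender-side check on traffic-monitor output of the kind shown above, written here as an added example (it is not part of the Defcom advisory and not a Watchguard tool): it parses the tunneld/pptpd messages, tracks the run of consecutive "received bad packet" messages per source address, and raises an alert both when a run reaches a warning threshold and when the daemon reports the limit exceeded or exits. The sample log lines and the threshold value are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the traffic-monitor format from the advisory (not a real capture).
SAMPLE_LOG = """\
pptpd[113]: Watchguard pptpd 2.2.0 started
pptpd[113]: Connect: pptp0 [0] <-> 10.2.0.7
tunneld[95]: process_rfds: received bad packet from 10.2.0.7
tunneld[95]: process_rfds: received bad packet from 10.2.0.7
tunneld[95]: process_rfds: received bad packet from 10.2.0.7
tunneld[95]: process_rfds: exceeded maximum number of consecutive bad packets from 10.2.0.7
pptpd[113]: Terminating on signal 2.
tunneld[95]: TERMINATED
"""

BAD_PACKET = re.compile(r"tunneld\[\d+\]: process_rfds: received bad packet from (\S+)")
# The advisory wraps this message across two lines, so allow any whitespace before "packets".
EXCEEDED = re.compile(r"tunneld\[\d+\]: process_rfds: exceeded maximum number of consecutive bad\s*packets from (\S+)")
DAEMON_EXIT = re.compile(r"tunneld\[\d+\]: TERMINATED")


def analyse(log_text, warn_threshold=5):
    """Scan traffic-monitor lines and return peak bad-packet runs, alerts and daemon state."""
    runs = defaultdict(int)   # current consecutive bad-packet run per source address
    peak = defaultdict(int)   # longest run seen per source address
    alerts = []
    daemon_down = False
    for line in log_text.splitlines():
        m = BAD_PACKET.search(line)
        if m:
            src = m.group(1)
            runs[src] += 1
            peak[src] = max(peak[src], runs[src])
            if runs[src] == warn_threshold:   # warn early, before tunneld gives up
                alerts.append(f"WARN {src}: {warn_threshold} consecutive bad PPTP packets")
            continue
        m = EXCEEDED.search(line)
        if m:
            alerts.append(f"CRIT {m.group(1)}: tunneld bad-packet limit exceeded, pptpd will exit")
        elif DAEMON_EXIT.search(line):
            daemon_down = True
            alerts.append("CRIT tunneld terminated: PPTP stays down until the Firebox is rebooted")
        if line.startswith("tunneld"):        # any other tunneld message breaks the consecutive run
            runs.clear()
    return {"peak_runs": dict(peak), "alerts": alerts, "daemon_down": daemon_down}


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG, warn_threshold=3)["alerts"]:
        print(alert)
```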

---------------------------=[Workaround]=-----------------------------
Obtaining the patch for this issue requires membership in LiveSecurity:
http://www.watchguard.com/support

Information about LiveSecurity can be obtained from the vendor
http://www.watchguard.com

-------------------------=[Vendor Response]=--------------------------
The vendor was contacted on January 24th, 2001, and a patch was released
on February 9th, 2001.

======================================================================
This release was brought to you by Defcom Labs

          [email protected]             www.defcom.com

======================================================================