[pptp-server] blank username/password works!?

Justin Kreger jkreger at avidsolutionsinc.com
Fri Mar 2 06:04:02 CST 2001


How it could be fixed:

Check the length of the username and the secret after getting the secret; if
both are NULL (they would have to be for MSChap/MSChapV2 to even think about
working), write, let's say, an 8-bit random number into the password
field or the username field. This would kill MSChapV2: it would go through
the process and fail with Failed Username or Password.

On the subject of such things, is anybody aware of any Win2k
incompatibilities with pppd?

-----Original Message-----
From: Gill, Vern [mailto:vgill at technologist.com]
Sent: Friday, March 02, 2001 1:13 AM
To: 'Andrew W. Davis'; pptp-server at lists.schulte.org
Subject: RE: [pptp-server] blank username/password works!?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Holy Toledo Batman!!!! You are correct!!! It does not appear to be the
guest user, either. The log file reads mschap auth succeeded for user
<blank>.


This is a SERIOUS problem that I was not previously aware of. Thank
you for pointing that out... Wow!!! In testing I found that if you
actually specify a USERNAME in chap-secs it will fail on a blank
user.
I.E.
/etc/ppp/chap-secrets;
user1	*       &/etc/samba/smbpasswd   *
user2 *       &/etc/samba/smbpasswd   *
user3 *       &/etc/samba/smbpasswd   *
etc
etc

But it still allows users who are IN the file to work, even if they
DON'T exist in smbpasswd.
I.E.
/etc/smbpasswd;
user1:XXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-XXXXXXXX:
user2:XXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-XXXXXXXX:

Users 1, 2 AND 3 CAN LOGIN SUCCESSFULLY!!!!!

This is REAL bad... Maybe this is something to seriously look at the
code for. Too bad I know NOTHING about coding. I would not be of ANY
assistance, but I would LOVE to hear if a "correction" is made to
this...


Thanks again for pointing this out....


- ---> Running to nearest computer terminal to secure his network
against intrusion

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOp85gBeamMdwy9TXEQLmUgCgksF290fkMVzt3P6l0GBfdYCZ+tAAniDo
WI3GQspdWQ3YoBhgXY/bPO2y
=/Gx7
-----END PGP SIGNATURE-----
_______________________________________________
pptp-server maillist  -  pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!
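The two defensive checks discussed in this thread, written out as an added example (this is not code from the thread, from pppd, or from the pptp-server project): a fail-closed credential check that rejects an empty peer name or empty secret, which is the fix the reply proposes, and a small audit of chap-secrets text that counts entries whose client field is the wildcard "*", since Vern's testing shows that only entries naming a specific user reject a blank username. The chap-secrets content, the function names and the "client server secret [ip]" field layout used by the parser are assumptions made for the demonstration.

```c
/* Added example, not from the pptp-server thread or pppd itself:
 * 1. creds_acceptable(): fail closed when the peer name or the looked-up
 *    secret is empty (the check proposed in the reply above).
 * 2. audit_chap_secrets(): scan chap-secrets text and count entries whose
 *    client field is "*", because such entries match a blank username.
 * The sample chap-secrets text below is constructed for this example. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Return 1 if both name and secret are non-empty, else 0 (reject). */
int creds_acceptable(const char *name, const char *secret)
{
    if (name == NULL || secret == NULL)
        return 0;
    if (name[0] == '\0' || secret[0] == '\0')
        return 0;
    return 1;
}

/* Parse one chap-secrets line of the assumed form "client server secret [ip]".
 * Copies the client field into out (size outsz). Returns 1 if the line
 * carries an entry, 0 for blank or comment lines. */
static int parse_client_field(const char *line, char *out, size_t outsz)
{
    const char *p = line;
    size_t n = 0;

    while (*p && isspace((unsigned char)*p))
        p++;
    if (*p == '\0' || *p == '#')
        return 0;
    while (*p && !isspace((unsigned char)*p) && n + 1 < outsz)
        out[n++] = *p++;
    out[n] = '\0';
    return 1;
}

/* Count entries whose client field is "*". text is newline-separated. */
int audit_chap_secrets(const char *text)
{
    int wildcard = 0;
    char line[256];
    char client[64];
    const char *p = text;

    while (*p) {
        size_t len = strcspn(p, "\n");
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_client_field(line, client, sizeof client) &&
            strcmp(client, "*") == 0)
            wildcard++;
        p += len;
        if (*p == '\n')
            p++;
    }
    return wildcard;
}

/* Constructed sample: one wildcard entry, two named entries, one comment. */
static const char SAMPLE_SECRETS[] =
    "# client  server  secret                  IP\n"
    "*         *       &/etc/samba/smbpasswd   *\n"
    "user1     *       &/etc/samba/smbpasswd   *\n"
    "user2     *       &/etc/samba/smbpasswd   *\n";

int main(void)
{
    printf("wildcard client entries: %d\n", audit_chap_secrets(SAMPLE_SECRETS));
    printf("blank/blank accepted: %d\n", creds_acceptable("", ""));
    printf("user1/secret accepted: %d\n", creds_acceptable("user1", "s3cret"));
    return 0;
}
```

Running the program reports one wildcard entry for the sample and rejects the blank/blank pair while accepting a populated one; the audit is the configuration-side counterpart of the runtime check, flagging the "*" client entries that let a blank username match in the first place.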
