[pptp-server] Patch blank password/username

Godfrey Livingstone godfrey at hattaway-associates.com
Tue Mar 6 19:36:27 CST 2001


Justin Kreger wrote:

> My entire view on this issue is to just check to see if no password was
> returned by get_secret, or if there is no length to the username. (I think I
> check more in the patch I wrote.)  I have not tried Livingstone's patch, and
> to be to the point, as long as my patch works, I'm happy.  I really think
> this whole issue is a combination of bugs.  The fact pppd never seems to
> block null user and passwords in the first place disturbs me.
>

I am glad that you are happy with your fix. But it is not the correct solution,
as all you do is disallow passwords less than 3 characters long. What if you
wanted a password to be three characters long? Also, people may want to use * as
a password, which means an actual * and not a blank in any case (try it and see).

As for

@@ -574,7 +573,19 @@
     if (!get_secret(cstate->unit, (explicit_remote? remote_name: rhostname),
       cstate->chal_name, secret, &secret_len, 1))
  warn("No CHAP secret found for authenticating %q", rhostname);
+        for (i = 0; i < 8; i++)
+          secret[i] = (char) (drand48() * 0xff);
+        secret_len = 8;
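Review bot: as quoted, the three added lines sit outside the `if (!get_secret(...))` body, which has no braces and ends at the `warn(...)` call, so the random fill and `secret_len = 8;` would execute on every authentication and overwrite a secret that was found. The header says 19 lines in the new version and only three `+` lines are shown, so the full patch may add braces or a separate condition; if it does not, the fill must be wrapped in `{ ... }` together with the `warn`. Separately, substituting a random value for a missing secret keeps the authentication attempt alive against a secret nobody holds; failing the lookup outright is the simpler and more auditable outcome, and `drand48()` is not a cryptographic generator in any case. `i` also needs a declaration in scope that the hunk does not show.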

your extra code does nothing, because the chap code would not let a user log in
in any case if no password was returned.



>
> I think that the modification of the smbpasswd handling code is not where
> the change should have been.

I disagree. It does not work fine; it is the smbpasswd handling code that causes
the problem.


> It works just fine.  After reading
> Livingstone's code, it appears that he writes something static into the
> returned password, causing it to fail, but that could be guessed, and an
> attacker could use that against pppd.
>

Sorry, you are wrong. I do not write anything into the returned password if the
user is not found in /etc/smbpasswd; the original allows a blank string to be
returned as the password, and thus the problem.


>
> I think this error could show its head again.  The smbpasswd code only
> brought it up to the surface, but it was really there for a long time;
> as long as get_secret returns an empty password in any case, this can
> continue.  As a whole, this is a pppd problem, not a smbpasswd reading
> problem.
>

No in this case it is a problem with the smbpasswd.



>
> Justin Kreger, MCP MCSE
> Network Administrator
> Avid Solutions, Inc.
>
> -----Original Message-----
> From: Godfrey Livingstone [mailto:godfrey at hattaway-associates.com]
> Sent: Tuesday, March 06, 2001 6:29 PM
> To: Robert Dege; pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] Patch blank password/username
>
> Robert, the patch works for me; the fact that it does not work for you
> concerns me. I have just tried it using win9x and it works: I do not get the
> error messages if there is a match.
>
> Did you download it using netscape by chance as netscape mangles patches?
>
> Anyway, if you have time, can you try using wget or lynx to get the patch
> from
>
> http://www.hattaway.co.nz/raidpatches/blank_passwd_fix.diff
>
> I have also created what I think is a better patch if you would like to try
>
> http://www.hattaway.co.nz/raidpatches/blank_passwd_fix2.diff
>
> this tidies up the while loop considerably and should be faster.
>
> Godfrey
>
> Robert Dege wrote:
>
> > Not sure if anybody tried this or not, but Livingstone's extra patch
> > doesn't work correctly.  I couldn't logon using DUN whether I was
> > supplying a user/passwd or not.  PPP was acting as if my USER field was
> > always NULL.  I kept getting an error message in the logs ("no secret in
> > samba secret file /etc/smbpasswd").  Once I replaced auth.c with the
> > original & recompiled, everything worked great.
> >
> > I tried using Justin's patch with my Win98 Laptop, and everything worked
> > as expected.
> >
> > user/pass    --> access
> > blank/pass   --> deny
> > blank/blank  --> deny
> > user/blank   --> deny
> >
> > Great job!
> >
> > -Rob
> >
> > Godfrey Livingstone wrote:
> >
> > > Justin, your patch does work, but the attached patch is tidier: as soon as
> > > a match is found in smbpasswd then the while loop exits; this also saves
> > > time if smbpasswd is large.
> > >
> > > I then check to see if smb == NULL; if so then there is no match in the
> > > smbpasswd file, so skip to the next line of chap-secrets. No need to make
> > > up a secret which may potentially match (I know the chance of that is
> > > very very small).
> > >
> > > Godfrey
> > >
> > > Justin Kreger wrote:
> > >
> > >> In short, different means of authentication.  It may use the password
> > >> file, but it does not interact with samba's daemon processes.
> > >>
> > >> As for fixing this problem, I have written a patch.
> > >>
> > >> It fixes the two problems, the blank login/password  problem, and the
> > >> unknown user/blankpassword problem.
> > >>
> > >> Please TEST this ASAP with win9x. Both my win9x boxen think that they
> > >> should be only talking in CHAP, not MSCHAP, and I can't seem to find
> > >> msdun128.exe to fix it.
> > >>
> > >> (This patch was tested on linux 2.2.16, with ppp-2.3.11, and tested
> > >> with Windows NT Server 4, Service Pack 6)
> > >>
> > >> -Justin Kreger, MCP MCSE
> > >>
> > >> -----Original Message-----
> > >> From: robert
> > >> To: Cowles, Steve; pptp-server at lists.schulte.org
> > >> Sent: 3/2/01 9:24 PM
> > >> Subject: Re: [pptp-server] Yes, blank username/password works!
> > >>
> > >> I'm wondering if anyone has considered that if you have a good guest
> > >> account for samba, then samba will use that if a bad username/password
> > >> is sent.
> > >>
> > >> Blank would definitely count as bad.  I use blank password to list
> > >> shares, i.e. smbclient -L somemachine and just hit enter when asked for
> > >> a password. Logs show guest account is used and I do get the listing.
> > >> Could someone having this problem try disabling the guest account and
> > >> seeing if the problem goes away?
> > >>
> > >> On Friday 02 March 2001 11:19, Cowles, Steve wrote:
> > >>
> > >>>> -----Original Message-----
> > >>>> From: Dread Boy [mailto:dreadboy at hotmail.com]
> > >>>> Sent: Friday, March 02, 2001 1:37 AM
> > >>>> To: pptp-server at lists.schulte.org; vgill at technologist.com
> > >>>> Subject: RE: [pptp-server] Yes, blank username/password works!
> > >>>>
> > >>>>
> > >>>> Yeah, and on top of all this it doesn't seem to matter what I
> > >>>> log in as, my username and password don't get carried over to
> > >>>> SAMBA for authenticating with server shares.
> > >>>
> > >>> Let's make sure we are comparing apples to apples here. The
> > >>> username/password that you specify in your windows PPTP dialup profile
> > >>> has NEVER been carried over for share access. Please keep the following
> > >>> in mind...
> > >>>
> > >>> 1) The PPTP tunnel uses the user/pass specified in your PPTP dialup
> > >>> profile to authenticate the tunnel connection ONLY.
> > >>>
> > >>> 2) Share access uses the user/pass that you specified when you turned
> > >>> on your PC and logged in to get to your desktop. FWIW: This same
> > >>> user/pass can be specified in your PPTP dialup profile to be used to
> > >>> authenticate the PPTP tunnel.
> > >>>
> > >>>> i.e.  Whether I use a valid username/password or the blank, I
> > >>>> still can not access resources (or possibly ACLs) on the
> > >>>> servers even with valid usernames.  On my local LAN it's no
> > >>>> problem, but remotely, it doesn't seem to know who I am while
> > >>>> I'm logged on.
> > >>>>
> > >>>> For example, when I click a share locally on my SAMBA server,
> > >>>> I can get into it and have certain rights based on my username/
> > >>>> password.  I don't even have to think about it. "security =
> > >>>> user" in /etc/smb.conf. However, when I log in remotely with
> > >>>> Windoze using my PPTPD Linux server, when I even try to access
> > >>>> the server itself (let alone the share) it keeps asking me for
> > >>>> the IPC$ administration password as if it was an NT server.
> > >>>> It doesn't matter what I enter here, I can't get any farther.
> > >>>
> > >>> From the samba docs...
> > >>>
> > >>> Some people find browsing fails because they don't have the global
> > >>> "guest account" set to a valid account.  Remember that the IPC$
> > >>> connection that lists the shares is done as guest, and thus you must
> > >>> have a valid guest account.
> > >>> ----------------------------
> > >>>
> > >>> Also, is the PPTP client's WORKGROUP participation set to match what
> > >>> the clients on the LAN are configured to?
> > >>>
> > >>>> Does PPTPD know my SMB username but not my password, or vice
> > >>>> versa?  I thought maybe because it was encrypted using
> > >>>> libsmbpw.so that maybe it couldn't figure it out, but then
> > >>>> using chap-secrets plain-text passwords don't cut it either.
> > >>>>
> > >>>> Anyone know what this is all about?
> > >>>>
> > >>>> Geez, I thought this whole PPTPD Linux server was gonna be at
> > >>>> least a weekend of work, but it's turning out to be months
> > >>>> worth of work.
> > >>>
> > >>> With regards to the "subject" line of this thread... let's make sure we
> > >>> are comparing apples to apples here. I'd hate to see PopTop/PPPD get the
> > >>> reputation of being insecure without the following clarification being
> > >>> noted.
> > >>>
> > >>> 1) If you have configured your PopTop/PPPD system to re-direct PPTP
> > >>> tunnel authentication to use the libsmbpw.o lib's (smbpasswd), then your
> > >>> system appears to be vulnerable to the blank user/pass exploit mentioned
> > >>> in this thread.
> > >>>
> > >>> 2) Those of you who are still using the chap-secrets file (no re-direct)
> > >>> for tunnel authentication are NOT vulnerable to the blank user/pass
> > >>> exploit mentioned in this thread. I just verified this on my PopTop
> > >>> server! I do not use the re-direct to libsmbpw.o
> > >>>
> > >>> Steve Cowles
> > >>> _______________________________________________
> > >>> pptp-server maillist  -  pptp-server at lists.schulte.org
> > >>> http://lists.schulte.org/mailman/listinfo/pptp-server
> > >>> List services provided by www.schulteconsulting.com!
> > >>
> > >>
> > >>
> > >> [Attachment: smbpasswdauthfix.patch (application/octet-stream)]
> > >>
> > >> --- ppp-2.3.11/pppd/auth.c.org       Mon Mar  5 12:19:41 2001
> > >> +++ ppp-2.3.11/pppd/auth.c   Mon Mar  5 12:31:54 2001
> > >> @@ -1871,10 +1871,15 @@
> > >>              ) {
> > >>              memcpy(word, smbname, NTPASS);
> > >>              word[NTPASS]='\000';
> > >> +            break;
> > >>          }
> > >>
> > >>        }
> > >>        endsmbpwent();
> > >> +      if (smb == NULL) {
> > >> +      warn("no secret in samba secret file %s", atfile);
> > >> +      continue;
> > >> +      }
> > >>      }
> > >>  #endif
> > >>      if (secret != NULL)
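Review bot: the `if (smb == NULL)` test after `endsmbpwent()` relies on the loop leaving `smb` NULL when the file is exhausted, and the loop header is outside the hunk's context, so that cannot be checked here; an explicit `found` flag set beside the new `break` would make the no-match path independent of how the iterator terminates. The `warn(...)` and `continue;` lines inside the new block are indented at the same level as their `if`, unlike the surrounding code; indent them one level. The `continue` moves on to the next chap-secrets line, so a user absent from the samba file no longer yields an empty secret, which is the point of the fix; Robert's report upthread of the warning firing even for a valid user should be re-checked against a clean copy of the patch before this goes in.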
> > >> [Attachment: blank_passwd_fix.diff (text/plain)]
> > >>
> >
>
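The control-flow difference the thread is arguing over, as an added, constructed illustration that is not pppd's auth.c and not any participant's code: a lookup that returns success with an empty secret when the user is missing, beside one that reports the miss, and an authentication step that refuses a blank username or an empty secret before any comparison is made. The function names (`lookup_secret_broken`, `lookup_secret_fixed`, `authenticate`, `authenticate_unguarded`) and the sample table are assumptions; real pppd CHAP compares a hash computed over a challenge, so the plain string compare here is a stand-in for the decision, not for the cryptography.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of the lookup/authentication path discussed
 * in the thread. Added illustration, not pppd's auth.c. */

#define MAX_SECRET 64

struct smb_entry {
    const char *name;
    const char *secret;   /* stands in for the NT hash field of smbpasswd */
};

/* Constructed sample table playing the role of /etc/smbpasswd. */
static const struct smb_entry sample_table[] = {
    { "alice", "s3cret" },
    { "bob",   "hunter2" },
};
static const size_t sample_count = sizeof sample_table / sizeof sample_table[0];

/* Original behaviour as described in the thread: the loop runs out without a
 * match and the caller is handed back an empty secret with success status. */
int lookup_secret_broken(const char *user, char *secret, size_t size)
{
    size_t i;
    secret[0] = '\0';
    for (i = 0; i < sample_count; i++) {
        if (strcmp(sample_table[i].name, user) == 0) {
            snprintf(secret, size, "%s", sample_table[i].secret);
            return 1;
        }
    }
    return 1;                 /* "found", but secret is "" -> the bug */
}

/* Fixed lookup in the spirit of the blank_passwd_fix.diff hunk: leave the
 * loop on the first match, and report "no secret" when nothing matched. */
int lookup_secret_fixed(const char *user, char *secret, size_t size)
{
    size_t i;
    const struct smb_entry *match = NULL;
    for (i = 0; i < sample_count; i++) {
        if (strcmp(sample_table[i].name, user) == 0) {
            match = &sample_table[i];
            break;            /* equivalent of the added 'break' */
        }
    }
    if (match == NULL) {
        secret[0] = '\0';
        return 0;             /* equivalent of the 'no secret' + continue path */
    }
    snprintf(secret, size, "%s", match->secret);
    return 1;
}

typedef int (*lookup_fn)(const char *, char *, size_t);

/* Authentication decision: 1 = accept, 0 = deny. The guards before the
 * comparison are what Justin's message argues for: a blank username or an
 * empty/missing secret is never acceptable, whichever lookup is in use. */
int authenticate(lookup_fn lookup, const char *user, const char *password)
{
    char secret[MAX_SECRET];

    if (user == NULL || user[0] == '\0')
        return 0;                             /* blank username: deny */
    if (!lookup(user, secret, sizeof secret))
        return 0;                             /* unknown user: deny */
    if (secret[0] == '\0' || password == NULL || password[0] == '\0')
        return 0;                             /* empty secret or password: deny */
    return strcmp(secret, password) == 0;
}

/* The same decision without the guards, to show why the broken lookup
 * matters: an empty secret compared with an empty password "matches". */
int authenticate_unguarded(lookup_fn lookup, const char *user, const char *password)
{
    char secret[MAX_SECRET];
    if (user == NULL || password == NULL || !lookup(user, secret, sizeof secret))
        return 0;
    return strcmp(secret, password) == 0;
}

/* Prints Robert's four-case matrix for both variants. */
int main(void)
{
    static const char *const users[]     = { "alice",  "",       "",  "alice" };
    static const char *const passwords[] = { "s3cret", "s3cret", "",  ""      };
    size_t i;
    for (i = 0; i < 4; i++)
        printf("%-6s/%-6s --> broken lookup, unguarded: %-6s | fixed lookup + guards: %s\n",
               users[i][0] ? users[i] : "blank",
               passwords[i][0] ? passwords[i] : "blank",
               authenticate_unguarded(lookup_secret_broken, users[i], passwords[i]) ? "access" : "deny",
               authenticate(lookup_secret_fixed, users[i], passwords[i]) ? "access" : "deny");
    return 0;
}
```

Running it prints the blank/blank row as "access" for the unguarded path over the broken lookup and "deny" for every non-matching row under the fixed lookup with guards, which is the behaviour Robert reported for the patched build. The guards in `authenticate` are deliberately independent of which lookup is compiled in, so a regression in the smbpasswd reader cannot reopen the blank-credential path on its own.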



