[pptp-server] SMBpasswd security breach patch

James MacLean macleajb at EDnet.NS.CA
Wed Mar 7 19:22:51 CST 2001


Hi Ian et al,

It is I who passed in the original offending pppsmb.pat patch that allowed
this security breach to occur :(. It has been some time since I made that
patch and did not recently even have an environment set up to test what
folks were seeing :(, but I managed to finally get a little testing done
from NT and Win98.

On Thu, 8 Mar 2001, Ian Harris wrote:

> Problem : Blank password allows people to access pptp connection
> See auth.c, line 1859 and following.

After applying the patch ;-). Thanks to Vern for getting the original
patch updated for the ppp-2.4.0 code.

> Note the by default 'word' is memcpy'd a blank string (actually \0 plus
> whatever ever else is hanging around after the \0 due to the '2', but that's
> beside the point).

/JES hides head. At that time I was testing " \000" and then settled on
"\000", but did not correct the copy. Ug :(.

>  And so, if the username is not discovered in the
> smbpasswd file, the password is compared with the blank 'word', which of
> course, results in access being granted.

I see this as happening because my code was allowing further testing to
occur further down in the code, when in fact the testing should have
stopped for that input line in chap-secrets when this part failed. You can
see in the section above for getting password from an @/<path>/<file> how
it had been done correctly before (using continue;).

> Quick fix is to whack something else in word that isn't likely to match, see
> below.
> Someone with more time could write this a little better, but this fixes the
> hole

That is one way ;-), but if someone knew the special word copied in, it
might open another hole. Another would be as Godfrey Livingstone
<godfrey at hattaway-associates.com> has offered. The gist of that patch is
to not go through any further tests, and just go back to the top of the
loop (continue;) once no match is found and looking through the smbpasswd
file is exhausted.

As a fix for the original patch submitted I favor Godfrey's patch because
it fixes the hole that I made ;-/. Hope I am not sounding too picky :).

Justin also has some patches which have an effect, but Godfrey's hit the
nail on the head by fixing _my_ code :).

> regards
> Ian.

Great to see the OpenSource folks so quick to provide solutions to
problems that occur.

Sorry for the trouble my hack caused; hope it is still useful,
JES
--
James B. MacLean        macleajb at ednet.ns.ca
Department of Education http://www.ednet.ns.ca/~macleajb
Nova Scotia, Canada
B3M 4B2
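Added illustration (not code from the pptp-server project or from anyone in this thread): a cut-down C model of the chap-secrets loop described above, showing the fail-open bug side by side with the "continue on lookup miss" fix. The smbpasswd table, the chap-secrets lines and the "@smbpasswd" marker that triggers the lookup are all constructed here for the example; pppd's real auth.c is structured differently and uses its own file parsing. What the example shows is the security-relevant point: when the username is not in smbpasswd, `word` is still the blank default, so an empty password compares equal and access is granted unless the loop gives up on that entry.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an smbpasswd-style user table (not real data). */
struct smb_entry { const char *user; const char *secret; };
static const struct smb_entry smb_table[] = {
    { "alice", "correct-horse" },
    { "bob",   "battery-staple" },
};

/* Constructed stand-in for chap-secrets lines: client, secret.
 * "@smbpasswd" is a hypothetical marker meaning "look the user up in smbpasswd". */
struct secret_line { const char *client; const char *secret; };
static const struct secret_line secrets[] = {
    { "*", "@smbpasswd" },
};

/* Look the user up; on a hit copy the secret into word and return 1.
 * On a miss return 0 and leave word exactly as it was (this is the trap). */
static int smb_lookup(const char *user, char *word, size_t wordlen) {
    for (size_t i = 0; i < sizeof smb_table / sizeof smb_table[0]; i++) {
        if (strcmp(smb_table[i].user, user) == 0) {
            strncpy(word, smb_table[i].secret, wordlen - 1);
            word[wordlen - 1] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Walk the secrets lines the way the patched loop does.
 * stop_on_miss == 0 reproduces the original patch: a lookup miss falls
 * through to the comparison with word still blank.
 * stop_on_miss == 1 is the fix: a lookup miss ends work on this line
 * (continue;) and the blank word is never compared against the password. */
static int check_secrets(const char *user, const char *password, int stop_on_miss) {
    char word[64];
    for (size_t i = 0; i < sizeof secrets / sizeof secrets[0]; i++) {
        const struct secret_line *e = &secrets[i];
        if (strcmp(e->client, "*") != 0 && strcmp(e->client, user) != 0)
            continue;                       /* line is not for this client */

        /* Blank default: "\000" is two NUL bytes, so word becomes "". */
        memcpy(word, "\000", 2);

        if (strcmp(e->secret, "@smbpasswd") == 0) {
            if (!smb_lookup(user, word, sizeof word)) {
                if (stop_on_miss)
                    continue;               /* fixed: no match, try next line */
                /* vulnerable: fall through with word == "" */
            }
        } else {
            strncpy(word, e->secret, sizeof word - 1);
            word[sizeof word - 1] = '\0';
        }

        if (strcmp(word, password) == 0)
            return 1;                       /* access granted */
    }
    return 0;                               /* access denied */
}

int auth_vulnerable(const char *user, const char *password) {
    return check_secrets(user, password, 0);
}

int auth_fixed(const char *user, const char *password) {
    return check_secrets(user, password, 1);
}

int main(void) {
    printf("alice/correct-horse vulnerable=%d fixed=%d\n",
           auth_vulnerable("alice", "correct-horse"), auth_fixed("alice", "correct-horse"));
    printf("mallory/<blank>     vulnerable=%d fixed=%d\n",
           auth_vulnerable("mallory", ""), auth_fixed("mallory", ""));
    return 0;
}
```

Run it and the unknown user "mallory" with an empty password is accepted by the vulnerable path and rejected by the fixed one, while a known user with the right password still works in both. Ian's "put something unlikely to match in word" approach would also close this particular case, but it still relies on the comparison never being reached with a guessable sentinel; ending the loop iteration on a miss removes the comparison altogether, which is why it is the better fix.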
