ALERT!!!!!!!! POTENTIAL SECURITY FLAW!!!!! POPTOP VPN SOFTWARE
vgill at technologist.com
Fri Mar 2 06:36:02 GMT 2001
Attention!!!! If you use poptop vpn server AND you use the patch for
ppp which allows you to use smbpasswd for chap-secrets logins, then
this is for you.
The following security issue has come up!
If you use the smbpasswd patch for ppp, and you ONLY specify
* * &/home/samba/smbpasswd *
in your chap-secrets file, YOU ARE WIDE OPEN!!!
I am running 2.2.16, ppp-2.4.0, and using that very patch, as well as
mppe, require-mppe, and mschapstripdomain, and in testing I found
that if you have just that entry, ANYONE CAN LOGIN USING A BLANK
USERNAME AND PASSWORD. If they specify a username that does not
exist, IT STILL WORKS!!!! Also, if you for some reason have a user
listed in chap-secrets that is NOT in smbpasswd, THEY CAN STILL LOG
The ONLY "secure" method I have found so far is by explicitly listing
ONLY the users you want to have vpn access in chap-secrets, and for
each user using the &/home/samba/smbpasswd or wherever your file is.
This was discovered by another member on the poptop user list, I am
just forwarding that info here in case anyone uses this method of
authentication, as I am. Luckily they found it. Who knows what
systems have already been "penetrated".
I did NOT do any testing of access rights with any "false" logins, so
there may not be as big a security issue, but ANY login without a
valid user is a BIG problem in my book.
Again, only specify VALID users with the smbpasswd patch!!!
Share and enjoy...
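An added example, not part of the original post or of the ppp/poptop code: a small audit for the two conditions the message reports, a wildcard client entry whose secret is an `&` smbpasswd reference, and a named chap-secrets user that is absent from smbpasswd. The function names are hypothetical, the sample file contents are constructed, and it assumes every `&` entry points at the same smbpasswd file.

```python
import shlex

def parse_chap_secrets(text):
    """Yield (lineno, client, server, secret) for each chap-secrets entry."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = shlex.split(line, comments=True)  # handles quoting and '#' comments
        if len(fields) >= 3:
            yield lineno, fields[0], fields[1], fields[2]

def smbpasswd_users(text):
    """Return the usernames (first colon-separated field) of an smbpasswd file."""
    return {ln.split(":", 1)[0] for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")}

def audit(chap_text, smb_text):
    """Flag entries matching the conditions described in the post.

    Only entries whose secret starts with '&' (the smbpasswd patch syntax
    shown in the post) are examined.
    """
    users = smbpasswd_users(smb_text)
    findings = []
    for lineno, client, _server, secret in parse_chap_secrets(chap_text):
        if not secret.startswith("&"):
            continue
        if client == "*":
            findings.append((lineno, "wildcard-client"))
        elif client not in users:
            findings.append((lineno, "user-not-in-smbpasswd"))
    return findings

# Constructed sample data (placeholder hashes, not real accounts).
SAMPLE_CHAP = (
    "# client server secret addresses\n"
    "* * &/home/samba/smbpasswd *\n"
    "alice * &/home/samba/smbpasswd *\n"
    "bob * &/home/samba/smbpasswd *\n"
    'carol * "static secret" *\n'
)
SAMPLE_SMB = "alice:1000:" + "X" * 32 + ":" + "X" * 32 + ":[U          ]:LCT-00000000:\n"

if __name__ == "__main__":
    for lineno, issue in audit(SAMPLE_CHAP, SAMPLE_SMB):
        print(f"chap-secrets line {lineno}: {issue}")
```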