PPTP Vulnerable to Attack

Reported July 13, 1998 by Aleph One on BugTraq


  • Microsoft Windows PPTP clients and servers


From: Aleph One <[email protected]>
Subject: PPTP Password Theft Vulnerability
X-To: [email protected]
X-cc: [email protected], [email protected]
To: [email protected]

In case you didn't catch it, I wrote a little article for Phrack summarizing the different PPTP vulnerabilities. All of it has already been discussed except for one item. I mentioned this vulnerability on NTBugTraq a couple of months ago but no one paid much attention.

To make it short, an attacker that can masquerade as a PPTP server (via DNS cache poisoning, etc.) can obtain the connecting user's password hashes if the user is naive enough to change his password when the server tells him his password has expired.

The problem affects both the Windows NT PPTP client with the latest updates and the latest Windows 95 Dial-Up Networking. Attached you will find a small program that demonstrates the problem. It fixes some minor bugs in the Phrack article (don't you love -Wall -pedantic).

Aleph One / [email protected]
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01


Download deceit.c by Aleph One, or view the source online.


A document about PPTP is located here.


To learn more about new NT security concerns, subscribe to NTSD.

Reported by: Aleph One on BugTraq
Posted here at NTSecurity.Net July 14, 1998
