Microsoft PPTP Server and Client remote vulnerability

From: sh@phion.com
To: bugtraq@securityfocus.com
Date: Thu, 26 Sep 2002 12:43:46 +0300

phion Security Advisory 26/09/2002

Microsoft PPTP Server and Client remote vulnerability

Summary
-----------------------------

   The Microsoft PPTP Service shipping with Windows 2000 and XP contains a
   remotely exploitable pre-authentication buffer overflow.

Affected Systems
-----------------------------

   Microsoft Windows 2000 and XP running either a PPTP Server or Client.

Impact
-----------------------------

   With a specially crafted PPTP packet it is possible to overwrite kernel
   memory.

   A DoS resulting in a lockup of the machine has been verified on
   Windows 2000 SP3 and Windows XP.

   A remote compromise should be possible by deploying proper shellcode,
   as we were able to fill EDI and EDX with our data.

   Clients are vulnerable too, because the Service always listens on port
   1723 on any interface of the machine. This might be of special concern
   to DSL users who use PPTP to connect to their modem.

Solution
-----------------------------

   As a temporary solution for the Client issue, one might firewall the PPTP
   port in the Internet Connection Firewall for Windows XP.

   We don't know of any solution for Windows 2000 and Windows XP PPTP servers.

   The vendor has been informed.

Acknowledgements
-----------------------------

   The bug has been discovered by Stephan Hoffmann and Thomas Unterleitner
   on behalf of phion Information Technologies.

Contact Information
-----------------------------

   phion Information Technologies can be reached via:
      office@phion.com / http://www.phion.com

   Stephan Hoffmann can be reached via:
      sh@phion.com

   Thomas Unterleitner can be reached via:
      t.unterleitner@phion.com

References
-----------------------------

   [1] phion Information Technologies
       http://www.phion.com/

Exploit
-----------------------------

   phion Information Technologies will not provide an exploit for this issue.

Disclaimer
-----------------------------

   This advisory does not claim to be complete or to be usable for any
   purpose.

   This advisory is free for open distribution in unmodified form.

   Articles or publications that are based on information from this advisory
   have to include link [1].
