Microsoft PPTP Server and Client remote vulnerability

From: shat_private
Date: Thu Sep 26 2002 - 02:43:46 PDT

Next message: David Endler: "iDEFENSE Security Advisory 09.26.2002: Exploitable Buffer Overflow in gv"

Previous message: redhat-announce-list-adminat_private: "[Full-Disclosure] [RHSA-2002:060-17] Updated Zope packages are available"
Next in thread: Dave Aitel: "[Full-Disclosure] Re: Microsoft PPTP Server and Client remote vulnerability"
Reply: Dave Aitel: "[Full-Disclosure] Re: Microsoft PPTP Server and Client remote vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

phion Security Advisory 26/09/2002

Microsoft PPTP Server and Client remote vulnerability


Summary
-----------------------------

   The Microsoft PPTP Service shipping with Windows 2000 and XP contains a
   remotely exploitable pre-authentication bufferoverflow.


Affected Systems
-----------------------------

   Microsoft Windows 2000 and XP running either a PPTP Server or Client.


Impact
-----------------------------

   With a specially crafted PPTP packet it is possible to overwrite kernel
   memory.

   A DoS resulting in a lockup of the machine has been verified on
   Windows 2000 SP3 and Windows XP.

   A remote compromise should be possible deploying proper shellcode,
   as we were able to fill EDI and EDX with our data.

   Clients are vulnerable too, because the Service always listens on port
   1723 on any interface of the machine, this might be of special concern
   to DSL users which use PPTP to connect to their modem.


Solution
-----------------------------

   As a temporary solution for the Client issue, one might firewall the PPTP
   port in the Internet Connection Firewall for Windows XP.

   We dont know of any solution for Windows 2000 and Windows XP PPTP servers.

   The vendor has been informed.


Acknowledgements
-----------------------------

   The bug has been discovered by Stephan Hoffmann and Thomas Unterleitner
   on behalf of phion Information Technologies.


Contact Information
-----------------------------

   phion Information Technologies can be reached via:
      officeat_private / http://www.phion.com

   Stephan Hoffmann can be reached via:
      shat_private

   Thomas Unterleitner can be reached via:
      t.unterleitnerat_private

References
-----------------------------

   [1] phion Information Technologies
       http://www.phion.com/

Exploit
-----------------------------

   phion Information Technologies will not provide an exploit for this issue.


Disclaimer
-----------------------------

   This advisory does not claim to be complete or to be usable for any
   purpose.

   This advisory is free for open distribution in unmodified form.

   Articles or Publications that are based on information from this advisory
   have to include link [1].

Next message: David Endler: "iDEFENSE Security Advisory 09.26.2002: Exploitable Buffer Overflow in gv"
Previous message: redhat-announce-list-adminat_private: "[Full-Disclosure] [RHSA-2002:060-17] Updated Zope packages are available"
Next in thread: Dave Aitel: "[Full-Disclosure] Re: Microsoft PPTP Server and Client remote vulnerability"
Reply: Dave Aitel: "[Full-Disclosure] Re: Microsoft PPTP Server and Client remote vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Sep 26 2002 - 08:17:27 PDT