Possible DOS in WinNT RAS (PPTP) Simon Helson (simon@CONCEPTS.CO.NZ) Tue, 27 Apr 1999 09:29:06 -0700 Please excuse if this has been posted before, I did a quick search of the archives and found nothing This hasn't been sent to MS, as I don't know an email address to send it to, Aleph, if you find it worthy of sending, please forward a copy to the MS people for their attention. Cheers. I was playing around with PPTP last night, and discovered that, with "very" minimal effort, I could cause my friends NT Server (version 4, service pack 4) to reboot instantly, without shutting down. All I did was telnet to the port (1723) on the NT box, and then send the following data. hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh hhhhhhhhhhhhhhhhhhhhhhhhhhhh (that's 256 'h's for those who don't want to count :-) and hit return. nothing. BUT, then I hit ^D and all hell broke loose. The NT server dropped like a stone, full hardware reboot. I tested this multiple times and always got the same response. The NT Server was version 4, with Service pack 4 applied. Cheers Simon ------------------------------------------------------------------------------ Date: Tue, 27 Apr 1999 20:55:50 -0700 From: Simon Helson <simon@CONCEPTS.CO.NZ> To: BUGTRAQ@netspace.org Subject: RE Possible DOS in WinNT RAS (PPTP) Hello again. please excuse the lack of detail in my first posting. I was trying to recollect the events of the past evening. Unfortunately I don't have unlimited access to a NT server to play with. However, I have tried this again (on the same server) this time over the internet as opposed to a LAN. (trying to remove the NIC from the equation.) Firstly, the NT setup: NT Server Version 4, with Service Pack 4.0 applied. (outside US version - only 40 bit) PPTP added as a network device Number of VPNs available - 2 then RAS service started. The attack box setup: RedHat Linux 5.2 running kernel 2.2.1 modem connection to the net The procedure I followed: [root@blobby /root]# telnet <removed for privacy> 1723 Trying <removed for privacy>... Connected to <removed for privacy>. Escape character is '^]' hhhhhhhhhhhhhhh<type 256 times> ^d (not shown in output) ^] telnet> close Connection closed. The instant I hit ^d his server rebooted. AFAIK there is nothing special in the setup of the NT server. I hope this clears up the picture. Cheers Simon ------------------------------------------------------------------------------ Date: Tue, 27 Apr 1999 10:55:52 -0700 From: Aleph One <aleph1@UNDERGROUND.ORG> To: BUGTRAQ@netspace.org Subject: Re: Possible DOS in WinNT RAS (PPTP) Summary of this thread. Didn't work: NT 4.0 SP4, RRAS - Chris Alliey <calliey@erols.com> NT 4.0 Server SP3, 128-bit, no RAS - Russ <Russ.Cooper@rc.on.ca> NT 4.0 Server SP3, PPTP3-fix, no RAS 128-bit - Russ <Russ.Cooper@rc.on.ca> NT 4.0 Server SP4, 128-bit, no RAS - Russ <Russ.Cooper@rc.on.ca> NT 4.0 Server SP4 - Lewman, Andrew <ALewman@Lifespan.org> NT 4.0 Server Enterprise, SP4 - Lewman, Andrew <ALewman@Lifespan.org> Yes: NT 4.0 SP4, Option Pack - Huang Min <hmin@dns.cqpn.gov.cn> NT 4.0 Server, SP4, 40-bit, RAS - Simon Helson <simon@concepts.co.nz> Hardware or device driver error, or maybe an issue with RAS but not RRAS? -- Aleph One / aleph1@underground.org http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01 ------------------------------------------------------------------------------ Date: Wed, 28 Apr 1999 12:46:02 -0700 From: Aleph One <aleph1@UNDERGROUND.ORG> To: BUGTRAQ@netspace.org Subject: Re: Possible DOS in WinNT RAS (PPTP) Some more feedback from folks. It seems that there is indeed an issue here but reproducing it is difficult. Please if you are going to send a report on this issue please make sure you include Service Pack level, whether you are using RAS or RRAS, whether you are using 40-bit or 128-bit, whether the machine froze, BSOD, or rebooted, and what network card you are using. WORKED: Paul M. Hirsch <pauldoom@webcreate.net>: * NT 4.0, SP3, RAS, PPTP * Proliant PPro 200 * Netelligent 10/100 ethernet * Compaq Fibre array Martin Rex <martin.rex@sap-ag.de>: * NT 4.0, SP3, 40-bit, PPTP, RAS * BSOD: STOP 0x0000000A in RASPPTPE.sys Ronny Cook <ronny@tmx.com.au>: * NT 4.0, SP4, RAS, PPTP * RAS & PPTP installed after SP4 * The problem disappeared when SP4 was reinstalled as per Microsoft's instructions. Emmanuel Tychon <etychon@cisco.com>: * NT 4.0, SP3 * Machine freezes (dead mouse) Greg <gmo@sirius.com>: * NT 4.0 Didn't work: "Chad D. Lingmann" <chadl@PROVO.NETSchools.net>: * RRAS >From Andrew Lewman <ALewman@Lifespan.org>: RedHat 5.2 with all patches against: NT Server 1 has RRAS, SP4, NT Enterprise, Option Pack 4, PPTP w/96 VPNs (23 active at the time), Compaq Netelligent 10/100 running at 100 Mbits Full Duplex, with drivers from latest SSD NT Server 2 has RAS, SP4, NT Enterprise, PPTP w/ 96 VPNs (45 active at the time), 3Com 3C905b 10/100 running at 100 Mbits full duplex with latest standard NT4 SP4 driver installed. NT Server 3 has RRAS, SP4, NT Server, Option Pack 4, PPTP w/20 VPNs (none active), Compaq Netflex-3 10/100 running at 100 Mbits full duplex with drivers from latest SSD. I tried 256 through 2,560 "h"'s in intervals of 100 h's, Ctrl-D for each interval of h's. Nothing. Very temporary spike in process usage for the processes associated with RAS, went away instantly. Errata: Russ actually said he was using RAS, not RRAS. Mea culpa. -- Aleph One / aleph1@underground.org http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01