Possible DOS in WinNT RAS (PPTP)

Simon Helson (simon@CONCEPTS.CO.NZ)
Tue, 27 Apr 1999 09:29:06 -0700 

Please excuse if this has been posted before; I did a quick search of the
archives and found nothing.
This hasn't been sent to MS, as I don't know an email address to send it
to, Aleph, if you find it worthy of sending, please forward a copy to the
MS people for their attention. Cheers.

I was playing around with PPTP last night, and discovered that, with "very"
minimal effort, I could cause my friend's NT Server (version 4, service pack
4) to reboot instantly, without shutting down. All I did was telnet to the
port (1723) on the NT box, and then send the following data.

hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
hhhhhhhhhhhhhhhhhhhhhhhhhhhh (that's 256 'h's for those who don't want to
count :-)

and hit return. Nothing. BUT, then I hit ^D and all hell broke loose. The
NT server dropped like a stone, full hardware reboot.

I tested this multiple times and always got the same response.

The NT Server was version 4, with Service pack 4 applied.

Cheers

Simon

------------------------------------------------------------------------------

Date: Tue, 27 Apr 1999 20:55:50 -0700
From: Simon Helson <simon@CONCEPTS.CO.NZ>
To: BUGTRAQ@netspace.org
Subject: RE Possible DOS in WinNT RAS (PPTP)

Hello again.

Please excuse the lack of detail in my first posting. I was trying to
recollect the events of the past evening.

Unfortunately I don't have unlimited access to an NT server to play with.
However, I have tried this again (on the same server) this time over the
internet as opposed to a LAN. (trying to remove the NIC from the equation.)

Firstly, the NT setup:
NT Server Version 4, with Service Pack 4.0 applied.
(outside US version - only 40 bit)
PPTP added as a network device
Number of VPNs available - 2
then RAS service started.

The attack box setup:
RedHat Linux 5.2 running kernel 2.2.1
modem connection to the net

The procedure I followed:

[root@blobby /root]# telnet <removed for privacy> 1723
Trying <removed for privacy>...
Connected to <removed for privacy>.
Escape character is '^]'
hhhhhhhhhhhhhhh<type 256 times>
^d (not shown in output)
^]
telnet> close
Connection closed.

The instant I hit ^d his server rebooted. AFAIK there is nothing special in
the setup of the NT server.

I hope this clears up the picture.

Cheers

Simon
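An added example, not code from the thread: the header check a PPTP listener or a network monitor can apply to the first bytes arriving on TCP/1723, so that a stream like the 256 'h's above is rejected before any control-message parsing happens, and an early close (^D) is reported as an incomplete header rather than handed to the parser. The field layout is taken from RFC 2637, which the posts do not describe; the source addresses and the valid request are constructed sample data.

```python
import struct

# PPTP control-connection header from RFC 2637 (protocol knowledge, not stated
# in the posts): Length, Message Type, Magic Cookie, Control Message Type,
# Reserved0 -- 12 bytes, network byte order.
HEADER_FMT = "!HHIHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)      # 12
PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_MSG_TYPE_CONTROL = 1
PPTP_CTRL_SCCRQ = 1                           # Start-Control-Connection-Request
PPTP_SCCRQ_LENGTH = 156


def classify_pptp_head(data: bytes) -> str:
    """Classify the opening bytes seen on a TCP/1723 connection.

    'ok'             -> well-formed SCCRQ header
    'incomplete'     -> peer closed (EOF) before a full header arrived
    'malformed: ...' -> anything else; drop the connection, do not parse on
    """
    if len(data) < HEADER_LEN:
        return "incomplete"
    length, msg_type, cookie, ctrl_type, _ = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if cookie != PPTP_MAGIC_COOKIE:
        return "malformed: bad magic cookie 0x%08x" % cookie
    if msg_type != PPTP_MSG_TYPE_CONTROL:
        return "malformed: message type %d is not a control message" % msg_type
    if ctrl_type != PPTP_CTRL_SCCRQ:
        return "malformed: first control message must be SCCRQ, got %d" % ctrl_type
    if length != PPTP_SCCRQ_LENGTH:
        return "malformed: SCCRQ length %d, expected %d" % (length, PPTP_SCCRQ_LENGTH)
    return "ok"


def flag_connections(records):
    """Return (source, verdict) for each (source, first_bytes) record that is
    not a clean SCCRQ; suitable for running over captured connection starts."""
    flagged = []
    for src, data in records:
        verdict = classify_pptp_head(data)
        if verdict != "ok":
            flagged.append((src, verdict))
    return flagged


def sample_sccrq() -> bytes:
    """Constructed, well-formed 156-byte SCCRQ (header + fixed body fields)."""
    head = struct.pack(HEADER_FMT, PPTP_SCCRQ_LENGTH, PPTP_MSG_TYPE_CONTROL,
                       PPTP_MAGIC_COOKIE, PPTP_CTRL_SCCRQ, 0)
    # Protocol Version 1.0, Reserved1, Framing Caps, Bearer Caps, Max Channels, Firmware Rev
    body = struct.pack("!HHIIHH", 0x0100, 0, 1, 1, 1, 0)
    return head + body + b"client".ljust(64, b"\0") + b"vendor".ljust(64, b"\0")


# Constructed sample connection starts: a real client, the 256 'h' payload from
# the post, and a peer that typed a few bytes and then closed with ^D.
SAMPLE_RECORDS = [("10.0.0.5", sample_sccrq()), ("10.0.0.9", b"h" * 256), ("10.0.0.7", b"h" * 5)]

if __name__ == "__main__":
    for src, verdict in flag_connections(SAMPLE_RECORDS):
        print(src, verdict)
```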

------------------------------------------------------------------------------

Date: Tue, 27 Apr 1999 10:55:52 -0700
From: Aleph One <aleph1@UNDERGROUND.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: Possible DOS in WinNT RAS (PPTP)

Summary of this thread.

Didn't work:

NT 4.0 SP4, RRAS - Chris Alliey <calliey@erols.com>
NT 4.0 Server SP3, 128-bit, no RAS - Russ <Russ.Cooper@rc.on.ca>
NT 4.0 Server SP3, PPTP3-fix, no RAS 128-bit - Russ <Russ.Cooper@rc.on.ca>
NT 4.0 Server SP4, 128-bit, no RAS - Russ <Russ.Cooper@rc.on.ca>
NT 4.0 Server SP4 - Lewman, Andrew <ALewman@Lifespan.org>
NT 4.0 Server Enterprise, SP4 - Lewman, Andrew <ALewman@Lifespan.org>

Yes:

NT 4.0 SP4, Option Pack - Huang Min <hmin@dns.cqpn.gov.cn>
NT 4.0 Server, SP4, 40-bit, RAS - Simon Helson <simon@concepts.co.nz>


Hardware or device driver error, or maybe an issue with RAS but not RRAS?

--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

------------------------------------------------------------------------------

Date: Wed, 28 Apr 1999 12:46:02 -0700
From: Aleph One <aleph1@UNDERGROUND.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: Possible DOS in WinNT RAS (PPTP)

Some more feedback from folks. It seems that there is indeed an issue
here but reproducing it is difficult.

Please if you are going to send a report on this issue please make sure
you include Service Pack level, whether you are using RAS or RRAS,
whether you are using 40-bit or 128-bit, whether the machine froze, BSOD,
or rebooted, and what network card you are using.

WORKED:

Paul M. Hirsch <pauldoom@webcreate.net>:

* NT 4.0, SP3, RAS, PPTP
* Proliant PPro 200
* Netelligent 10/100 ethernet
* Compaq Fibre array

Martin Rex <martin.rex@sap-ag.de>:

* NT 4.0, SP3, 40-bit, PPTP, RAS
* BSOD: STOP 0x0000000A in RASPPTPE.sys

Ronny Cook <ronny@tmx.com.au>:

* NT 4.0, SP4, RAS, PPTP
* RAS & PPTP installed after SP4
* The problem disappeared when SP4 was reinstalled as per
  Microsoft's instructions.

Emmanuel Tychon <etychon@cisco.com>:

* NT 4.0, SP3
* Machine freezes (dead mouse)

Greg <gmo@sirius.com>:

* NT 4.0


Didn't work:

"Chad D. Lingmann" <chadl@PROVO.NETSchools.net>:

* RRAS

From Andrew Lewman <ALewman@Lifespan.org>:

RedHat 5.2 with all patches against:

NT Server 1  has RRAS, SP4, NT Enterprise, Option Pack 4, PPTP w/96 VPNs (23
active at the time), Compaq Netelligent 10/100 running at 100 Mbits Full
Duplex, with drivers from latest SSD

NT Server 2 has RAS, SP4, NT Enterprise, PPTP w/ 96 VPNs (45 active at the
time), 3Com 3C905b 10/100 running at 100 Mbits full duplex with latest
standard NT4 SP4 driver installed.

NT Server 3 has RRAS, SP4, NT Server, Option Pack 4, PPTP w/20 VPNs (none
active), Compaq Netflex-3 10/100 running at 100 Mbits full duplex with
drivers from latest SSD.

I tried 256 through 2,560 "h"'s in intervals of 100 h's, Ctrl-D for
each interval of h's.  Nothing.  Very temporary spike in process usage for
the processes associated with RAS, went away instantly.

Errata:

Russ actually said he was using RAS, not RRAS. Mea culpa.


--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01