Microsoft Security Bulletin MS02-063
Unchecked Buffer in PPTP Implementation Could Enable Denial of Service Attacks
(Q329834)
Originally posted: October 30, 2002
Summary
Who should read this bulletin: Customers using Microsoft® Windows®
2000 or Windows XP.
Impact of vulnerability: Denial of service.
Maximum Severity Rating: Critical.
Recommendation: Administrators offering PPTP services should install
the patch immediately; users who utilize remote access using PPTP
should consider installing the patch.
Affected Software:
* Microsoft Windows 2000
* Microsoft Windows XP
Technical details
Technical description:
Windows 2000 and Windows XP natively support Point-to-Point Tunneling
Protocol (PPTP), a Virtual Private Networking technology that is
implemented as part of Remote Access Services (RAS). PPTP support is
an optional component in Windows NT 4.0, Windows 98, Windows 98SE,
and Windows ME.
A security vulnerability results in the Windows 2000 and Windows XP
implementations because of an unchecked buffer in a section of code
that processes the control data used to establish, maintain and tear
down PPTP connections. By delivering specially malformed PPTP control
data to an affected server, an attacker could corrupt kernel memory
and cause the system to fail, disrupting any work in progress on the
system.
The vulnerability could be exploited against any server that offers
PPTP. If a workstation had been configured to operate as a RAS server
offering PPTP services, it could likewise be attacked. Workstations
acting as PPTP clients could only be attacked during active PPTP
sessions. Normal operation on any attacked system could be restored
by restarting the system.
Mitigating factors:
* As discussed in more detail in the FAQ, Microsoft has only
successfully demonstrated denial of service attacks via this
vulnerability. Because of how the overrun occurs, it does not appear
that that there is any reliable means of using it to gain control
over a system.
* Servers would only be at risk from the vulnerability if they had
been specifically configured to offer PPTP services. PPTP does not
run by default on any Windows system. Likewise, although it is
possible to configure a workstation to offer PPTP services, none
operate in this capacity by default.
* Exploiting the vulnerability against a PPTP client could be
difficult. PPTP is typically used in scenarios in which the client
IP address changes frequently (e.g., because the client system is
mobile). Not only would an attacker need to learn the IP address,
but he or she would also need to mount an attack while the client
had an active PPTP session underway.
Severity Rating:
Internet Servers Intranet Servers Client Systems
Windows XP None None Low
Windows 2000 Critical Low Low
The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2002-1214
Tested Versions:
Microsoft tested Windows 98, Windows 98SE, Windows ME, Windows NT®
4.0, Windows 2000 and Windows XP to assess whether they are affected
by these vulnerabilities. Previous versions are no longer supported,
and may or may not be affected by these vulnerabilities.
Frequently asked questions
What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who
successfully exploited the vulnerability could potentially disrupt
service on either clients or servers utilizing secure remote
connections via the Point-to-Point Tunneling Protocol.
Exploiting the vulnerability against a client could be difficult, as
it could only be exploited during an active remote networking
session; in a typical usage scenario, the client would be a traveling
system whose IP address would likely change frequently. Normal
operation - for either client or server - could be restored by
restarting the system.
What causes the vulnerability?
The vulnerability results because the code that implements the
Point-to-Point Tunneling Protocol in Windows 2000 and Windows XP
contains an unchecked buffer in a section of code that processes PPTP
control data.
What is Point-to-Point Tunneling Protocol?
Point-to-Point Tunneling Protocol (PPTP) is an industry standard
protocol (defined in RFC 2637) that enables users to create and use
virtual private networks (VPNs). Through VPN technologies such as
PPTP, users can create secure connections to a remote network, even
though the data may transit insecure networks like the Internet. (A
good description of the technical underpinnings of PPTP is available
from MSDN).
Windows 2000 and Windows XP include native support for PPTP. In
server versions, PPTP support is implemented as an option within the
Routing and Remote Access Service (RAS). In workstation versions,
PPTP support is built into the Remote Access Client. PPTP support is
an optional component in Windows NT 4.0, Windows 98, Windows 98SE,
and Windows ME.
What's PPTP control data?
The data that constitutes a PPTP session can be categorized into two
types - the data in the session, and the data about the session.
Control data is the latter type of data. It's exchanged between the
client and server to establish the session, make sure that it's still
and active and healthy, and tear down the session when it's
completed.
What's wrong with how the PPTP implementation handled control data?
The code that processes control data in the Windows 2000 and Windows
XP implementations contains an unchecked buffer. By sending control
data that had been malformed in a particular way, it could be
possible to overflow the buffer and overwrite memory in the system
kernel.
What could an attacker do via this vulnerability?
An attacker who successfully exploited this vulnerability could cause
an affected system to fail. By targeting PPTP servers, the attacker
could prevent users from being able to establish VPN sessions; by
targeting PPTP clients, the attacker could cause them to fail with
the loss of any work that was ongoing at the time. In either case,
normal operation could be resumed by restarting the system.
Would it be possible to use this vulnerability to gain control over
an affected system?
Frequently, buffer overruns can be used not only to disrupt a
system's operation, but also to modify it in order to perform a task
of the attacker's choosing and thereby gain control over the system.
However, in this case, despite an extensive research effort,
Microsoft has never been able to demonstrate any reliable way to gain
control over a system. Instead, we have only been able to demonstrate
a capability to exploit the vulnerability to disrupt system
operation.
The reason has to do with the particular type of memory that would be
overrun. In most buffer overruns, exploiting the vulnerability has
the effect of putting the attacker's data into either of two data
structures, the stack or the heap. In such cases, the attacker can
control to varying degrees where the data will reside and how it will
be used. In this case, however, the data would overrun memory in the
operating system kernel instead. Microsoft is unaware of any means of
predicting where the data would spill, nor any way to use the data to
modify system functionality.
Who could exploit the vulnerability?
Any user who could deliver data to a Windows 2000 or Windows XP
system on which PPTP is running could exploit the vulnerability.
What's the risk to Windows servers?
A Windows 2000 server would only be at risk if the Routing and Remote
Access (RRAS) service were running, and PPTP had been selected by the
administrator as a supported protocol. In essence, this means that
only servers that are specifically deployed to provide PPTP services
would be at risk.
Windows NT 4.0 servers, even those providing PPTP services, are at no
risk as the vulnerability does not affect the Windows NT 4.0
implementation of PPTP.
Would a firewall protect a server that offered PPTP services?
No. Recall that the purpose of PPTP is to provide secure
communications across insecure media like the Internet. As a result,
in order for a PPTP server to perform its designated role, the PPTP
port (port 1723) on the firewall would need to be open.
What's the risk to Windows workstations?
There are two scenarios in which a Windows 2000 or Windows XP
workstation could be at risk:
* If it had a PPTP session underway already. When a Windows client has
an active outbound PPTP session, its PPTP service also listens for
and will accept incoming control data on the PPTP port, and as a
result the vulnerability could be exploited. It's worth noting,
however, that the typical PPTP usage scenario could help mitigate
these attacks. In contrast to servers, which usually occupy static,
well-publicized IP addresses, workstations - especially traveling
ones - tend to change their IP addresses frequently and therefore be
more difficult to target.
* If it had been manually configured to operate as a RAS server. It is
possible to manually configure a workstation to provide RAS services
using PPTP and, if this had been done, the workstation would be at
identical risk to a RAS server. It's worth noting that workstations
are not frequently configured this way.
Workstations running any other version of Windows are at no risk from
the vulnerability. Although a PPTP client is available for Windows
95, Windows 98, Windows 98SE and Windows ME, none of them include the
vulnerability.
Would a firewall protect a PPTP client?
Yes. An active PPTP client that was protected by a firewall
(including Internet Connection Firewall in Windows XP) or by a router
that performs Network Address Translation (as most broadband routers
do) would be protected from unsolicited messages directed to it at
port 1723.
Do customers running Windows NT 4.0, Windows 98, Windows 98SE or
Windows ME need to take any action?
No. The PPTP implementations in these versions do not contain the
vulnerability.
What does the patch do?
The patch addresses the vulnerability by instituting proper buffer
handling in the PPTP service.
Patch availability
Download locations for this patch
* Microsoft Windows 2000:
http://www.microsoft.com/downloads/Release.asp?ReleaseID=43606
* Microsoft Windows XP:
32-bit:
http://www.microsoft.com/downloads/Release.asp?ReleaseID=43635
64-bit:
http://www.microsoft.com/downloads/Release.asp?ReleaseID=43631
Additional information about this patch
Installation platforms:
* The Windows 2000 patch can be installed on systems running Windows
2000 Service Pack 2 or Service Pack 3.
* The patch for Windows XP can be installed on systems running Windows
XP Gold or Service Pack 1.
Inclusion in future service packs:
The fix for this issue will be included in Windows 2000 Service Pack
4 and Windows XP Service Pack 2.
Reboot needed: Yes
Patch can be uninstalled: Yes
Superseded patches: None.
Verifying patch installation:
Windows 2000:
* To verify that the patch has been installed on the machine, confirm
that the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows
2000\SP4\Q329834.
* To verify the individual files, use the date/time and version
information provided in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows
2000\SP4\Q329834\Filelist.
Windows XP:
If installed on Windows XP Gold:
* To verify that the patch has been installed, confirm that the
following registry key has been created on the machine:
HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q329834.
* To verify the individual files, use the date/time and version
information provided in the following registry key:
HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q329834\Filelist.
If installed on Windows XP SP1:
* To verify that the patch has been installed, confirm that the
following registry key has been created on the machine:
HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q329834.
* To verify the individual files, use the date/time and version
information provided in the following registry key:
HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q329834\Filelist.
Caveats:
None
Localization:
The patches listed above in "Patch Availability" can be installed on
any language version.
Obtaining other security patches:
Patches for other security issues are available from the following
locations:
* Security patches are available from the Microsoft Download Center,
and can be most easily found by doing a keyword search for
"security_patch".
* Patches for consumer platforms are available from the WindowsUpdate
web site
Other information:
Support:
* Microsoft Knowledge Base article Q329834 discusses this issue and
will be available approximately 24 hours after the release of this
bulletin. Knowledge Base articles can be found on the Microsoft
Online Support web site.
* Technical support is available from Microsoft Product Support
Services. There is no charge for support calls associated with
security patches.
Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided
"as is" without warranty of any kind. Microsoft disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event
shall Microsoft Corporation or its suppliers be liable for any
damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential or incidental damages so
the foregoing limitation may not apply.
Revisions:
* V1.0 (October 30, 2002): Bulletin Created.