Microsoft Security Bulletin MS01-009

Technical description:

The PPTP service in Windows NT 4.0 has a flaw in a part of the code that handles a particular type of data packet, which results in a leak of kernel memory. If a sufficient number of packets containing a specific malformation were received by an affected server, kernel memory would eventually become exhausted. The likely outcome would be that the server would either hang or fail altogether. In either case, the machine would need to be rebooted to restore normal operation, and any PPTP sessions underway at the time would be lost. It would not be necessary for the attacker to establish a valid PPTP session in order to exploit the vulnerability.

Mitigating factors:

• The vulnerability does not threaten the security of the data within PPTP sessions in any way - it is strictly a denial of service vulnerability.
• The PPTP service does not run by default
• Windows 2000 machines, even ones running PPTP, are not affected by this vulnerability.

Vulnerability identifier: CAN-2001-0017

What's the scope of the vulnerability?
This is a denial of service vulnerability. By sending a huge number of specially malformed data packets to an affected server, an attacker could prevent the server from providing secure network sessions to users. The service at issue here is intended to be exposed to the Internet, so firewalling would not be a feasible defense against the vulnerability.
The vulnerability would not enable the attacker to compromise any secure connections - it would only enable him to prevent them from occurring. Likewise, the vulnerability would not give the attacker any privileges on the machine. Only Windows NT 4.0 servers running the PPTP service are affected by the vulnerability.

What causes the vulnerability?
The implementation of the PPTP protocol in Windows NT 4.0 contains a memory leak in the part of the code that processes certain types of data packets. If a series of PPTP packets, each containing a particular malformation, were sent to an affected server, the server's resources could be depleted to the point where the server would fail.

What's PPTP?
PPTP (Point-to-point Tunneling Protocol) is a protocol that enables users to establish secure remote connections over insecure communications channels. PPTP is most commonly used to support traveling employees who need to connect to their company's network while they're on the road.
Suppose Jane is a traveling employee, and needs to access resources on her company's network. Using PPTP, she would access the Internet via a local ISP, then connect to her company's PPTP server. The client and server exchange session information, then establish a secure connection. Once that's done, Jane would do whatever work she needed to do, within the secure session.

What's wrong with PPTP?
As the PPTP service establishes sessions, exchanges data, and ends sessions, it periodically needs resources from the operating system. When it's finished using those resources, it should, by design, return them to the operating system so they can be used by other processes. However, a flaw in the PPTP service prevents it, under certain conditions, from returning all the resources it uses.
Specifically, if the service receives a particular type of invalid PPTP packet, it will request some memory but won't return it to the operating system when it's done. Each time the service receives such a packet, it depletes the available memory on the system. If enough packets of this type were received and processed, it could deplete the memory to the point where the machine might "hang", and simply become unresponsive, or might fail altogether.

What could an attacker do via this vulnerability?
If an attacker generated a large number of the packets at issue here and sent them to an affected server, he could cause the server to stop providing service. This would cause any existing PPTP sessions to be lost, and would prevent new connections until the machine was restored to normal service.
The vulnerability would not enable the attacker to compromise the security of any PPTP sessions. Likewise, it wouldn't enable him to compromise any data on the server or the client, nor would it give him any form of administrative control over either machine.

If a machine were attacked via this vulnerability, what would need to be done to restore it to normal service?
The machine would need to be rebooted.

How difficult would it be to mount an attack via this vulnerability?
Although exploiting the vulnerability would not be technically difficult, there are some operational challenges for the attacker. It's not enough to simply send one malformed packet to an affected machine, or even several hundred. Each packet depletes memory on the system by only a small amount, so the attacker would need to send a very large number of packets and stay "on the air" for at least several minutes. During this time, it could be possible for the operator to take defensive measures like blocking packets from the attacker.

Could this vulnerability be exploited by an attacker on the Internet?
Yes. The flaw lies within the PPTP service which, to be useful, would need to be exposed to the Internet.

Would the attacker need to establish a PPTP session in order to exploit this vulnerability?
No. All he would need to do is direct a stream of specially malformed packets at an affected server.

Could the memory leak occur during normal use?
No. Normal PPTP sessions are extremely unlikely to generate packets with the particular malformation that's needed to cause the memory leak. In any event, it's not enough to simply generate one such packet - a stead stream of them would need to be generated and directed toward the server.

Are all Windows NT 4.0 servers at risk from this vulnerability?
No. Only servers running the PPTP service are at risk. The service does not run by default.

Are Windows NT 4.0 terminal servers at risk from this vulnerability?
Although it's possible to run the PPTP service on a terminal server, it would be extremely bad practice to do this. Terminal servers should never be used as network edge machines.

Are Windows NT 4.0 workstations at risk from this vulnerability?
PPTP can be installed on a Windows NT 4.0 workstations but, for reasons similar to those discussed regarding terminal servers, it would be very bad practice to allow a workstation to serve as a network edge machine.

Does the vulnerability affect Windows 2000 PPTP servers?
No. The Windows 2000 PPTP service is not affected by this vulnerability.

Who should apply the patch?
Microsoft recommends that customers using Windows NT 4.0 to provide PPTP services apply the patch.

What does the patch do?
The patch causes the PPTP service to correctly return memory to the operating system when it's done using it. This prevents the resource leak that resulted in the system failure. However, it's important to understand that flooding attacks might still be possible even after applying the patch.
In a typical attack via this vulnerability, the attacker would direct a huge number of malformed packets at the server. After the patch is applied, the server will correctly handle the packets by examining them and rejecting them. However, it does take system resources to do this, and as a result, if such an attack were mounted against a patched system, it's possible that CPU availability could sag while the packets were incoming. This is strictly a result of the traffic volume, though, and CPU availability would resume as soon as the packet stream stopped.

Download locations for this patch

• Windows NT 4.0 Workstation, Windows NT 4.0 Server and Windows NT 4.0 Server, Enterprise Edition:

  http://www.microsoft.com/downloads/details.aspx?FamilyId=7AC22637-C0E6-424E-A399-183B47A2A584&displaylang=en

• Windows NT 4.0 Server, Terminal Server Edition:

  Included in the Windows NT Server 4.0, Terminal Server Edition Security Rollup Package.