Microsoft Security Bulletin MS02-063

Technical description:

Windows 2000 and Windows XP natively support Point-to-Point Tunneling Protocol (PPTP), a Virtual Private Networking technology that is implemented as part of Remote Access Services (RAS). PPTP support is an optional component in Windows NT 4.0, Windows 98, Windows 98SE, and Windows ME.

A security vulnerability results in the Windows 2000 and Windows XP implementations because of an unchecked buffer in a section of code that processes the control data used to establish, maintain and tear down PPTP connections. By delivering specially malformed PPTP control data to an affected server, an attacker could corrupt kernel memory and cause the system to fail, disrupting any work in progress on the system.

The vulnerability could be exploited against any server that offers PPTP. If a workstation had been configured to operate as a RAS server offering PPTP services, it could likewise be attacked. Workstations acting as PPTP clients could only be attacked during active PPTP sessions. Normal operation on any attacked system could be restored by restarting the system.

Mitigating factors:

• As discussed in more detail in the FAQ, Microsoft has only successfully demonstrated denial of service attacks via this vulnerability. Because of how the overrun occurs, it does not appear that that there is any reliable means of using it to gain control over a system.
• Servers would only be at risk from the vulnerability if they had been specifically configured to offer PPTP services. PPTP does not run by default on any Windows system. Likewise, although it is possible to configure a workstation to offer PPTP services, none operate in this capacity by default.
• Exploiting the vulnerability against a PPTP client could be difficult. PPTP is typically used in scenarios in which the client IP address changes frequently (e.g., because the client system is mobile). Not only would an attacker need to learn the IP address, but he or she would also need to mount an attack while the client had an active PPTP session underway.

Severity Rating:

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2002-1214

Tested Versions:

Microsoft tested Windows 98, Windows 98SE, Windows ME, Windows NT® 4.0, Windows 2000 and Windows XP to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who successfully exploited the vulnerability could potentially disrupt service on either clients or servers utilizing secure remote connections via the Point-to-Point Tunneling Protocol.
Exploiting the vulnerability against a client could be difficult, as it could only be exploited during an active remote networking session; in a typical usage scenario, the client would be a traveling system whose IP address would likely change frequently. Normal operation - for either client or server - could be restored by restarting the system.

What causes the vulnerability? 
The vulnerability results because the code that implements the Point-to-Point Tunneling Protocol in Windows 2000 and Windows XP contains an unchecked buffer in a section of code that processes PPTP control data.

What is Point-to-Point Tunneling Protocol? 
Point-to-Point Tunneling Protocol (PPTP) is an industry standard protocol (defined in RFC 2637) that enables users to create and use virtual private networks (VPNs). Through VPN technologies such as PPTP, users can create secure connections to a remote network, even though the data may transit insecure networks like the Internet. (A good description of the technical underpinnings of PPTP is available from MSDN).
Windows 2000 and Windows XP include native support for PPTP. In server versions, PPTP support is implemented as an option within the Routing and Remote Access Service (RAS). In workstation versions, PPTP support is built into the Remote Access Client. PPTP support is an optional component in Windows NT 4.0, Windows 98, Windows 98SE, and Windows ME.

What's PPTP control data? 
The data that constitutes a PPTP session can be categorized into two types - the data in the session, and the data about the session. Control data is the latter type of data. It's exchanged between the client and server to establish the session, make sure that it's still and active and healthy, and tear down the session when it's completed.

What's wrong with how the PPTP implementation handled control data? 
The code that processes control data in the Windows 2000 and Windows XP implementations contains an unchecked buffer. By sending control data that had been malformed in a particular way, it could be possible to overflow the buffer and overwrite memory in the system kernel.

What could an attacker do via this vulnerability? 
An attacker who successfully exploited this vulnerability could cause an affected system to fail. By targeting PPTP servers, the attacker could prevent users from being able to establish VPN sessions; by targeting PPTP clients, the attacker could cause them to fail with the loss of any work that was ongoing at the time. In either case, normal operation could be resumed by restarting the system.

Would it be possible to use this vulnerability to gain control over an affected system? 
Frequently, buffer overruns can be used not only to disrupt a system's operation, but also to modify it in order to perform a task of the attacker's choosing and thereby gain control over the system. However, in this case, despite an extensive research effort, Microsoft has never been able to demonstrate any reliable way to gain control over a system. Instead, we have only been able to demonstrate a capability to exploit the vulnerability to disrupt system operation.
The reason has to do with the particular type of memory that would be overrun. In most buffer overruns, exploiting the vulnerability has the effect of putting the attacker's data into either of two data structures, the stack or the heap. In such cases, the attacker can control to varying degrees where the data will reside and how it will be used. In this case, however, the data would overrun memory in the operating system kernel instead. Microsoft is unaware of any means of predicting where the data would spill, nor any way to use the data to modify system functionality.

Who could exploit the vulnerability? 
Any user who could deliver data to a Windows 2000 or Windows XP system on which PPTP is running could exploit the vulnerability.

What's the risk to Windows servers? 
A Windows 2000 server would only be at risk if the Routing and Remote Access (RRAS) service were running, and PPTP had been selected by the administrator as a supported protocol. In essence, this means that only servers that are specifically deployed to provide PPTP services would be at risk.
Windows NT 4.0 servers, even those providing PPTP services, are at no risk as the vulnerability does not affect the Windows NT 4.0 implementation of PPTP.

Would a firewall protect a server that offered PPTP services? 
No. Recall that the purpose of PPTP is to provide secure communications across insecure media like the Internet. As a result, in order for a PPTP server to perform its designated role, the PPTP port (port 1723) on the firewall would need to be open.

What's the risk to Windows workstations? 
There are two scenarios in which a Windows 2000 or Windows XP workstation could be at risk:

• If it had a PPTP session underway already. When a Windows client has an active outbound PPTP session, its PPTP service also listens for and will accept incoming control data on the PPTP port, and as a result the vulnerability could be exploited. It's worth noting, however, that the typical PPTP usage scenario could help mitigate these attacks. In contrast to servers, which usually occupy static, well-publicized IP addresses, workstations - especially traveling ones - tend to change their IP addresses frequently and therefore be more difficult to target.
• If it had been manually configured to operate as a RAS server. It is possible to manually configure a workstation to provide RAS services using PPTP and, if this had been done, the workstation would be at identical risk to a RAS server. It's worth noting that workstations are not frequently configured this way.

Workstations running any other version of Windows are at no risk from the vulnerability. Although a PPTP client is available for Windows 95, Windows 98, Windows 98SE and Windows ME, none of them include the vulnerability.

Would a firewall protect a PPTP client? 
Yes. An active PPTP client that was protected by a firewall (including Internet Connection Firewall in Windows XP) or by a router that performs Network Address Translation (as most broadband routers do) would be protected from unsolicited messages directed to it at port 1723.

Do customers running Windows NT 4.0, Windows 98, Windows 98SE or Windows ME need to take any action? 
No. The PPTP implementations in these versions do not contain the vulnerability.

What does the patch do? 
The patch addresses the vulnerability by instituting proper buffer handling in the PPTP service.

Download locations for this patch

• Microsoft Windows 2000:

  http://www.microsoft.com/downloads/details.aspx?FamilyId=F4F66D56-E7CE-44C3-8B94-817EA8485DD1&displaylang=en

• Microsoft Windows XP:

  32-bit: http://www.microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en

  64-bit: http://www.microsoft.com/downloads/details.aspx?FamilyId=1B00F5DF-4A85-488F-80E3-C347ADCC4DF1&displaylang=en