Microsoft Security Bulletin MS02-063 - Critical

Unchecked Buffer in PPTP Implementation Could Enable Denial of Service Attacks (Q329834)

Published: October 30, 2002

Version: 1.0

Originally posted: October 30, 2002

Summary

Who should read this bulletin:  Customers using Microsoft® Windows® 2000 or Windows XP.

Impact of vulnerability:  Denial of service.

Maximum Severity Rating:  Critical.

Recommendation:  Administrators offering PPTP services should install the patch immediately; users who utilize remote access using PPTP should consider installing the patch.

Affected Software:

  • Microsoft Windows 2000
  • Microsoft Windows XP

General Information

Technical details

Technical description:

Windows 2000 and Windows XP natively support Point-to-Point Tunneling Protocol (PPTP), a Virtual Private Networking technology that is implemented as part of Remote Access Services (RAS). PPTP support is an optional component in Windows NT 4.0, Windows 98, Windows 98SE, and Windows ME.

A security vulnerability results in the Windows 2000 and Windows XP implementations because of an unchecked buffer in a section of code that processes the control data used to establish, maintain and tear down PPTP connections. By delivering specially malformed PPTP control data to an affected server, an attacker could corrupt kernel memory and cause the system to fail, disrupting any work in progress on the system.

The vulnerability could be exploited against any server that offers PPTP. If a workstation had been configured to operate as a RAS server offering PPTP services, it could likewise be attacked. Workstations acting as PPTP clients could only be attacked during active PPTP sessions. Normal operation on any attacked system could be restored by restarting the system.

Mitigating factors:

  • As discussed in more detail in the FAQ, Microsoft has only successfully demonstrated denial of service attacks via this vulnerability. Because of how the overrun occurs, it does not appear that there is any reliable means of using it to gain control over a system.
  • Servers would only be at risk from the vulnerability if they had been specifically configured to offer PPTP services. PPTP does not run by default on any Windows system. Likewise, although it is possible to configure a workstation to offer PPTP services, none operate in this capacity by default.
  • Exploiting the vulnerability against a PPTP client could be difficult. PPTP is typically used in scenarios in which the client IP address changes frequently (e.g., because the client system is mobile). Not only would an attacker need to learn the IP address, but he or she would also need to mount an attack while the client had an active PPTP session underway.

Severity Rating:

                  Internet Servers   Intranet Servers   Client Systems
Windows XP        None               None               Low
Windows 2000      Critical           Low                Low

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2002-1214

Tested Versions:

Microsoft tested Windows 98, Windows 98SE, Windows ME, Windows NT® 4.0, Windows 2000 and Windows XP to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by this vulnerability.

Frequently asked questions

What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who successfully exploited the vulnerability could potentially disrupt service on either clients or servers utilizing secure remote connections via the Point-to-Point Tunneling Protocol. Exploiting the vulnerability against a client could be difficult, as it could only be exploited during an active remote networking session; in a typical usage scenario, the client would be a traveling system whose IP address would likely change frequently. Normal operation - for either client or server - could be restored by restarting the system.

What causes the vulnerability?
The vulnerability results because the code that implements the Point-to-Point Tunneling Protocol in Windows 2000 and Windows XP contains an unchecked buffer in a section of code that processes PPTP control data.

What is Point-to-Point Tunneling Protocol?
Point-to-Point Tunneling Protocol (PPTP) is an industry standard protocol (defined in RFC 2637) that enables users to create and use virtual private networks (VPNs). Through VPN technologies such as PPTP, users can create secure connections to a remote network, even though the data may transit insecure networks like the Internet. (A good description of the technical underpinnings of PPTP is available from MSDN). Windows 2000 and Windows XP include native support for PPTP. In server versions, PPTP support is implemented as an option within the Routing and Remote Access Service (RAS). In workstation versions, PPTP support is built into the Remote Access Client. PPTP support is an optional component in Windows NT 4.0, Windows 98, Windows 98SE, and Windows ME.

What's PPTP control data?
The data that constitutes a PPTP session can be categorized into two types - the data in the session, and the data about the session. Control data is the latter type of data. It's exchanged between the client and server to establish the session, make sure that it's still active and healthy, and tear down the session when it's completed.

What's wrong with how the PPTP implementation handled control data?
The code that processes control data in the Windows 2000 and Windows XP implementations contains an unchecked buffer. By sending control data that had been malformed in a particular way, it could be possible to overflow the buffer and overwrite memory in the system kernel.
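The two answers above describe control data and the unchecked buffer in the code that processes it. The following is an added example, written for this page and not Microsoft's PPTP implementation, of the checks a control-message parser has to make before it acts on anything the peer sent: it parses the 12-byte control header defined in RFC 2637 and a Start-Control-Connection-Request, and it refuses to use the peer-supplied Length field until that value has been compared with the number of bytes actually received and with the fixed size the RFC defines for the message type. The message layouts and sizes are taken from RFC 2637; the sample messages, host name and vendor string are constructed for the demonstration.

```python
"""Strict parser for PPTP control messages (RFC 2637).

Added example for this bulletin; it is not Microsoft's PPTP code.  Sample
messages below are constructed for the demonstration."""
import struct

PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_CONTROL_MESSAGE = 1                     # PPTP Message Type for control messages
HEADER_FMT = "!HHIHH"                        # Length, Message Type, Magic Cookie, Control Type, Reserved0
HEADER_LEN = struct.calcsize(HEADER_FMT)     # 12 bytes

# Control Message Types handled here and their fixed on-the-wire sizes in octets.
SCCRQ, SCCRP, ECHO_REQUEST, ECHO_REPLY = 1, 2, 5, 6
FIXED_LENGTH = {SCCRQ: 156, SCCRP: 156, ECHO_REQUEST: 16, ECHO_REPLY: 20}

# Body of Start-Control-Connection-Request: Protocol Version, Reserved1,
# Framing Capabilities, Bearer Capabilities, Maximum Channels, Firmware
# Revision, Host Name (64 bytes), Vendor String (64 bytes).
SCCRQ_BODY_FMT = "!HHIIHH64s64s"


class MalformedControlMessage(ValueError):
    """The message must be discarded rather than processed."""


def parse_control_header(data):
    """Validate the 12-byte header and return the declared length and control type.

    The checks on `length` are the ones the bug class in the bulletin lacks: a
    peer-supplied length is never used until it has been compared with the
    number of bytes actually received and with the size the RFC defines for
    that message type."""
    if len(data) < HEADER_LEN:
        raise MalformedControlMessage("fewer bytes than a control header")
    length, msg_type, cookie, ctrl_type, _reserved = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if cookie != PPTP_MAGIC_COOKIE:
        raise MalformedControlMessage("bad magic cookie")
    if msg_type != PPTP_CONTROL_MESSAGE:
        raise MalformedControlMessage("PPTP message type %d is not a control message" % msg_type)
    if length < HEADER_LEN or length > len(data):
        raise MalformedControlMessage("declared length %d does not fit %d received bytes" % (length, len(data)))
    expected = FIXED_LENGTH.get(ctrl_type)
    if expected is None:
        raise MalformedControlMessage("unsupported control type %d" % ctrl_type)
    if length != expected:
        raise MalformedControlMessage("control type %d must be %d bytes, got %d" % (ctrl_type, expected, length))
    return {"length": length, "ctrl_type": ctrl_type}


def parse_sccrq(data):
    """Parse a Start-Control-Connection-Request into its fields."""
    header = parse_control_header(data)
    if header["ctrl_type"] != SCCRQ:
        raise MalformedControlMessage("not a Start-Control-Connection-Request")
    body = data[HEADER_LEN:header["length"]]      # exactly 144 bytes after the checks above
    proto, _res1, framing, bearer, max_ch, firmware, host, vendor = struct.unpack(SCCRQ_BODY_FMT, body)
    return {
        "protocol_version": proto,
        "framing_caps": framing,
        "bearer_caps": bearer,
        "max_channels": max_ch,
        "firmware_revision": firmware,
        "host_name": host.split(b"\0", 1)[0].decode("ascii", "replace"),
        "vendor": vendor.split(b"\0", 1)[0].decode("ascii", "replace"),
    }


def build_sccrq(host_name, vendor):
    """Build a well-formed SCCRQ (used only to construct sample input)."""
    body = struct.pack(SCCRQ_BODY_FMT, 0x0100, 0, 0x3, 0x3, 1, 0, host_name[:64], vendor[:64])
    header = struct.pack(HEADER_FMT, HEADER_LEN + len(body), PPTP_CONTROL_MESSAGE, PPTP_MAGIC_COOKIE, SCCRQ, 0)
    return header + body


def screen_messages(samples):
    """Run the header checks over labelled messages; 'accepted' or the reason for discarding."""
    results = {}
    for label, message in samples.items():
        try:
            parse_control_header(message)
            results[label] = "accepted"
        except MalformedControlMessage as exc:
            results[label] = str(exc)
    return results


GOOD = build_sccrq(b"vpn-client", b"Example Vendor")
# Constructed samples: one valid request plus the shapes a robust
# implementation has to discard instead of trusting the Length field.
SAMPLES = {
    "well-formed sccrq": GOOD,
    "truncated on the wire": GOOD[:100],                 # Length says 156, only 100 arrived
    "inflated length field": b"\xff\xff" + GOOD[2:],     # Length says 65535
    "length below header": b"\x00\x04" + GOOD[2:],
    "wrong magic cookie": GOOD[:4] + b"\x00\x00\x00\x00" + GOOD[8:],
}

if __name__ == "__main__":
    for label, verdict in screen_messages(SAMPLES).items():
        print("%-24s %s" % (label, verdict))
    print(parse_sccrq(GOOD))
```

Only the message types listed in FIXED_LENGTH are accepted; anything else is discarded, which is the conservative choice for a parser that, like the one in the bulletin, runs with kernel privileges and cannot afford to guess at a size.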

What could an attacker do via this vulnerability?
An attacker who successfully exploited this vulnerability could cause an affected system to fail. By targeting PPTP servers, the attacker could prevent users from being able to establish VPN sessions; by targeting PPTP clients, the attacker could cause them to fail with the loss of any work that was ongoing at the time. In either case, normal operation could be resumed by restarting the system.

Would it be possible to use this vulnerability to gain control over an affected system?
Frequently, buffer overruns can be used not only to disrupt a system's operation, but also to modify it in order to perform a task of the attacker's choosing and thereby gain control over the system. However, in this case, despite an extensive research effort, Microsoft has never been able to demonstrate any reliable way to gain control over a system. Instead, we have only been able to demonstrate a capability to exploit the vulnerability to disrupt system operation. The reason has to do with the particular type of memory that would be overrun. In most buffer overruns, exploiting the vulnerability has the effect of putting the attacker's data into either of two data structures, the stack or the heap. In such cases, the attacker can control to varying degrees where the data will reside and how it will be used. In this case, however, the data would overrun memory in the operating system kernel instead. Microsoft is unaware of any means of predicting where the data would spill, nor any way to use the data to modify system functionality.

Who could exploit the vulnerability?
Any user who could deliver data to a Windows 2000 or Windows XP system on which PPTP is running could exploit the vulnerability.

What's the risk to Windows servers?
A Windows 2000 server would only be at risk if the Routing and Remote Access (RRAS) service were running, and PPTP had been selected by the administrator as a supported protocol. In essence, this means that only servers that are specifically deployed to provide PPTP services would be at risk. Windows NT 4.0 servers, even those providing PPTP services, are at no risk as the vulnerability does not affect the Windows NT 4.0 implementation of PPTP.

Would a firewall protect a server that offered PPTP services?
No. Recall that the purpose of PPTP is to provide secure communications across insecure media like the Internet. As a result, in order for a PPTP server to perform its designated role, the PPTP port (port 1723) on the firewall would need to be open.

What's the risk to Windows workstations?
There are two scenarios in which a Windows 2000 or Windows XP workstation could be at risk:

  • If it had a PPTP session underway already. When a Windows client has an active outbound PPTP session, its PPTP service also listens for and will accept incoming control data on the PPTP port, and as a result the vulnerability could be exploited. It's worth noting, however, that the typical PPTP usage scenario could help mitigate these attacks. In contrast to servers, which usually occupy static, well-publicized IP addresses, workstations - especially traveling ones - tend to change their IP addresses frequently and therefore be more difficult to target.
  • If it had been manually configured to operate as a RAS server. It is possible to manually configure a workstation to provide RAS services using PPTP and, if this had been done, the workstation would be at identical risk to a RAS server. It's worth noting that workstations are not frequently configured this way.

Workstations running any other version of Windows are at no risk from the vulnerability. Although a PPTP client is available for Windows 95, Windows 98, Windows 98SE and Windows ME, none of them include the vulnerability.

Would a firewall protect a PPTP client?
Yes. An active PPTP client that was protected by a firewall (including Internet Connection Firewall in Windows XP) or by a router that performs Network Address Translation (as most broadband routers do) would be protected from unsolicited messages directed to it at port 1723.

Do customers running Windows NT 4.0, Windows 98, Windows 98SE or Windows ME need to take any action?
No. The PPTP implementations in these versions do not contain the vulnerability.

What does the patch do?
The patch addresses the vulnerability by instituting proper buffer handling in the PPTP service.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 Service Pack 4 and Windows XP Service Pack 2.

Reboot needed: Yes

Patch can be uninstalled: Yes

Superseded patches: None.

Verifying patch installation:

Windows 2000:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q329834.

  • To verify the individual files, use the date/time and version information provided in the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q329834\Filelist.

Windows XP:

If installed on Windows XP Gold:

  • To verify that the patch has been installed, confirm that the following registry key has been created on the machine:

    HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q329834.

  • To verify the individual files, use the date/time and version information provided in the following registry key:

    HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q329834\Filelist.

If installed on Windows XP SP1:

  • To verify that the patch has been installed, confirm that the following registry key has been created on the machine:

    HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q329834.

  • To verify the individual files, use the date/time and version information provided in the following registry key:

    HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q329834\Filelist.
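The verification steps above name one registry key per platform and point to its Filelist subkey for file details. The following added script, written for this page and not Microsoft's own tooling, walks those keys from HKEY_LOCAL_MACHINE so the check can be run on a machine rather than done by hand. It assumes Python's standard winreg module on the Windows host being checked; the bulletin does not state which values are stored under Filelist, so the script prints whatever it finds there. The registry reader is injectable, and the sample registry contents used in the usage below are constructed.

```python
"""Check the Q329834 registry keys named in the bulletin.

Added example, not Microsoft's tooling.  The bulletin names the keys; it does
not name the values stored under Filelist, so this script prints whatever
values it finds there."""
import sys

# HKEY_LOCAL_MACHINE subkeys from the bulletin, by the platform the patch was
# installed on.  The service-pack folder is the one that will ship the fix,
# not the one currently installed.
PATCH_KEYS = {
    "Windows 2000": r"SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q329834",
    "Windows XP Gold": r"Software\Microsoft\Updates\Windows XP\SP1\Q329834",
    "Windows XP SP1": r"Software\Microsoft\Updates\Windows XP\SP2\Q329834",
}


def read_hklm(subkey):
    """Registry reader for Windows: None if the HKLM subkey is absent, otherwise
    {child_subkey: {value_name: data}} for the subkeys one level down."""
    import winreg  # Windows-only standard library module
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey)
    except FileNotFoundError:
        return None
    children = {}
    with key:
        subkey_count = winreg.QueryInfoKey(key)[0]
        for i in range(subkey_count):
            name = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, name) as child:
                value_count = winreg.QueryInfoKey(child)[1]
                children[name] = {}
                for j in range(value_count):
                    value_name, data, _kind = winreg.EnumValue(child, j)
                    children[name][value_name] = data
    return children


def check_patch(platform, reader=read_hklm):
    """Report whether the patch key exists for `platform` and what Filelist holds.
    `reader` is injectable so the logic can be exercised off a Windows host."""
    base = PATCH_KEYS[platform]
    if reader(base) is None:
        return {"platform": platform, "key": base, "installed": False, "files": {}}
    files = reader(base + r"\Filelist") or {}
    return {"platform": platform, "key": base, "installed": True, "files": files}


def check_all(reader=read_hklm):
    """One report per platform key listed in the bulletin."""
    return [check_patch(platform, reader) for platform in PATCH_KEYS]


if __name__ == "__main__":
    if not sys.platform.startswith("win"):
        sys.exit("registry check only runs on Windows")
    for report in check_all():
        print("%-16s %s" % (report["platform"], "installed" if report["installed"] else "not found"))
        for entry, values in report["files"].items():
            print("  Filelist\\%s: %s" % (entry, values))
```

On a patched Windows 2000 machine exactly one of the three reports comes back installed; a machine where none are installed and PPTP services are offered is the case the bulletin's recommendation is aimed at.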

Caveats:

None

Localization:

The patches listed above in "Patch Availability" can be installed on any language version.

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site

Other information:

Support:

  • Microsoft Knowledge Base article Q329834 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (October 30, 2002): Bulletin Created.
