Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   OS (Microsoft)  >   Windows PPTP Service Vendors:   Microsoft
Microsoft PPTP Service Buffer Overflow May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1005296
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 26 2002
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network

Version(s): Windows 2000, XP
Description:   A buffer overflow vulnerability was reported in Microsoft's point-to-point protocol (PPTP) service. A remote user can cause the system to crash and may be able to execute arbitrary code.

phion Information Technologies issued a security advisory warning of a pre-authentication buffer overflow affecting both the PPTP client and server implementation.

A remote user can send a specially crafted PPTP packet to overwrite kernel memory and crash the system. It is also possible to overwrite the EDI and EDX registers and, according to the report, potentially execute arbitrary shell code.

The vendor has reportedly been notified.

Impact:   A remote user can cause the system to crash. A remote user may be able to execute arbitrary code on the system.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (2000), Windows (XP)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Microsoft Issues Fix) Microsoft PPTP Service Buffer Overflow May Let Remote Users Execute Arbitrary Code
The vendor has released a fix.

 Source Message Contents

Subject:  Microsoft PPTP Server and Client remote vulnerability

phion Security Advisory 26/09/2002

Microsoft PPTP Server and Client remote vulnerability


   The Microsoft PPTP Service shipping with Windows 2000 and XP contains a
   remotely exploitable pre-authentication bufferoverflow.

Affected Systems

   Microsoft Windows 2000 and XP running either a PPTP Server or Client.


   With a specially crafted PPTP packet it is possible to overwrite kernel

   A DoS resulting in a lockup of the machine has been verified on
   Windows 2000 SP3 and Windows XP.

   A remote compromise should be possible deploying proper shellcode,
   as we were able to fill EDI and EDX with our data.

   Clients are vulnerable too, because the Service always listens on port
   1723 on any interface of the machine, this might be of special concern
   to DSL users which use PPTP to connect to their modem.


   As a temporary solution for the Client issue, one might firewall the PPTP
   port in the Internet Connection Firewall for Windows XP.

   We dont know of any solution for Windows 2000 and Windows XP PPTP servers.

   The vendor has been informed.


   The bug has been discovered by Stephan Hoffmann and Thomas Unterleitner
   on behalf of phion Information Technologies.

Contact Information

   phion Information Technologies can be reached via: /

   Stephan Hoffmann can be reached via:

   Thomas Unterleitner can be reached via:


   [1] phion Information Technologies


   phion Information Technologies will not provide an exploit for this issue.


   This advisory does not claim to be complete or to be usable for any

   This advisory is free for open distribution in unmodified form.

   Articles or Publications that are based on information from this advisory
   have to include link [1].


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC