Possible PPTP Flaw Could Leave VPNs Open | Internet News

Written By
Thor Olavsrud
Sep 27, 2002

A possible flaw in the point-to-point tunneling protocol (PPTP) in both
Windows 2000 and Windows XP could leave corporate intranets vulnerable to
attack, German security firm Phion Information Technologies warned Thursday.

Phion said it had contacted Microsoft about the vulnerability before issuing
its security advisory Thursday morning. Microsoft has not confirmed the
flaw.

PPTP is used to secure virtual private networks (VPNs) by allowing two Internet hosts to communicate over a secure channel utilizing authentication and encryption. Phion claimed that
the PPTP Service shipping with Windows 2000 and Windows XP contains a
remotely exploitable pre-authentication buffer overflow, which could allow a
malicious hacker to overwrite kernel memory with a specially crafted PPTP
packet.

Phion said it has verified a denial-of-service lockup on both Windows 2000
SP3 and Windows XP, and noted that a remote compromise should be possible
through the use of proper shellcode. Additionally, it said clients are
vulnerable, because the service constantly listens to port 1723 on any
interface of the machine, making the vulnerability of special concern to DSL
users utilizing PPTP to connect to their modems.

On the client side, Phion suggested firewalling the PPTP port in the
Internet Connection Firewall for Windows XP. It had no suggestions for
server-side solutions.
