Possible PPTP Flaw Could Leave VPNs Open

A possible flaw in the point-to-point tunneling protocol (PPTP) in both
Windows 2000 and Windows XP could leave corporate intranets vulnerable to
attack, German security firm Phion Information Technologies warned Thursday.

Phion said it had contacted Microsoft about the vulnerability before issuing
its security advisory Thursday morning. Microsoft has not confirmed the
flaw.

PPTP builds virtual private networks (VPNs) by tunneling PPP sessions between
two Internet hosts; in Windows the tunnel is paired with authentication
(MS-CHAP) and encryption (MPPE). Phion claimed that the PPTP Service shipping
with Windows 2000 and Windows XP contains a remotely exploitable
pre-authentication buffer overflow: a specially crafted PPTP control packet,
sent before any credentials are checked, can overwrite kernel memory.

Phion said it had verified a denial-of-service lockup on both Windows 2000
SP3 and Windows XP, and noted that a remote compromise should be possible
with suitable shellcode. Clients are exposed as well as servers, it said,
because the service listens on TCP port 1723 on every interface of the
machine whenever it is running. That makes the flaw of special concern to
DSL users whose modems are reached over a PPTP connection.

On the client side, Phion suggested blocking inbound TCP port 1723 with the
Internet Connection Firewall in Windows XP. It offered no server-side
workaround, since a PPTP server must accept connections on that port.
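The practical check a reader of this advisory wants is whether a given host still answers on TCP port 1723 once the firewall rule is in place. The following script is an added example written for this page, not code from Phion or Microsoft: it builds a well-formed Start-Control-Connection-Request (SCCRQ) as laid out in RFC 2637 and parses the Start-Control-Connection-Reply (SCCRP) a PPTP server returns, so it reports exposure without sending any malformed data. The host name and vendor strings, the `probe_pptp` helper and the constructed sample reply are all assumptions of the example.

```python
"""Check whether a host exposes the PPTP control channel (TCP 1723).

Added example for the advisory above; not the vendor's code. It speaks the
RFC 2637 control protocol only far enough to tell a listening PPTP server
from a closed or filtered port. Nothing here is malformed or oversized.
"""
import socket
import struct
import sys

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D    # fixed value in every control message
CTRL_MESSAGE = 1             # PPTP Message Type: control (2 = management)
SCCRQ, SCCRP = 1, 2          # Control Message Type values
PROTOCOL_VERSION = 0x0100
SCC_LEN = 156                # SCCRQ and SCCRP are both 156 octets

# Common 12-octet header: Length, Message Type, Magic Cookie, Control Type, Reserved0
_HDR = "!HHIHH"
# SCCRQ body: Version, Reserved1, Framing Cap, Bearer Cap, Max Channels,
#             Firmware Revision, Host Name[64], Vendor[64]
_SCCRQ_BODY = "!HHIIHH64s64s"
# SCCRP body: Version, Result Code, Error Code, Framing Cap, Bearer Cap,
#             Max Channels, Firmware Revision, Host Name[64], Vendor[64]
_SCCRP_BODY = "!HBBIIHH64s64s"


def build_sccrq(hostname=b"pptp-probe", vendor=b"example"):
    """Return a valid 156-byte SCCRQ. Names are example values (assumed)."""
    header = struct.pack(_HDR, SCC_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0)
    # framing 1 = asynchronous, bearer 1 = analog, one channel, firmware 0
    body = struct.pack(_SCCRQ_BODY, PROTOCOL_VERSION, 0, 1, 1, 1, 0, hostname, vendor)
    return header + body


def parse_sccrp(data):
    """Validate and decode an SCCRP; raise ValueError on anything else."""
    if len(data) < SCC_LEN:
        raise ValueError("short reply (%d bytes)" % len(data))
    length, mtype, magic, ctype, _ = struct.unpack(_HDR, data[:12])
    if magic != MAGIC_COOKIE:
        raise ValueError("bad magic cookie 0x%08x" % magic)
    if mtype != CTRL_MESSAGE or ctype != SCCRP or length != SCC_LEN:
        raise ValueError("not an SCCRP (type %d/%d, len %d)" % (mtype, ctype, length))
    (version, result, error, framing, bearer,
     max_chan, firmware, host, vendor) = struct.unpack(_SCCRP_BODY, data[12:SCC_LEN])
    return {
        "version": version,
        "result_code": result,     # 1 = channel established, 2+ = refused
        "error_code": error,
        "framing_caps": framing,
        "bearer_caps": bearer,
        "max_channels": max_chan,
        "firmware": firmware,
        "hostname": host.rstrip(b"\x00").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\x00").decode("ascii", "replace"),
    }


def probe_pptp(host, port=PPTP_PORT, timeout=3.0):
    """Return the parsed SCCRP if `host` runs a PPTP server, else None.

    None covers a closed or filtered port (what a correct firewall rule
    should produce) as well as a peer that answers with something other
    than a valid SCCRP.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(build_sccrq())
            data = b""
            while len(data) < SCC_LEN:
                chunk = sock.recv(SCC_LEN - len(data))
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    try:
        return parse_sccrp(data)
    except ValueError:
        return None


# Constructed sample reply (not a real capture): a server accepting the
# control connection with Result Code 1 and 64 channels. Example values.
SAMPLE_SCCRP = (
    struct.pack(_HDR, SCC_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0)
    + struct.pack(_SCCRP_BODY, PROTOCOL_VERSION, 1, 0, 1, 1, 64, 0, b"vpn-gw", b"example")
)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    reply = probe_pptp(target)
    if reply is None:
        print("%s: no PPTP control channel reachable on %d" % (target, PPTP_PORT))
    else:
        print("%s: PPTP server answered, result=%d host=%r vendor=%r"
              % (target, reply["result_code"], reply["hostname"], reply["vendor"]))
```

Run it against each interface address of a Windows client after adding the firewall rule; a result of `None` (port closed or filtered) is the outcome the advisory's workaround aims for. A host that still returns an SCCRP is still reachable by the pre-authentication packet described above, since the SCCRQ/SCCRP exchange happens before any PPP authentication. The tunneled data travels separately over GRE (IP protocol 47), but the flaw the advisory describes is in the control channel on port 1723.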
