Microsoft Security Bulletin MS01-009 - Critical

Malformed PPTP Packet Stream can Cause Kernel Exhaustion

Published: February 13, 2001 | Updated: June 23, 2003

Version: 1.5

Originally posted: February 13, 2001
Updated: June 23, 2003

Summary

Who should read this bulletin:
System administrators who provide PPTP services using Microsoft® Windows NT® 4.0.

Impact of vulnerability:
Denial of service

Recommendation:
Apply the patch to all PPTP servers.

Affected Software:

  • Microsoft Windows NT 4.0 Workstation

  • Microsoft Windows NT 4.0 Server

  • Microsoft Windows NT 4.0 Server, Enterprise Edition

  • Microsoft Windows NT 4.0 Server, Terminal Server Edition

    Note: The above products are only affected if PPTP services are installed and running on the machine.

General Information

Technical details

Technical description:

The PPTP service in Windows NT 4.0 has a flaw in a part of the code that handles a particular type of data packet, which results in a leak of kernel memory. If a sufficient number of packets containing a specific malformation were received by an affected server, kernel memory would eventually become exhausted. The likely outcome would be that the server would either hang or fail altogether. In either case, the machine would need to be rebooted to restore normal operation, and any PPTP sessions underway at the time would be lost. It would not be necessary for the attacker to establish a valid PPTP session in order to exploit the vulnerability.

Mitigating factors:

  • The vulnerability does not threaten the security of the data within PPTP sessions in any way - it is strictly a denial of service vulnerability.
  • The PPTP service does not run by default
  • Windows 2000 machines, even ones running PPTP, are not affected by this vulnerability.

Vulnerability identifier: CAN-2001-0017

Frequently asked questions

What's the scope of the vulnerability?
This is a denial of service vulnerability. By sending a huge number of specially malformed data packets to an affected server, an attacker could prevent the server from providing secure network sessions to users. The service at issue here is intended to be exposed to the Internet, so firewalling would not be a feasible defense against the vulnerability. The vulnerability would not enable the attacker to compromise any secure connections - it would only enable him to prevent them from occurring. Likewise, the vulnerability would not give the attacker any privileges on the machine. Only Windows NT 4.0 servers running the PPTP service are affected by the vulnerability.

What causes the vulnerability?
The implementation of the PPTP protocol in Windows NT 4.0 contains a memory leak in the part of the code that processes certain types of data packets. If a series of PPTP packets, each containing a particular malformation, were sent to an affected server, the server's resources could be depleted to the point where the server would fail.

What's PPTP?
PPTP (Point-to-point Tunneling Protocol) is a protocol that enables users to establish secure remote connections over insecure communications channels. PPTP is most commonly used to support traveling employees who need to connect to their company's network while they're on the road. Suppose Jane is a traveling employee, and needs to access resources on her company's network. Using PPTP, she would access the Internet via a local ISP, then connect to her company's PPTP server. The client and server exchange session information, then establish a secure connection. Once that's done, Jane would do whatever work she needed to do, within the secure session.

What's wrong with PPTP?
As the PPTP service establishes sessions, exchanges data, and ends sessions, it periodically needs resources from the operating system. When it's finished using those resources, it should, by design, return them to the operating system so they can be used by other processes. However, a flaw in the PPTP service prevents it, under certain conditions, from returning all the resources it uses. Specifically, if the service receives a particular type of invalid PPTP packet, it will request some memory but won't return it to the operating system when it's done. Each time the service receives such a packet, it depletes the available memory on the system. If enough packets of this type were received and processed, it could deplete the memory to the point where the machine might "hang", and simply become unresponsive, or might fail altogether.

What could an attacker do via this vulnerability?
If an attacker generated a large number of the packets at issue here and sent them to an affected server, he could cause the server to stop providing service. This would cause any existing PPTP sessions to be lost, and would prevent new connections until the machine was restored to normal service. The vulnerability would not enable the attacker to compromise the security of any PPTP sessions. Likewise, it wouldn't enable him to compromise any data on the server or the client, nor would it give him any form of administrative control over either machine.

If a machine were attacked via this vulnerability, what would need to be done to restore it to normal service?
The machine would need to be rebooted.

How difficult would it be to mount an attack via this vulnerability?
Although exploiting the vulnerability would not be technically difficult, there are some operational challenges for the attacker. It's not enough to simply send one malformed packet to an affected machine, or even several hundred. Each packet depletes memory on the system by only a small amount, so the attacker would need to send a very large number of packets and stay "on the air" for at least several minutes. During this time, it could be possible for the operator to take defensive measures like blocking packets from the attacker.

Could this vulnerability be exploited by an attacker on the Internet?
Yes. The flaw lies within the PPTP service which, to be useful, would need to be exposed to the Internet.

Would the attacker need to establish a PPTP session in order to exploit this vulnerability?
No. All he would need to do is direct a stream of specially malformed packets at an affected server.

Could the memory leak occur during normal use?
No. Normal PPTP sessions are extremely unlikely to generate packets with the particular malformation that's needed to cause the memory leak. In any event, it's not enough to simply generate one such packet - a stead stream of them would need to be generated and directed toward the server.

Are all Windows NT 4.0 servers at risk from this vulnerability?
No. Only servers running the PPTP service are at risk. The service does not run by default.

Are Windows NT 4.0 terminal servers at risk from this vulnerability?
Although it's possible to run the PPTP service on a terminal server, it would be extremely bad practice to do this. Terminal servers should never be used as network edge machines.

Are Windows NT 4.0 workstations at risk from this vulnerability?
PPTP can be installed on a Windows NT 4.0 workstations but, for reasons similar to those discussed regarding terminal servers, it would be very bad practice to allow a workstation to serve as a network edge machine.

Does the vulnerability affect Windows 2000 PPTP servers?
No. The Windows 2000 PPTP service is not affected by this vulnerability.

Who should apply the patch?
Microsoft recommends that customers using Windows NT 4.0 to provide PPTP services apply the patch.

What does the patch do?
The patch causes the PPTP service to correctly return memory to the operating system when it's done using it. This prevents the resource leak that resulted in the system failure. However, it's important to understand that flooding attacks might still be possible even after applying the patch. In a typical attack via this vulnerability, the attacker would direct a huge number of malformed packets at the server. After the patch is applied, the server will correctly handle the packets by examining them and rejecting them. However, it does take system resources to do this, and as a result, if such an attack were mounted against a patched system, it's possible that CPU availability could sag while the packets were incoming. This is strictly a result of the traffic volume, though, and CPU availability would resume as soon as the packet stream stopped.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

The patch can be installed on systems running Windows NT 4.0 Service Pack 6a.

Inclusion in future service packs:

The fix for this issue will be included in Windows NT 4.0 Service Pack 7.

Verifying patch installation:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q283001.

  • To verify the individual files, consult the file manifest in Knowledge Base article Q283001

Caveats:

None

Localization:

Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches are also available from the WindowsUpdate web site.

Other information:

Acknowledgments

Microsoft thanks Kirk Corey of Diversified Software Industries, Inc. for reporting this issue to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article Q283001 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (February 13, 2001): Bulletin Created.
  • V1.1 (February 14, 2001): Patch removed due to trouble reports.
  • V1.2 (February 15, 2001): Patch restored after verifying correct functionality.
  • V1.3 (February 20, 2001): Bulletin modified to note that PPTP can be installed on Windows NT 4.0 workstations.
  • V1.4 (April 26, 2002): Bulletin updated to advise availability of Windows NT 4.0 Server, Terminal Server Edition Security Rollup Package.
  • V1.5 (June 23, 2003): Updated download links to Windows Update.

Built at 2014-04-18T13:49:36Z-07:00