Vulnerabilities > CVE-2003-0213 - Remote Buffer Overflow vulnerability in PoPToP PPTP Negative read() Argument

047910
CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, low complexity, poptop, nessus, exploit available, metasploit

Summary

ctrlpacket.c in PoPToP PPTP server before 1.1.4-b3 allows remote attackers to cause a denial of service via a length field of 0 or 1, which causes a negative value to be fed into a read operation, leading to a buffer overflow.
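The summary describes a signed-arithmetic defect: a 16-bit length field of 0 or 1 has 2 subtracted from it and the negative result is passed to read(), whose count parameter is unsigned. The following C model, added here as an illustration rather than PoPToP's own ctrlpacket.c, shows the unsafe conversion beside a hardened length check wired into a small packet reader that runs over an in-memory byte stream. The buffer size, the minimum packet length, the stream helper and the constructed sample bytes are assumptions made for the example.

```c
/* Model of the length-handling defect behind CVE-2003-0213 and a hardened check.
 * Added example, not PoPToP's ctrlpacket.c: the buffer size, the minimum-length
 * constant, the stream helper and the sample bytes are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PPTP_MAX_CTRL_PCKT_SIZE 256  /* assumed size of the control-packet buffer */
#define PPTP_MIN_CTRL_PCKT_SIZE 12   /* assumed: length(2)+type(2)+cookie(4)+ctrl type(2)+reserved(2) */

/* Vulnerable pattern: the 16-bit length goes into a signed int, 2 is subtracted
 * for the bytes already consumed, and the result is handed to read(), whose
 * count parameter is size_t. A length of 0 or 1 yields -2 or -1, which becomes
 * a huge unsigned count, so read() may fill far past the packet buffer. */
size_t vulnerable_read_count(uint16_t length_field) {
    int length = length_field;
    int remaining = length - 2;
    return (size_t)remaining;   /* negative -> SIZE_MAX-1 or SIZE_MAX */
}

/* Hardened pattern: bound the length against the protocol minimum and the
 * buffer before any arithmetic. Returns -1 to reject, else bytes still to read. */
long hardened_read_count(uint16_t length_field) {
    if (length_field < PPTP_MIN_CTRL_PCKT_SIZE) return -1;
    if (length_field > PPTP_MAX_CTRL_PCKT_SIZE) return -1;
    return (long)length_field - 2;
}

/* In-memory stand-in for a socket so the reader runs offline. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } stream_t;

static size_t stream_read(stream_t *s, uint8_t *dst, size_t n) {
    size_t avail = s->len - s->pos;
    if (n > avail) n = avail;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Reads one control packet using the hardened check. Returns the packet
 * length on success, 0 on a short read, -1 when the length field is rejected. */
int read_ctrl_packet(stream_t *s, uint8_t *packet) {
    if (stream_read(s, packet, 2) != 2) return 0;
    uint16_t length = (uint16_t)((packet[0] << 8) | packet[1]);   /* big-endian */
    long remaining = hardened_read_count(length);
    if (remaining < 0) return -1;
    if (stream_read(s, packet + 2, (size_t)remaining) != (size_t)remaining) return 0;
    return (int)length;
}

/* Constructed sample: one well-formed 12-byte Start-Control-Connection-Request
 * header, then a packet whose length field is 0x0000 followed by filler. */
static const uint8_t sample_stream[] = {
    0x00, 0x0c, 0x00, 0x01, 0x1a, 0x2b, 0x3c, 0x4d, 0x00, 0x01, 0x00, 0x00,
    0x00, 0x00, 'A', 'A', 'A', 'A'
};

/* Parses the sample stream and returns the result of the nth packet read. */
int sample_packet_result(int nth) {
    uint8_t packet[PPTP_MAX_CTRL_PCKT_SIZE];
    stream_t s = { sample_stream, sizeof sample_stream, 0 };
    int r = 0;
    for (int i = 0; i <= nth; i++) r = read_ctrl_packet(&s, packet);
    return r;
}

int main(void) {
    printf("length 0 -> vulnerable read count %zu bytes into a %d-byte buffer\n",
           vulnerable_read_count(0), PPTP_MAX_CTRL_PCKT_SIZE);
    printf("first packet: %d (accepted length)\n", sample_packet_result(0));
    printf("second packet: %d (rejected: length field 0)\n", sample_packet_result(1));
    return 0;
}
```

The check rejects the length before it is used, which is the property the Nessus plugin below probes from the outside: a server that validates the field closes the connection without consuming the trailing data, while a server that feeds the negative count to read() keeps reading.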

Exploit-Db

  • description: Poptop < 1.1.3-b3 and 1.1.3-20030409 Negative Read Overflow. CVE-2003-0213. Remote exploit for linux platform
    id: EDB-ID:9952
    last seen: 2016-02-01
    modified: 2003-04-09
    published: 2003-04-09
    reporter: spoonm
    source: https://www.exploit-db.com/download/9952/
    title: Poptop < 1.1.3-b3 and 1.1.3-20030409 - Negative Read Overflow
  • description: PoPToP PPTP 1.0/1.1.x Negative read() Argument Remote Buffer Overflow Vulnerability. CVE-2003-0213. Remote exploit for linux platform
    id: EDB-ID:22479
    last seen: 2016-02-02
    modified: 2003-04-09
    published: 2003-04-09
    reporter: John Leach
    source: https://www.exploit-db.com/download/22479/
    title: PoPToP PPTP 1.0/1.1.x Negative read Argument Remote Buffer Overflow Vulnerability
  • description: Poptop Negative Read Overflow. CVE-2003-0213. Remote exploit for linux platform
    id: EDB-ID:16845
    last seen: 2016-02-02
    modified: 2010-11-23
    published: 2010-11-23
    reporter: metasploit
    source: https://www.exploit-db.com/download/16845/
    title: Poptop Negative Read Overflow
  • description: PoPToP PPTP <= 1.1.4-b3 Remote Root Exploit. CVE-2003-0213. Remote exploit for linux platform
    id: EDB-ID:16
    last seen: 2016-01-31
    modified: 2003-04-18
    published: 2003-04-18
    reporter: einstein
    source: https://www.exploit-db.com/download/16/
    title: PoPToP PPTP <= 1.1.4-b3 - Remote Root Exploit
  • description: PoPToP PPTP <= 1.1.4-b3 Remote Root Exploit (poptop-sane.c). CVE-2003-0213. Remote exploit for linux platform
    id: EDB-ID:19
    last seen: 2016-01-31
    modified: 2003-04-25
    published: 2003-04-25
    reporter: blightninjas
    source: https://www.exploit-db.com/download/19/
    title: PoPToP PPTP <= 1.1.4-b3 - Remote Root Exploit poptop-sane.c

Metasploit

description: This is an exploit for the Poptop negative read overflow. This will work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I currently do not have a good way to detect Poptop versions. The server will by default only allow 4 concurrent manager processes (what we run our code in), so you could have a max of 4 shells at once. Using the current method of exploitation, our socket will be closed before we have the ability to run code, preventing the use of Findsock.
id: MSF:EXPLOIT/LINUX/PPTP/POPTOP_NEGATIVE_READ
last seen: 2020-05-23
modified: 2017-07-24
published: 2007-01-28
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/pptp/poptop_negative_read.rb
title: Poptop Negative Read Overflow

Nessus

  • NASL family: Gain a shell remotely
    NASL id: POPTOP_NEGATIVE_READ.NASL
    description: The remote PPTP server has remote buffer overflow vulnerability. The problem occurs due to insufficient sanity checks when referencing user-supplied input used in various calculations. As a result, it may be possible for an attacker to trigger a condition where sensitive memory can be corrupted. Successful exploitation of this issue may allow an attacker to execute arbitrary code with the privileges of the affected server.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11540
    published: 2003-04-16
    reporter: This script is Copyright (C) 2003-2019 Xue Yong Zhi & Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11540
    title: PoPToP PPTP ctrlpacket.c Negative Read Remote Overflow
    code:
    #
    # This script was written by Xue Yong Zhi<[email protected]>
    #
    # See the Nessus Scripts License for details
    #

    # Changes by Tenable:
    # - Revised plugin title, changed family (8/19/09)


    include("compat.inc");

    if (description)
    {
      script_id(11540);
      script_version("1.24");

      script_cve_id("CVE-2003-0213");
      script_bugtraq_id(7316);
      script_xref(name:"SuSE", value:"SUSE-SA:2003:029");

      script_name(english:"PoPToP PPTP ctrlpacket.c Negative Read Remote Overflow");

      script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code may be run on the remote server." );
      script_set_attribute(attribute:"description", value:
    "The remote PPTP server has remote buffer overflow vulnerability.
    The problem occurs due to insufficient sanity checks when referencing
    user-supplied input used in various calculations. As a result, it may
    be possible for an attacker to trigger a condition where sensitive
    memory can be corrupted. Successful exploitation of this issue may
    allow an attacker to execute arbitrary code with the privileges of
    the affected server." );
      script_set_attribute(attribute:"solution", value:
    "The vendor has released updated releases of PPTP server that address
    this issue. Users are advised to upgrade as soon as possible." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Poptop Negative Read Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

      script_set_attribute(attribute:"plugin_publication_date", value: "2003/04/16");
      script_set_attribute(attribute:"vuln_publication_date", value: "2003/04/09");
      script_cvs_date("Date: 2019/03/06 18:38:55");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:poptop:pptp_server");
      script_end_attributes();

      script_summary(english:"Determine if a remote PPTP server has remote buffer overflow vulnerability");
      script_category(ACT_DESTRUCTIVE_ATTACK);
      script_family(english:"Gain a shell remotely");
      script_copyright(english:"This script is Copyright (C) 2003-2019 Xue Yong Zhi & Tenable Network Security, Inc.");
      script_dependencie("pptp_detect.nasl");
      script_require_ports("Services/pptp",1723);
      exit(0);
    }

    include("global_settings.inc");
    include("misc_func.inc");
    include("byte_func.inc");

    port = get_kb_item("Services/pptp");
    if ( !port) exit(0);

    set_byte_order(BYTE_ORDER_BIG_ENDIAN);

    # Start-Control-Connection-Request, field by field (big-endian)
    pptp_head = mkword(1) +                 # Message Type
                mkdword(0x1a2b3c4d) +       # Cookie
                mkword(1) +                 # Control type (Start-Control-Connection-Request)
                mkword(0) +                 # Reserved
                mkword(0x0100) +            # Protocol Version (1.0)
                mkword(0) +                 # Reserved
                mkdword(1) +                # Framing Capabilities
                mkdword(1) +                # Bearer capabilities
                mkword(0);                  # Maximum channels
    pptp_vendor = mkword(NASL_LEVEL) +      # Firmware revision
                  mkpad(64) +               # Hostname
                  mkpad(64);                # Vendor

    # Prepend the 16-bit total length (including the length field itself)
    buffer = mkword(strlen(pptp_head) + strlen(pptp_vendor) + 2) + pptp_head + pptp_vendor;

    # First exchange: confirm the service really speaks PPTP (cookie echoed back)
    soc = open_sock_tcp(port);
    if ( ! soc ) exit(0);
    send(socket:soc, data:buffer);
    r = recv(socket:soc, length:2);
    if ( ! r || strlen(r) != 2 ) exit(0);
    l = getword(blob:r, pos:0);
    r += recv(socket:soc, length:l - 2, min:l - 2);
    if ( strlen(r) != l ) exit(0);
    if ( strlen(r) < strlen(pptp_head) + strlen(pptp_vendor) ) exit(0);

    cookie = getdword(blob:r, pos:4);
    if ( cookie != 0x1a2b3c4d ) exit(0);


    # Second exchange: only probe servers that identify themselves as Linux
    soc = open_sock_tcp(port);
    if (soc)
    {
      send(socket:soc, data:buffer);
      rec_buffer = recv(socket:soc, length:156);
      close(soc);
      if ("linux" >< rec_buffer)
      {
        buffer =
          raw_string(0x00, 0x00) +          # Length = 0
          crap(length:1500, data:'A');      # Random data
        soc = open_sock_tcp(port);
        if (soc)
        {
          send(socket:soc, data:buffer);

          # Patched pptp server will return RST (will not read bad data),
          # unpatched will return FIN (read all the bad data and be overflowed).

          if ( defined_func("get_source_port") )
            filter = string("tcp and src host ", get_host_ip(), " and dst host ", compat::this_host(), " and src port ", port, " and dst port ", get_source_port(soc), " and tcp[13:1]&1!=0 " );
          else
            filter = string("tcp and src host ", get_host_ip(), " and dst host ", compat::this_host(), " and src port ", port, " and tcp[13:1]&1!=0 " );

          # Wait up to ~10 s for a FIN (tcp[13:1]&1) from the server
          for (i = 0; i < 5; i++) {
            r = pcap_next(pcap_filter:filter, timeout:2);
            if (r) { security_hole(port); exit(0); }
          }
        }
      }
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-295.NASL
    description: Timo Sirainen discovered a vulnerability in pptpd, a Point to Point Tunneling Server, which implements PPTP-over-IPSEC and is commonly used to create Virtual Private Networks (VPN). By specifying a small packet length an attacker is able to overflow a buffer and execute code under the user id that runs pptpd, probably root. An exploit for this problem is already circulating.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15132
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15132
    title: Debian DSA-295-1 : pptpd - buffer overflow
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-295. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15132);
      script_version("1.21");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      script_cve_id("CVE-2003-0213");
      script_bugtraq_id(7316);
      script_xref(name:"DSA", value:"295");
    
      script_name(english:"Debian DSA-295-1 : pptpd - buffer overflow");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Timo Sirainen discovered a vulnerability in pptpd, a Point to Point
    Tunneling Server, which implements PPTP-over-IPSEC and is commonly
    used to create Virtual Private Networks (VPN). By specifying a small
    packet length an attacker is able to overflow a buffer and execute
    code under the user id that runs pptpd, probably root. An exploit for
    this problem is already circulating."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2003/dsa-295"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the pptpd package immediately.
    
    For the stable distribution (woody) this problem has been fixed in
    version 1.1.2-1.4.
    
    For the old stable distribution (potato) this problem has been fixed
    in version 1.0.0-4.2."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Poptop Negative Read Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:pptpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/04/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/04/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"2.2", prefix:"pptpd", reference:"1.0.0-4.2")) flag++;
    if (deb_check(release:"3.0", prefix:"pptpd", reference:"1.1.2-1.4")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    

Packetstorm

data source: https://packetstormsecurity.com/files/download/82248/poptop_negative_read.rb.txt
id: PACKETSTORM:82248
last seen: 2016-12-05
published: 2009-10-27
reporter: spoonm
source: https://packetstormsecurity.com/files/82248/Poptop-Negative-Read-Overflow.html
title: Poptop Negative Read Overflow