OSVDB ID: 3293

Title: PoPToP PPTP ctrlpacket.c Negative Read Remote Overflow

Dates

Disclosure: Apr 09, 2003
Discovery: Unknown
Exploit: Apr 18, 2003
Solution: Unknown

Description

The PoPToP PPTP Server contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered when the server receives a malicious packet with the length field set to either zero or one. This causes a read operation to use a negative value, allowing sensitive memory regions to be overwritten with user-supplied data. It is possible that the flaw may allow arbitrary code execution on the Linux platform, resulting in a loss of integrity or availability.
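The bug class described above, shown as an added example (not PoPToP's ctrlpacket.c source): a length-prefixed reader that checks only an upper bound, beside a version that also enforces a lower bound. The 2-byte prefix counted in the total, the 256-byte buffer and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LEN_FIELD_SIZE 2    /* assumed: 16-bit length prefix, counted in the total */
#define MAX_PACKET     256  /* assumed receive-buffer size */

/* Decode the big-endian 16-bit length prefix already read from the socket. */
static uint16_t packet_length(const unsigned char *hdr)
{
    return (uint16_t)((hdr[0] << 8) | hdr[1]);
}

/* Flawed pattern: only the upper bound is checked. A length of 0 or 1 gives
 * -2 or -1, which wraps to a huge size_t when used as a read() count. */
size_t remaining_unchecked(const unsigned char *hdr)
{
    int length = packet_length(hdr);
    if (length > MAX_PACKET)
        return 0;                       /* oversize packet refused */
    return (size_t)(length - LEN_FIELD_SIZE);
}

/* Hardened pattern: refuse totals shorter than the prefix or larger than the
 * buffer before subtracting. Returns 0 and sets *remaining, or -1 to drop. */
int remaining_checked(const unsigned char *hdr, size_t *remaining)
{
    uint16_t length = packet_length(hdr);
    if (length < LEN_FIELD_SIZE || length > MAX_PACKET)
        return -1;
    *remaining = (size_t)(length - LEN_FIELD_SIZE);
    return 0;
}

int main(void)
{
    /* Constructed sample prefixes: lengths 0, 1, 2 and 256. */
    const unsigned char samples[4][2] = { {0, 0}, {0, 1}, {0, 2}, {1, 0} };
    for (int i = 0; i < 4; i++) {
        size_t safe = 0;
        int rc = remaining_checked(samples[i], &safe);
        printf("length=%u unchecked=%zu checked=%s\n",
               (unsigned)packet_length(samples[i]),
               remaining_unchecked(samples[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```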

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Exploit Public
Disclosure: OSVDB Verified, Vendor Verified

Solution

Upgrade to at least version 1.1.4-b3 for users of the 1.1.4 tree and version 1.1.3-20030409 for users of the 1.1.3 tree. An upgrade is required as there are no known workarounds.

Products

PoPToP

PPTP Server

1.0.1
1.1.2
1.1.3
1.1.4

References

Credit

  • Timo Sirainen - tssiki.fi -


Direct URL: http://osvdb.org/3293