CERT/CC Vulnerability Note VU#673993

Overview

There is a remotely exploitable buffer overflow in PopTop. An exploit for this vulnerability exists and is publicly available.

Description

From the PopTop web site:

PopToP is the PPTP server solution for Linux (ports exist for Solaris 2.6, OpenBSD and FreeBSD and others).
A buffer overflow exists in ctrlpacket.c, which is used to control message packet reading, formatting, and writing. For further technical details, please see the original report.

Impact

A remote attacker may be able to crash the PPTP server or execute arbitrary code with the privileges of the PopTop server.

Solution

Upgrade to the latest version of PopTop.

Vendor Information

673993

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Debian Affected

Notified: April 29, 2003 Updated: May 01, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see http://www.debian.org/security/2003/dsa-295.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Gentoo Linux Affected

Updated: April 29, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

- - - --------------------------------------------------------------------- GENTOO LINUX SECURITY ANNOUNCEMENT 200304-08 - - - ---------------------------------------------------------------------
PACKAGE : pptpd SUMMARY : buffer overflow
DATE : 2003-04-28 09:22 UTC EXPLOIT : remote
VERSIONS AFFECTED : <pptpd-1.1.3.20030429 FIXED VERSION : >=pptpd-1.1.3.20030429
CVE : CAN-2003-0213
- - - ---------------------------------------------------------------------
- - From advisory:
"PPTP packet header contain 16bit length which specifies the full size of the packet:
bytes_this = read(clientFd, packet + bytes_ttl, 2 - bytes_ttl); // ... bytes_ttl += bytes_this; // ... length = htons(*(u_int16_t *) packet); if (length > PPTP_MAX_CTRL_PCKT_SIZE) {
// abort }

Looks good so far, except:
bytes_this = read(clientFd, packet + bytes_ttl, length - bytes_ttl);
If given length was 0 or 1, the "length - bytes_ttl" result is -1 or -2, which means that it reads unlimited amount of data from client into "packet", which is a buffer located in stack.
The exploitability only depends on if libc allows the size parameter to be larger than SSIZE_MAX bytes. GLIBC does, Solaris and *BSD don't."
Read the full advisory at:http://marc.theaimsgroup.com/?l=bugtraq&m=104994375011406&w=2
SOLUTION
It is recommended that all Gentoo Linux users who are running net-dialup/pptpd upgrade to pptpd-1.1.3.20030409 as follows:
emerge sync emerge pptpd emerge clean
- - - --------------------------------------------------------------------- aliz@gentoo.org - GnuPG key is available athttp://cvs.gentoo.org/~aliz- - - --------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+rPLrfT7nyhUpoZMRAjKOAJ9Ztnuvpr6luyiBl+CD2PzlOHBKKgCfWlT+ A6YGzE9MLzvOleHHY9u1ivA= =hi8d -----END PGP SIGNATURE-----

If you have feedback, comments, or additional information about this vulnerability, please send us email.

PopTop Affected

Updated: April 29, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see http://sourceforge.net/mailarchive/forum.php?thread_id=1947395&forum_id=8250.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc. Not Affected

Notified: April 29, 2003 Updated: April 30, 2003

Status

Not Affected

Vendor Statement

Red Hat distributions do not include PopTop.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva Unknown

Notified: April 29, 2003 Updated: April 29, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Engarde Unknown

Notified: April 29, 2003 Updated: April 29, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company Unknown

Notified: April 29, 2003 Updated: April 29, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ingrian Networks Unknown

Notified: April 29, 2003 Updated: April 29, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft Unknown

Notified: April 29, 2003 Updated: April 29, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MontaVista Software Unknown

Notified: April 29, 2003 Updated: April 29, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux Unknown

Notified: April 29, 2003 Updated: April 29, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SCO Unknown

Notified: April 29, 2003 Updated: April 29, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sequent Unknown

Notified: April 29, 2003 Updated: April 29, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE Inc. Unknown

Notified: April 29, 2003 Updated: April 29, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc. Unknown

Notified: April 29, 2003 Updated: April 29, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wirex Unknown

Notified: April 29, 2003 Updated: April 29, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

View all 16 vendors View less vendors

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was discovered by Timo Sirainen.

This document was written by Ian A Finlay.

Other Information

CVE IDs:	CVE-2003-0213
Severity Metric:	27.75
Date Public:	2003-04-09
Date First Published:	2003-04-29
Date Last Updated:	2003-05-01 13:53 UTC
Document Revision:	9

Software Engineering Institute

CERT Coordination Center

PopTop PPTP Server contains buffer overflow in "ctrlpacket.c"

Vulnerability Note VU#673993

Overview

Description

Impact

Solution

Vendor Information

Debian Affected

Status

Vendor Statement

Vendor Information

Addendum

Gentoo Linux Affected

Status

Vendor Statement

Vendor Information

Addendum

PopTop Affected

Status

Vendor Statement

Vendor Information

Addendum

Red Hat Inc. Not Affected

Status

Vendor Statement

Vendor Information

Addendum

Conectiva Unknown

Status

Vendor Statement

Vendor Information

Addendum

Engarde Unknown

Status

Vendor Statement

Vendor Information

Addendum

Hewlett-Packard Company Unknown

Status

Vendor Statement

Vendor Information

Addendum

Ingrian Networks Unknown

Status

Vendor Statement

Vendor Information

Addendum

MandrakeSoft Unknown

Status

Vendor Statement

Vendor Information

Addendum

MontaVista Software Unknown

Status

Vendor Statement

Vendor Information

Addendum

Openwall GNU/*/Linux Unknown

Status

Vendor Statement

Vendor Information

Addendum

SCO Unknown

Status

Vendor Statement

Vendor Information

Addendum

Sequent Unknown

Status

Vendor Statement

Vendor Information

Addendum

SuSE Inc. Unknown

Status

Vendor Statement

Vendor Information

Addendum

Sun Microsystems Inc. Unknown