
CERT Coordination Center

PopTop PPTP Server contains buffer overflow in "ctrlpacket.c"

Vulnerability Note VU#673993

Original Release Date: 2003-04-29 | Last Revised: 2003-05-01

Overview

There is a remotely exploitable buffer overflow in PopTop. An exploit for this vulnerability exists and is publicly available.

Description

From the PopTop web site:

PopToP is the PPTP server solution for Linux (ports exist for Solaris 2.6, OpenBSD and FreeBSD and others).

A buffer overflow exists in ctrlpacket.c, the source file that handles the reading, formatting, and writing of PPTP control message packets. For further technical details, please see the original report.

Impact

A remote attacker may be able to crash the PPTP server or execute arbitrary code with the privileges of the PopTop server.

Solution

Upgrade to the latest version of PopTop.

Vendor Information


Debian

Notified:  April 29, 2003 Updated:  May 01, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see http://www.debian.org/security/2003/dsa-295.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Gentoo Linux

Updated:  April 29, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200304-08
- - - ---------------------------------------------------------------------

PACKAGE : pptpd
SUMMARY : buffer overflow

DATE : 2003-04-28 09:22 UTC
EXPLOIT : remote

VERSIONS AFFECTED : <pptpd-1.1.3.20030429
FIXED VERSION : >=pptpd-1.1.3.20030429

CVE : CAN-2003-0213

- - - ---------------------------------------------------------------------

- - From advisory:

"PPTP packet header contains a 16-bit length which specifies the full size of
the packet:

bytes_this = read(clientFd, packet + bytes_ttl, 2 - bytes_ttl);
// ...
bytes_ttl += bytes_this;
// ...
length = htons(*(u_int16_t *) packet);
if (length > PPTP_MAX_CTRL_PCKT_SIZE) {
    // abort
}

Looks good so far, except:

bytes_this = read(clientFd, packet + bytes_ttl, length - bytes_ttl);

If the given length was 0 or 1, the "length - bytes_ttl" result is -1 or -2,
which means that it reads an unlimited amount of data from the client into
"packet", which is a buffer located on the stack.

The exploitability depends only on whether libc allows the size parameter to be
larger than SSIZE_MAX bytes. GLIBC does, Solaris and *BSD don't."

Read the full advisory at:
http://marc.theaimsgroup.com/?l=bugtraq&m=104994375011406&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-dialup/pptpd upgrade to pptpd-1.1.3.20030409 as follows:

emerge sync
emerge pptpd
emerge clean

- - - ---------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at
http://cvs.gentoo.org/~aliz
- - - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+rPLrfT7nyhUpoZMRAjKOAJ9Ztnuvpr6luyiBl+CD2PzlOHBKKgCfWlT+
A6YGzE9MLzvOleHHY9u1ivA=
=hi8d
-----END PGP SIGNATURE-----
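The length handling quoted in the Gentoo advisory above can be traced end to end in a few lines of C. What follows is an added example, not pptpd's code and not part of the advisory: it reproduces the signed subtraction that turns a length field of 0 or 1 into a read() size near SIZE_MAX, and puts a bounded check beside it that rejects such packets before any subtraction happens. The constants, function names and sample headers are this example's own; PPTP_MAX_CTRL_PCKT_SIZE reuses the name from the excerpt only as a placeholder bound, and the two-byte headers are constructed input.

```c
/*
 * Added example (not pptpd code): the length-underflow pattern from the
 * advisory, side by side with a hardened length check. Constants and
 * function names are this example's own; PPTP_MAX_CTRL_PCKT_SIZE is a
 * placeholder bound with the same role as pptpd's constant.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PPTP_MAX_CTRL_PCKT_SIZE 512  /* placeholder bound (assumption) */
#define PPTP_LEN_FIELD_SIZE     2    /* the 16-bit length field read first */

/* Decode the big-endian 16-bit length that begins every control packet. */
uint16_t ctrl_length_from_wire(const unsigned char hdr[2])
{
    return (uint16_t)((hdr[0] << 8) | hdr[1]);
}

/* The advisory's arithmetic, reproduced: once the two length bytes have
 * been consumed (bytes_ttl == 2), the code asks read() for
 * "length - bytes_ttl" bytes. With signed operands a length of 0 or 1
 * yields -2 or -1, and read()'s size_t parameter turns that into a value
 * near SIZE_MAX. The upper-bound check alone cannot catch this, because
 * 0 and 1 are well below PPTP_MAX_CTRL_PCKT_SIZE. */
size_t vulnerable_request_size(uint16_t length, int bytes_ttl)
{
    int want = (int)length - bytes_ttl;   /* -2 or -1 for length 0 or 1 */
    return (size_t)want;                  /* the conversion at the read() call */
}

/* Hardened variant: enforce a lower bound (the header already consumed),
 * the buffer bound, and a sanity check on bytes_ttl, all before doing the
 * subtraction in unsigned arithmetic. Returns 0 and sets *remaining on
 * success, -1 when the packet must be dropped. */
int checked_request_size(uint16_t length, size_t bytes_ttl, size_t bufsize,
                         size_t *remaining)
{
    if (length < PPTP_LEN_FIELD_SIZE)   /* rejects the 0 and 1 cases */
        return -1;
    if (length > bufsize)               /* the check pptpd already had */
        return -1;
    if (bytes_ttl > length)             /* never let the subtraction wrap */
        return -1;
    *remaining = (size_t)length - bytes_ttl;
    return 0;
}

int main(void)
{
    /* Constructed sample headers: a hostile length of 1 and a sane 156. */
    const unsigned char bad_hdr[2]  = { 0x00, 0x01 };
    const unsigned char good_hdr[2] = { 0x00, 0x9c };
    const unsigned char *hdrs[2] = { bad_hdr, good_hdr };

    for (int i = 0; i < 2; i++) {
        uint16_t len = ctrl_length_from_wire(hdrs[i]);
        size_t remaining = 0;
        int ok = checked_request_size(len, PPTP_LEN_FIELD_SIZE,
                                      PPTP_MAX_CTRL_PCKT_SIZE, &remaining);
        printf("length=%u  vulnerable read size=%zu  hardened: %s",
               len, vulnerable_request_size(len, PPTP_LEN_FIELD_SIZE),
               ok == 0 ? "accept" : "drop");
        if (ok == 0)
            printf(" (read %zu more bytes)", remaining);
        printf("\n");
    }
    return 0;
}
```

The point the advisory makes about SSIZE_MAX shows up here as the value returned by vulnerable_request_size(): on a libc that rejects requests above SSIZE_MAX the read() fails, on one that accepts them the client controls how far past the stack buffer the copy runs. The hardened check makes the libc behaviour irrelevant by never producing that size in the first place.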


PopTop

Updated:  April 29, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see http://sourceforge.net/mailarchive/forum.php?thread_id=1947395&forum_id=8250.


Red Hat Inc.

Notified:  April 29, 2003 Updated:  April 30, 2003

Status

  Not Vulnerable

Vendor Statement

Red Hat distributions do not include PopTop.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Conectiva

Notified:  April 29, 2003 Updated:  April 29, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Engarde

Notified:  April 29, 2003 Updated:  April 29, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Hewlett-Packard Company

Notified:  April 29, 2003 Updated:  April 29, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Ingrian Networks

Notified:  April 29, 2003 Updated:  April 29, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


MandrakeSoft

Notified:  April 29, 2003 Updated:  April 29, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


MontaVista Software

Notified:  April 29, 2003 Updated:  April 29, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Openwall GNU/*/Linux

Notified:  April 29, 2003 Updated:  April 29, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


SCO

Notified:  April 29, 2003 Updated:  April 29, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Sequent

Notified:  April 29, 2003 Updated:  April 29, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


SuSE Inc.

Notified:  April 29, 2003 Updated:  April 29, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Sun Microsystems Inc.

Notified:  April 29, 2003 Updated:  April 29, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Wirex

Notified:  April 29, 2003 Updated:  April 29, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.



CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

Acknowledgements

This vulnerability was discovered by Timo Sirainen.

This document was written by Ian A Finlay.

Other Information

CVE IDs: CVE-2003-0213
Severity Metric: 27.75
Date Public: 2003-04-09
Date First Published: 2003-04-29
Date Last Updated: 2003-05-01 13:53 UTC
Document Revision: 9

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.