PoPToP PPTP Negative Read Overflow

2003-04-09T12:00:00
ID OSVDB:3293
Type osvdb
Reporter Timo Sirainen
Modified 2003-04-09T12:00:00

Description

Vulnerability Description

The PoPToP PPTP Server contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered when the server receives a malicious packet with the length field set to either zero or one. This causes a read operation to use a negative value, allowing sensitive memory regions to be overwritten with user-supplied data. It is possible that the flaw may allow arbitrary code execution on the Linux platform, resulting in a loss of integrity or availability.
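The length handling described above, as an added illustration of the bug class (this is not PoPToP's source code). It assumes the length field is a 16-bit big-endian value that counts its own two bytes; `LEN_FIELD_SIZE`, `MAX_PACKET` and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LEN_FIELD_SIZE 2    /* assumption: bytes already consumed to obtain the length */
#define MAX_PACKET     256  /* assumption: capacity of the receive buffer */

/* Decode the big-endian 16-bit length field from the first two header bytes. */
static uint16_t decode_length(const unsigned char *hdr)
{
    return (uint16_t)((hdr[0] << 8) | hdr[1]);
}

/* Unchecked pattern: the remaining count is a plain subtraction whose result
 * is later passed as the size_t count of a read() call. */
static size_t remaining_unchecked(uint16_t length)
{
    int remaining = (int)length - LEN_FIELD_SIZE; /* -2 or -1 for length 0 or 1 */
    return (size_t)remaining;                     /* wraps to a huge unsigned count */
}

/* Hardened pattern: reject lengths smaller than the bytes already read or
 * larger than the buffer before subtracting. Returns 0 if ok, -1 to reject. */
static int remaining_checked(uint16_t length, size_t *out)
{
    if (length < LEN_FIELD_SIZE || length > MAX_PACKET)
        return -1;
    *out = (size_t)length - LEN_FIELD_SIZE;
    return 0;
}

int main(void)
{
    /* Constructed sample headers: length 0, 1, 2, 156 and 257. */
    const unsigned char samples[][2] = {
        {0x00, 0x00}, {0x00, 0x01}, {0x00, 0x02}, {0x00, 0x9c}, {0x01, 0x01}
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint16_t len = decode_length(samples[i]);
        size_t n = 0;
        int ok = remaining_checked(len, &n);
        printf("length=%u unchecked=%zu checked=%s\n", (unsigned)len,
               remaining_unchecked(len), ok == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```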

Solution Description

Upgrade to at least version 1.1.4-b3 for users of the 1.1.4 tree and version 1.1.3-20030409 for users of the 1.1.3 tree. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.poptop.org/
Vendor Specific Advisory URL
Nessus Plugin ID: 11540
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-04/0144.html
Generic Exploit URL: http://packetstorm.linuxsecurity.com/0304-exploits/poptop-sane.c
CVE-2003-0213
Bugtraq ID: 7316