Possible DOS in WinNT RAS (PPTP)
Simon Helson ([email protected])
Tue, 27 Apr 1999 09:29:06 -0700
Please excuse if this has been posted before; I did a quick search of the
archives and found nothing.
This hasn't been sent to MS, as I don't know an email address to send it
to, Aleph, if you find it worthy of sending, please forward a copy to the
MS people for their attention. Cheers.
I was playing around with PPTP last night, and discovered that, with "very"
minimal effort, I could cause my friend's NT Server (version 4, service pack
4) to reboot instantly, without shutting down. All I did was telnet to the
port (1723) on the NT box, and then send the following data.
hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
hhhhhhhhhhhhhhhhhhhhhhhhhhhh (that's 256 'h's for those who don't want to
count :-)
and hit return. Nothing. BUT, then I hit ^D and all hell broke loose. The
NT server dropped like a stone, full hardware reboot.
I tested this multiple times and always got the same response.
The NT Server was version 4, with Service pack 4 applied.
Cheers
Simon
------------------------------------------------------------------------------
Date: Tue, 27 Apr 1999 20:55:50 -0700
From: Simon Helson <[email protected]>
To: [email protected]
Subject: RE Possible DOS in WinNT RAS (PPTP)
Hello again.
Please excuse the lack of detail in my first posting. I was trying to
recollect the events of the past evening.
Unfortunately I don't have unlimited access to an NT server to play with.
However, I have tried this again (on the same server) this time over the
internet as opposed to a LAN. (trying to remove the NIC from the equation.)
Firstly, the NT setup:
NT Server Version 4, with Service Pack 4.0 applied.
(outside US version - only 40 bit)
PPTP added as a network device
Number of VPNs available - 2
then RAS service started.
The attack box setup:
RedHat Linux 5.2 running kernel 2.2.1
modem connection to the net
The procedure I followed:
[root@blobby /root]# telnet <removed for privacy> 1723
Trying <removed for privacy>...
Connected to <removed for privacy>.
Escape character is '^]'
hhhhhhhhhhhhhhh<type 256 times>
^d (not shown in output)
^]
telnet> close
Connection closed.
The instant I hit ^d his server rebooted. AFAIK there is nothing special in
the setup of the NT server.
I hope this clears up the picture.
Cheers
Simon
------------------------------------------------------------------------------
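The procedure above sends a run of 256 ASCII 'h' bytes to TCP port 1723, where the PPTP server expects a control message with a fixed 12-octet header (RFC 2637: Length, PPTP Message Type, Magic Cookie 0x1A2B3C4D, Control Message Type, Reserved). The defensive point is that a receiver must validate that framing before trusting the length field or dispatching on the message type. The following is an added example, not code from the thread or from Microsoft's RAS; the function and class names (parse_control_header, build_sccrq, classify, PptpFramingError) are the example's own, and the sample inputs are constructed, with the junk input modelled on the 256 'h' bytes described in the report.

```python
# Added example: a defensive parser for the PPTP control-connection header
# (RFC 2637), showing how a receiver rejects garbage on TCP 1723 before any
# message-specific parsing. Not code from the original thread; inputs below
# are constructed.
import struct

PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_HEADER_LEN = 12        # Length(2) + MsgType(2) + Cookie(4) + CtrlType(2) + Reserved0(2)
PPTP_MAX_MESSAGE_LEN = 220  # largest control message in RFC 2637 (Incoming-Call-Request)

# Control message types from RFC 2637 section 2 (names as in the RFC)
CONTROL_MESSAGE_TYPES = {
    1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request", 4: "Stop-Control-Connection-Reply",
    5: "Echo-Request", 6: "Echo-Reply",
    7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply",
    9: "Incoming-Call-Request", 10: "Incoming-Call-Reply", 11: "Incoming-Call-Connected",
    12: "Call-Clear-Request", 13: "Call-Disconnect-Notify",
    14: "WAN-Error-Notify", 15: "Set-Link-Info",
}


class PptpFramingError(ValueError):
    """Raised when bytes on the control connection are not a valid PPTP control message."""


def parse_control_header(data: bytes) -> dict:
    """Validate the 12-octet PPTP control header and return its fields.

    Each check is one a receiver must make before trusting the length field or
    dispatching on the message type; a run of ASCII 'h' fails the cookie check.
    """
    if len(data) < PPTP_HEADER_LEN:
        raise PptpFramingError(f"short read: {len(data)} bytes, need {PPTP_HEADER_LEN}")
    length, msg_type, cookie, ctrl_type, _reserved0 = struct.unpack("!HHIHH", data[:PPTP_HEADER_LEN])
    if cookie != PPTP_MAGIC_COOKIE:
        raise PptpFramingError(f"bad magic cookie 0x{cookie:08X}")
    if msg_type not in (1, 2):  # 1 = control message, 2 = management message
        raise PptpFramingError(f"unknown PPTP message type {msg_type}")
    if length < PPTP_HEADER_LEN or length > PPTP_MAX_MESSAGE_LEN:
        raise PptpFramingError(f"implausible length field {length}")
    if length > len(data):
        raise PptpFramingError(f"length field {length} exceeds available data {len(data)}")
    if msg_type == 1 and ctrl_type not in CONTROL_MESSAGE_TYPES:
        raise PptpFramingError(f"unknown control message type {ctrl_type}")
    return {
        "length": length,
        "message_type": msg_type,
        "control_type": CONTROL_MESSAGE_TYPES.get(ctrl_type, ctrl_type),
        "body": data[PPTP_HEADER_LEN:length],
    }


def build_sccrq(hostname: bytes = b"pptp-client", vendor: bytes = b"example") -> bytes:
    """Build a well-formed Start-Control-Connection-Request (156 octets) as a positive test input."""
    # Protocol Version 1.0, Reserved1, Framing Caps (async), Bearer Caps (analog),
    # Maximum Channels 1, Firmware Revision 0
    body = struct.pack("!HHIIHH", 0x0100, 0, 1, 1, 1, 0)
    body += hostname.ljust(64, b"\x00") + vendor.ljust(64, b"\x00")
    header = struct.pack("!HHIHH", PPTP_HEADER_LEN + len(body), 1, PPTP_MAGIC_COOKIE, 1, 0)
    return header + body


def classify(data: bytes) -> str:
    """Return 'valid:<type>' or 'malformed:<reason>', suitable as a log or alert field."""
    try:
        header = parse_control_header(data)
        return f"valid:{header['control_type']}"
    except PptpFramingError as exc:
        return f"malformed:{exc}"


# Constructed inputs: a proper SCCRQ, and the junk modelled on the thread's 256 'h' bytes plus a newline
GOOD_SCCRQ = build_sccrq()
JUNK_256H = b"h" * 256 + b"\r\n"

if __name__ == "__main__":
    print(classify(GOOD_SCCRQ))
    print(classify(JUNK_256H))
    print(classify(GOOD_SCCRQ[:100]))  # truncated message: length field exceeds data
```

Run as a script it prints the classification of each constructed input. The same classify() result, emitted as a log field by a monitoring hook in front of the control port, is a practical detection for non-PPTP traffic arriving on 1723, which is what the report's telnet session looks like on the wire.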
Date: Tue, 27 Apr 1999 10:55:52 -0700
From: Aleph One <[email protected]>
To: [email protected]
Subject: Re: Possible DOS in WinNT RAS (PPTP)
Summary of this thread.
Didn't work:
NT 4.0 SP4, RRAS - Chris Alliey <[email protected]>
NT 4.0 Server SP3, 128-bit, no RAS - Russ <[email protected]>
NT 4.0 Server SP3, PPTP3-fix, no RAS 128-bit - Russ <[email protected]>
NT 4.0 Server SP4, 128-bit, no RAS - Russ <[email protected]>
NT 4.0 Server SP4 - Lewman, Andrew <[email protected]>
NT 4.0 Server Enterprise, SP4 - Lewman, Andrew <[email protected]>
Yes:
NT 4.0 SP4, Option Pack - Huang Min <[email protected]>
NT 4.0 Server, SP4, 40-bit, RAS - Simon Helson <[email protected]>
Hardware or device driver error, or maybe an issue with RAS but not RRAS?
--
Aleph One / [email protected]
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
------------------------------------------------------------------------------
Date: Wed, 28 Apr 1999 12:46:02 -0700
From: Aleph One <[email protected]>
To: [email protected]
Subject: Re: Possible DOS in WinNT RAS (PPTP)
Some more feedback from folks. It seems that there is indeed an issue
here but reproducing it is difficult.
Please if you are going to send a report on this issue please make sure
you include Service Pack level, whether you are using RAS or RRAS,
whether you are using 40-bit or 128-bit, whether the machine froze, BSOD,
or rebooted, and what network card you are using.
WORKED:
Paul M. Hirsch <[email protected]>:
* NT 4.0, SP3, RAS, PPTP
* Proliant PPro 200
* Netelligent 10/100 ethernet
* Compaq Fibre array
Martin Rex <[email protected]>:
* NT 4.0, SP3, 40-bit, PPTP, RAS
* BSOD: STOP 0x0000000A in RASPPTPE.sys
Ronny Cook <[email protected]>:
* NT 4.0, SP4, RAS, PPTP
* RAS & PPTP installed after SP4
* The problem disappeared when SP4 was reinstalled as per
Microsoft's instructions.
Emmanuel Tychon <[email protected]>:
* NT 4.0, SP3
* Machine freezes (dead mouse)
Greg <[email protected]>:
* NT 4.0
Didn't work:
"Chad D. Lingmann" <[email protected]>:
* RRAS
From Andrew Lewman <[email protected]>:
RedHat 5.2 with all patches against:
NT Server 1 has RRAS, SP4, NT Enterprise, Option Pack 4, PPTP w/96 VPNs (23
active at the time), Compaq Netelligent 10/100 running at 100 Mbits Full
Duplex, with drivers from latest SSD
NT Server 2 has RAS, SP4, NT Enterprise, PPTP w/ 96 VPNs (45 active at the
time), 3Com 3C905b 10/100 running at 100 Mbits full duplex with latest
standard NT4 SP4 driver installed.
NT Server 3 has RRAS, SP4, NT Server, Option Pack 4, PPTP w/20 VPNs (none
active), Compaq Netflex-3 10/100 running at 100 Mbits full duplex with
drivers from latest SSD.
I tried 256 through 2,560 "h"'s in intervals of 100 h's, Ctrl-D for
each interval of h's. Nothing. Very temporary spike in process usage for
the processes associated with RAS, went away instantly.
Errata:
Russ actually said he was using RAS, not RRAS. Mea culpa.
--
Aleph One / [email protected]
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01