CVE-2003-0213
published 2003-05-12


Priority: high (P349)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 71.03% (99.3rd percentile)
ctrlpacket.c in PoPToP PPTP server before 1.1.4-b3 allows remote attackers to cause a denial of service via a length field of 0 or 1, which causes a negative value to be fed into a read operation, leading to a buffer overflow.

Affected

7 ranges

Vendor | Product | Version range | Fixed in
debian | pptpd | < pptpd 1.1.4-0.b3.2 (bookworm) | pptpd 1.1.4-0.b3.2 (bookworm)
poptop | pptp_server | (six ranges; version bounds not captured) |

Detection & IOCs (extracted from sources)

port: 1723
command: PPTP ECHO_RQST packet with header length field set to 1 (ntohs(1)) to trigger negative read
path: ctrlpacket.c
url: http://securityfocus.com/archive/1/317995
bytes: \x1a\x2b\x3c\x4d (PPTP magic cookie)
  • Detect PPTP control connection packets (port 1723/TCP) where the PPTP length field in the header is set to 0 or 1, which is anomalous and triggers the negative read overflow in ctrlpacket.c.
  • Alert on PPTP ECHO_RQST (ctrl_type=5) packets on TCP/1723 where the declared packet length field is 1 (ntohs value), as this is the specific trigger used by all known exploits for this CVE.
  • Fingerprint vulnerable PoPToP servers by sending a valid START_CTRL_CONN_RQST (length=156) and checking if the response banner contains the string 'MoretonBay', which indicates a vulnerable version.
  • Monitor for PPTP packets on TCP/1723 containing the magic cookie 0x1a2b3c4d followed by an anomalously small length field (0 or 1) in the PPTP header, indicating an exploitation attempt.
  • Brute-force exploitation attempts will generate many rapid sequential TCP connections to port 1723, each sending an ECHO_RQST with length=1 followed by a large payload buffer (~500 bytes of NOP sled + shellcode + return addresses).
  • The Metasploit exploit uses brute-force RET address scanning between 0xbffff000 and 0xbffffa00 with step 0, meaning detection based on a single connection attempt may miss the attack; monitoring for repeated connections is necessary.
  • The exploit author notes that Poptop version detection is not reliable, so version-based blocking alone is insufficient; traffic-level detection on the malformed length field is required.
  • The vulnerable server by default allows only 4 concurrent manager processes, limiting the maximum number of simultaneous shells an attacker can obtain, but this does not prevent exploitation.
  • The shellcode in exploit EDB-19 embeds the attacker's IP and port directly in the payload bytes (at fixed offsets), meaning the shellcode bytes will vary per attacker; byte-signature detection should focus on the invariant NOP sled and syscall sequences rather than the full shellcode.
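A header-level check for the malformed length field the detection notes above describe, written in Python as an added example (not from the source page or from the PoPToP/pptpd project). The 12-byte control header layout follows RFC 2637; the sample packets are constructed for the test, not captured traffic.

```python
"""Flag PPTP control-connection headers whose length field is 0 or 1 (CVE-2003-0213)."""
import struct

PPTP_MAGIC_COOKIE = 0x1A2B3C4D   # \x1a\x2b\x3c\x4d, present in every control message
PPTP_CONTROL_MESSAGE = 1         # PPTP message type for control messages
HEADER_LEN = 12                  # length(2) type(2) cookie(4) ctrl_type(2) reserved(2)
CTRL_TYPE_NAMES = {1: "START_CTRL_CONN_RQST", 2: "START_CTRL_CONN_RPLY",
                   5: "ECHO_RQST", 6: "ECHO_RPLY"}


def inspect_pptp_control(data: bytes) -> dict:
    """Parse one control message header and return its fields plus findings.

    The server derives the size of its follow-up read from the length field;
    a value of 0 or 1 makes that size negative, which is the CVE trigger.
    Only the 12-byte header is needed to spot it on the wire.
    """
    result = {"findings": []}
    if len(data) < HEADER_LEN:
        result["findings"].append("truncated header (%d bytes)" % len(data))
        return result
    length, msg_type, cookie, ctrl_type, _reserved = struct.unpack("!HHIHH", data[:HEADER_LEN])
    result.update(length=length, msg_type=msg_type, cookie=cookie,
                  ctrl_type=CTRL_TYPE_NAMES.get(ctrl_type, "ctrl_type=%d" % ctrl_type))
    if cookie != PPTP_MAGIC_COOKIE:
        result["findings"].append("bad magic cookie 0x%08x" % cookie)
    if msg_type != PPTP_CONTROL_MESSAGE:
        result["findings"].append("non-control message type %d" % msg_type)
    if length in (0, 1):
        result["findings"].append("CVE-2003-0213 trigger: length field %d" % length)
    elif length < HEADER_LEN:
        result["findings"].append("length field %d shorter than header" % length)
    elif length > len(data):
        result["findings"].append("length field %d exceeds captured %d bytes" % (length, len(data)))
    return result


def build_header(length: int, ctrl_type: int) -> bytes:
    """Constructed sample header (not captured traffic) for exercising the inspector."""
    return struct.pack("!HHIHH", length, PPTP_CONTROL_MESSAGE, PPTP_MAGIC_COOKIE, ctrl_type, 0)


# Constructed samples: a well-formed 156-byte START_CTRL_CONN_RQST (header padded
# with zeros) and an ECHO_RQST whose declared length is 1, the anomaly the
# detection notes above describe.
GOOD_START = build_header(156, 1) + bytes(156 - HEADER_LEN)
BAD_ECHO = build_header(1, 5)

if __name__ == "__main__":
    for name, pkt in (("good start", GOOD_START), ("bad echo", BAD_ECHO)):
        print(name, inspect_pptp_control(pkt)["findings"])
```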

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv | | 7.5 | HIGH |
vendor_debian | | 7.5 | HIGH |