GEN:SID 1:2126
Message MISC Microsoft PPTP Start Control Request buffer overflow attempt
Summary This event is generated when a remote attacker attempts to overflow Microsoft's
PPTP RAS service.  
Impact Administrative Compromise.  This attack may permit executation of arbitrary
commands with the privileges of the NT SYSTEM account.
Detailed Information A buffer overflow exists when a malformed SCR (Start Control Request) PPTP
packet is received by the PPTP RAS service.  This may permit executation of
arbitrary commands with the privileges of root.
Affected Systems Windows 2000 Professional
Windows 2000 Server
Windows 2000 Advanced Server
Attack Scenarios Exploit code can be used to attack vulnerable PPTP RAS services to obtain
SYSTEM level access to the remote host.
Ease of Attack Difficult.  Currently Sourcefire is unaware of any publicly available
exploits for this vulnerability.
Corrective Action Microsoft as released the following patches to correct the problem:

Microsoft Windows 2000 Professional SP3:

    Microsoft Patch Q329834
    http://www.microsoft.com/windows2000/downloads/critical/q329834/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D43606%26redirect%3Dno

Microsoft Windows 2000 Server SP3:

    Microsoft Patch Q329834
    http://www.microsoft.com/windows2000/downloads/critical/q329834/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D43606%26redirect%3Dno

Microsoft Windows 2000 Advanced Server SP3:

    Microsoft Patch Q329834
    http://www.microsoft.com/windows2000/downloads/critical/q329834/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D43606%26redirect%3Dno

Microsoft Windows 2000 Terminal Services SP3:

    Microsoft Patch Q329834
    http://www.microsoft.com/windows2000/downloads/critical/q329834/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D43606%26redirect%3Dno

Microsoft Windows 2000 Advanced Server SP2:

    Microsoft Patch Q329834
    http://www.microsoft.com/windows2000/downloads/critical/q329834/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D43606%26redirect%3Dno

Microsoft Windows 2000 Professional SP2:

    Microsoft Patch Q329834
    http://www.microsoft.com/windows2000/downloads/critical/q329834/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D43606%26redirect%3Dno

Microsoft Windows 2000 Server SP2:

    Microsoft Patch Q329834
    http://www.microsoft.com/windows2000/downloads/critical/q329834/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D43606%26redirect%3Dno

Microsoft Windows 2000 Terminal Services SP2:

    Microsoft Patch Q329834
    http://www.microsoft.com/windows2000/downloads/critical/q329834/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D43606%26redirect%3Dno

Microsoft Windows XP Home SP1:

    Microsoft Patch Q329834
    http://download.microsoft.com/download/whistler/Patch/Q329834/WXP/EN-US/Q329834_WXP_SP2_x86_ENU.exe

Microsoft Windows XP Professional SP1:

    Microsoft Patch Q329834
    http://download.microsoft.com/download/whistler/Patch/Q329834/WXP/EN-US/Q329834_WXP_SP2_x86_ENU.exe

Microsoft Windows XP 64-bit Edition SP1:

    Microsoft Patch Q329834
    http://download.microsoft.com/download/whistler/Patch/Q329834/W64XP/EN-US/Q329834_WXP_SP2_ia64_ENU.exe
Additional References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1214
http://www.securityfocus.com/bid/5807

Rule References bugtraq: 5807
cve: 2002-1214