A possible flaw in the Point-to-Point Tunneling Protocol (PPTP) in both Windows 2000 and Windows XP could leave corporate intranets vulnerable to attack, German security firm Phion Information Technologies warned Thursday.

Phion said it had contacted Microsoft about the vulnerability before issuing its security advisory Thursday morning. Microsoft has not confirmed the flaw.

PPTP is used to secure virtual private networks (VPNs) by allowing two Internet hosts to communicate over a secure channel utilizing authentication and encryption. Phion claimed that the PPTP Service shipping with Windows 2000 and Windows XP contains a remotely exploitable pre-authentication buffer overflow, which could allow a malicious hacker to overwrite kernel memory with a specially crafted PPTP packet.


Phion said it has verified a denial-of-service lockup on both Windows 2000 SP3 and Windows XP, and noted that a remote compromise should be possible through the use of proper shellcode. Additionally, it said clients are vulnerable because the service constantly listens on port 1723 on every interface of the machine, making the vulnerability of special concern to DSL users who use PPTP to connect to their modems.

On the client side, Phion suggested firewalling the PPTP port in the Internet Connection Firewall for Windows XP. It had no suggestions for server-side solutions.
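To check for the listener condition described above, the following added example (not part of Phion's advisory or this article) parses Windows `netstat -an` output and reports whether a socket is listening on port 1723 and whether it is bound to all interfaces. The sample output, the addresses in it and the function names are constructed for illustration.

```python
import re

PPTP_PORT = 1723  # PPTP port named in the article

# Constructed sample of Windows `netstat -an` output (not from the article).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1055      10.0.0.138:1723        ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# TCP rows only: local address, local port, foreign address, state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\S+)\s*$")
WILDCARD = {"0.0.0.0", "[::]"}  # bound to every interface


def pptp_listeners(netstat_text, port=PPTP_PORT):
    """Return local addresses that have a LISTENING TCP socket on `port`."""
    found = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line or UDP row
        addr, local_port, state = m.group(1), int(m.group(2)), m.group(3)
        # An outbound PPTP session has 1723 as the *foreign* port and is
        # ESTABLISHED; only a local LISTENING socket accepts inbound packets.
        if local_port == port and state.upper() == "LISTENING":
            found.append(addr)
    return found


def assess(netstat_text):
    """Classify exposure: not-listening, specific-interfaces or all-interfaces."""
    listeners = pptp_listeners(netstat_text)
    if not listeners:
        return "not-listening", listeners
    if any(addr in WILDCARD for addr in listeners):
        return "all-interfaces", listeners
    return "specific-interfaces", listeners


if __name__ == "__main__":
    status, addrs = assess(SAMPLE_NETSTAT)
    print(f"PPTP port {PPTP_PORT}: {status} {addrs}")
```

A result of `all-interfaces` matches the condition Phion describes; on Windows XP clients the article's suggested mitigation is to block the port in the Internet Connection Firewall.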