| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 7 Mar 2005 23:42:15 -0600 From: "Patrick Chipman" <pchipman@...phis.edu> To: <bugtraq@...urityfocus.com> Subject: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability I can replicate this using hping2 on a Linux 2.2.19 box targeting a Windows XP SP2 box (fully patched) with no firewall active on the same subnet. The packet sent has the SYN flag set (-S) and a spoofed source address (-a). The source and destination ports must be the same and open on the target machine. I tried ports 135, 139, 445, and 3389, and all of them raised the CPU usage of the System process to 100% for the duration of the attack and for about 10 seconds afterwards. The effect is quite dramatic, but the system isn't frozen per se. You can still interact with it, albeit very slowly. Task Manager responds updates its window appropriately, for instance, and you can send events to other applications. One version of the command I used was (from a machine at 192.168.1.5): hping2 192.168.1.1 -s 135 -p 135 -S -a 192.168.1.1 That should have the desired effect. -- Patrick Chipman Institute for Intelligent Systems http://www.iismemphis.org ----- Original Message ----- From: "Jon O." <jono@...workcommand.com> To: "Dejan Levaja" <dejan@...aja.com> Cc: <bugtraq@...urityfocus.com> Sent: Monday, March 07, 2005 3:55 PM Subject: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability > All: > > I would like to hear from someone who can reproduce this. If you can, > please send > details with OS, patches installed, pcaps, etc. not a report of what tools > you used > to create the packet, sniff and replay the results. I've tested this and > either my > machines are magically protected from this attack, or it is invalid > (despite what > the press might say). I'd like some outside corroboration of this attack. > > > On 05-Mar-2005, Dejan Levaja wrote: >> >> >> Hello, everyone. >> >> Windows Server 2003 and XP SP2 (with Windows Firewall turned off) are >> vulnerable to LAND attack. >> >> LAND attack: >> Sending TCP packet with SYN flag set, source and destination IP address >> and source and destination port as of destination machine, results in >> 15-30 seconds DoS condition. >> >> >> Tools used: >> IP Sorcery for creating malicious packet, Ethereal for sniffing it and >> tcpreplay for replaying. >> >> Results: >> Sending single LAND packet to file server causes Windows explorer >> freezing on all workstations currently connected to the server. CPU on >> server goes 100%. Network monitor on the victim server sometimes can not >> even sniff malicious packet. Using tcpreplay to script this attack >> results in total collapse of the network. >> >> Vulnerable operating systems: >> Windows 2003 >> XP SP2 >> other OS not tested (I have other things to do currently ? like checking >> firewalls on my networks ;) ) >> >> Solution: >> Use Windows Firewall on workstations, use some firewall capable of >> detecting LAND attacks in front of your servers. >> >> Ethic: >> Microsoft was informed 7 days ago (25.02.2005, GMT +1, local time), NO >> answer received, so I decided to share this info with security community. >> >> >> Dejan Levaja >> System Engineer >> Bulevar JNA 251 >> 11000 Belgrade >> Serbia and Montenegro >> cell: +381.64.36.00.468 >> email: dejan@...aja.com >> >
Powered by blists - more mailing lists