Date: Fri, 11 Mar 2005 01:14:02 +0100
From: Miguel Angel Rodríguez Jódar <rodriguj@....us.es>
To: <bugtraq@...urityfocus.com>
Subject: RE: Windows Server 2003 and XP SP2 LAND attack vulnerability


> I would like to hear from someone who can reproduce this. If you can,
> please send details with OS, patches installed, pcaps, etc. not a report of what

I've tested the original land attack against a Windows XP box SP2, Spanish
version, fw disabled, patches up to date, attacker and victim on the same
subnet. Tested on ports 139, 445 and 4899 (remote administrator service). In
all cases, after sending one "landed" packet, CPU usage rose from 2% to
77% and from then, to 100%, then back to 2%. The whole sequence took about
20 seconds.

If I tried the attack while the screensaver was active, it halted for those
20 seconds, and then back to normal.

I've not been able to reproduce this on an XP SP2 behind a firewall, with a
port mapped from the firewall to the machine. I tried modifying the land
source code to use a source IP identical to the machine internal IP, in the
hope that, after NAT translation, IP source and IP destination will be the
same and the attack would work, but no luck.

Tried also on an XP SP2, same characteristics as the previous one, but this
time not on my subnet, but many routers away. Apparently, no bad effects.

I took the land binary to a Linux machine on the same subnet as this second
XP box. Tried again and it worked!

After this test, I enabled Zone Alarm on this WinXP box and tried again:
this time it worked, but about 30 packets were necessary (1 second packet
rate) to raise CPU usage to 100%. Immediately after stopping the packet
generator, the CPU usage came back to normal.

Hope this helps in clarifying the matter.

--
Miguel Angel Rodriguez Jodar | http://www.atc.us.es
Departamento de Arquitectura y Tecnologia de Computadores
Universidad de Sevilla
Spain
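
An added example, not part of the original message or of the land tool: a defender-side check that flags the packet shape these tests depend on, a TCP SYN whose source address and port equal its destination. The port-equality condition is the classic LAND definition rather than something stated in this post; the function names and the 192.0.2.x sample addresses are constructed for illustration.

```python
import socket
import struct

TCP_PROTO = 6
TCP_SYN = 0x02

def is_land_packet(ip_packet: bytes) -> bool:
    """True if a raw IPv4 packet is a TCP SYN with src addr/port == dst addr/port."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return False
    ihl = (ip_packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(ip_packet) < ihl + 14:
        return False                         # too short to reach the TCP flags
    if ip_packet[9] != TCP_PROTO:
        return False
    src, dst = ip_packet[12:16], ip_packet[16:20]
    sport, dport = struct.unpack_from("!HH", ip_packet, ihl)
    flags = ip_packet[ihl + 13]
    return src == dst and sport == dport and bool(flags & TCP_SYN)

def flag_land(packets):
    """Return (destination IP, destination port) for every LAND-shaped packet."""
    hits = []
    for pkt in packets:
        if is_land_packet(pkt):
            ihl = (pkt[0] & 0x0F) * 4
            dport = struct.unpack_from("!H", pkt, ihl + 2)[0]
            hits.append((socket.inet_ntoa(pkt[16:20]), dport))
    return hits

def build_sample(src, dst, sport, dport, flags=TCP_SYN):
    """Constructed test input: bare IPv4 + TCP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, TCP_PROTO, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHLLBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    capture = [
        build_sample("192.0.2.20", "192.0.2.10", 1025, 445),   # ordinary SYN
        build_sample("192.0.2.10", "192.0.2.10", 139, 139),    # LAND-shaped
        build_sample("192.0.2.10", "192.0.2.10", 445, 445, flags=0x10),  # ACK only
    ]
    for ip, port in flag_land(capture):
        print(f"LAND-shaped SYN for {ip}:{port}")
```

The same predicate, applied as a drop rule on the host or at the first-hop device, covers the same-subnet case reported above, where no router or NAT sits between sender and target.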


