lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050308072941.28065.qmail@www.securityfocus.com>
Date: 8 Mar 2005 07:29:41 -0000
From: Espen "Grndahl" <espen.groendahl@...mens.com>
To: bugtraq@...urityfocus.com
Subject: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability


In-Reply-To: <20050307215532.GA24251@...os.microshaft.org>

Hello

I've been able to reproduce this.

I used ipmagic on debian 3.0 and sendt a packet to a fully patched Windows 2003 server running on Vmware ESX server. I got a 1-5 sec. 100% load on the CPU on the target server. 1 packet/pr. sec. was enough to keep the CPU on 100% load.

Espen Grøndahl

>Received: (qmail 25355 invoked from network); 8 Mar 2005 04:31:31 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 8 Mar 2005 04:31:31 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
>	by outgoing3.securityfocus.com (Postfix) with QMQP
>	id 663A42373B4; Mon,  7 Mar 2005 15:12:20 -0700 (MST)
>Mailing-List: contact bugtraq-help@...urityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@...urityfocus.com>
>List-Help: <mailto:bugtraq-help@...urityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@...urityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe@...urityfocus.com>
>Delivered-To: mailing list bugtraq@...urityfocus.com
>Delivered-To: moderator for bugtraq@...urityfocus.com
>Received: (qmail 30519 invoked from network); 7 Mar 2005 14:39:33 -0000
>Date: Mon, 7 Mar 2005 13:55:32 -0800
>From: "Jon O." <jono@...workcommand.com>
>To: Dejan Levaja <dejan@...aja.com>
>Cc: bugtraq@...urityfocus.com
>Subject: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability
>Message-ID: <20050307215532.GA24251@...os.microshaft.org>
>References: <20050305181714.22945.qmail@....securityfocus.com>
>Mime-Version: 1.0
>Content-Type: text/plain; charset=us-ascii
>Content-Disposition: inline
>In-Reply-To: <20050305181714.22945.qmail@....securityfocus.com>
>User-Agent: Mutt/1.4.1i
>X-No-Archive: yes
>X-Scanned-By: logoscan
>
>All:
>
>I would like to hear from someone who can reproduce this. If you can, please send
>details with OS, patches installed, pcaps, etc. not a report of what tools you used
>to create the packet, sniff and replay the results. I've tested this and either my
>machines are magically protected from this attack, or it is invalid (despite what
>the press might say). I'd like some outside corroboration of this attack.
>
>
>On 05-Mar-2005, Dejan Levaja wrote:
>> 
>> 
>> Hello, everyone.
>> 
>> Windows Server 2003 and XP SP2 (with Windows Firewall turned off)  are vulnerable to LAND attack. 
>> 
>> LAND attack:
>>  Sending TCP packet with SYN flag set, source and destination IP address and source and destination port as of destination machine, results in 15-30 seconds DoS condition. 
>> 
>> 
>> Tools used:
>>  IP Sorcery for creating malicious packet, Ethereal for sniffing it and tcpreplay for replaying. 
>> 
>> Results:
>>  Sending single LAND packet to file server causes Windows explorer freezing on all workstations currently connected to the server. CPU on server goes 100%. Network monitor on the victim server sometimes can not even sniff malicious packet. Using tcpreplay to script this attack results in total collapse of the network.
>> 
>> Vulnerable operating systems:
>> Windows 2003
>> XP SP2
>> other OS not tested (I have other things to do currently ? like checking firewalls on my networks ;) )
>> 
>> Solution:
>>  Use Windows Firewall on workstations, use some firewall capable of detecting LAND attacks in front of your servers.
>> 
>> Ethic:
>>  Microsoft was informed 7 days ago (25.02.2005, GMT +1, local time), NO answer received, so I decided to share this info with security community. 
>> 
>> 
>> Dejan Levaja
>> System Engineer 
>> Bulevar JNA 251
>> 11000 Belgrade
>> Serbia and Montenegro
>> cell: +381.64.36.00.468
>> email: dejan@...aja.com
>> 
>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ