lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <8654C851B1DAFA4FA18A9F150145F92502C160BD@fnex01.fishnetsecurity.com>
Date: Tue, 8 Mar 2005 16:35:23 -0600
From: "Evans, Arian" <Arian.Evans@...hnetsecurity.com>
To: <jono@...workcommand.com>, <bugtraq@...urityfocus.com>,
	<dejan@...aja.com>
Subject: RE: Windows Server 2003 and XP SP2 LAND attack vulnerability


FWIW in addition to all the SP2 responses note: cannot replicate on 2000 SP4 or XP SP1
using exact packets that work on SP2.

-ae

>----- Original Message ----- 
>From: "Jon O." <jono@...workcommand.com>
>To: "Dejan Levaja" <dejan@...aja.com>
>Cc: <bugtraq@...urityfocus.com>
>Sent: Monday, March 07, 2005 3:55 PM
>Subject: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability
>
>
>> All:
>>
>> I would like to hear from someone who can reproduce this. If 
>you can, 
>> please send
>> details with OS, patches installed, pcaps, etc. not a report 
>of what tools 
>> you used
>> to create the packet, sniff and replay the results. I've 
>tested this and 
>> either my
>> machines are magically protected from this attack, or it is invalid 
>> (despite what
>> the press might say). I'd like some outside corroboration of 
>this attack.
>>
>>
>> On 05-Mar-2005, Dejan Levaja wrote:
>>>
>>>
>>> Hello, everyone.
>>>
>>> Windows Server 2003 and XP SP2 (with Windows Firewall 
>turned off)  are 
>>> vulnerable to LAND attack.
>>>
>>> LAND attack:
>>>  Sending TCP packet with SYN flag set, source and 
>destination IP address 
>>> and source and destination port as of destination machine, 
>results in 
>>> 15-30 seconds DoS condition.
>>>
>>>
>>> Tools used:
>>>  IP Sorcery for creating malicious packet, Ethereal for 
>sniffing it and 
>>> tcpreplay for replaying.
>>>
>>> Results:
>>>  Sending single LAND packet to file server causes Windows explorer 
>>> freezing on all workstations currently connected to the 
>server. CPU on 
>>> server goes 100%. Network monitor on the victim server 
>sometimes can not 
>>> even sniff malicious packet. Using tcpreplay to script this attack 
>>> results in total collapse of the network.
>>>
>>> Vulnerable operating systems:
>>> Windows 2003
>>> XP SP2
>>> other OS not tested (I have other things to do currently ? 
>like checking 
>>> firewalls on my networks ;) )
>>>
>>> Solution:
>>>  Use Windows Firewall on workstations, use some firewall capable of 
>>> detecting LAND attacks in front of your servers.
>>>
>>> Ethic:
>>>  Microsoft was informed 7 days ago (25.02.2005, GMT +1, 
>local time), NO 
>>> answer received, so I decided to share this info with 
>security community.
>>>
>>>
>>> Dejan Levaja
>>> System Engineer
>>> Bulevar JNA 251
>>> 11000 Belgrade
>>> Serbia and Montenegro
>>> cell: +381.64.36.00.468
>>> email: dejan@...aja.com
>>>
>> 
>
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ