Date: Fri, 11 Mar 2005 13:58:41 +1300
From: "Daniel Cross" <dcross@...sh.co.nz>
To: Arian.Evans@...hnetsecurity.com, jono@...workcommand.com,
	bugtraq@...urityfocus.com, dejan@...aja.com
Subject: RE: Windows Server 2003 and XP SP2 LAND attack vulnerability


That's interesting.
I haven't tested my 2k3 box yet, but have tested against XP SP1
(Pentium 4 2.6G).
I didn't get the 100% load on the CPU that others have reported, but
did get symptoms.
I tried ports 135, 139 and 445.
When I tried ports 135 and 139 I saw the average CPU load on the
target machine average 50-60%.
When I tried port 445 I saw the average load become 60-70%.
Some tweaking of packet sizes and intervals gave me an average of
about 75% load with the occasional spike up to 90%.

The machine was still completely usable.

The machine wasn't running any apps so I figured this could be the
cause. I am still yet to try it with a load already running.

However, what you're seeing could possibly account for this, and am
now eager to try it on my 2k3 machine.

I used hping to send the packets, as below (The interval time didn't
make too much difference (a second was fine), and the data size
really didn't make much difference at all - in fact it was pretty much
the same with a straight SYN packet):

hping2 192.168.1.5 -s 445 -d 445 -a 192.168.1.5 -i u55 -d 0x15

>
>---- Original Message ----
>From: Arian.Evans@...hnetsecurity.com
>To: jono@...workcommand.com, bugtraq@...urityfocus.com,
>dejan@...aja.com
>Subject: RE: Windows Server 2003 and XP SP2 LAND attack vulnerability
>Date: Tue, 8 Mar 2005 16:35:23 -0600
>
>>FWIW in addition to all the SP2 responses note: cannot replicate on
>2000 SP4 or XP SP1
>>using exact packets that work on SP2.
>>
>>-ae
>>
>>>----- Original Message ----- 
>>>From: "Jon O." <jono@...workcommand.com>
>>>To: "Dejan Levaja" <dejan@...aja.com>
>>>Cc: <bugtraq@...urityfocus.com>
>>>Sent: Monday, March 07, 2005 3:55 PM
>>>Subject: Re: Windows Server 2003 and XP SP2 LAND attack
>vulnerability
>>>
>>>
>>>> All:
>>>>
>>>> I would like to hear from someone who can reproduce this. If 
>>>you can, 
>>>> please send
>>>> details with OS, patches installed, pcaps, etc. not a report 
>>>of what tools 
>>>> you used
>>>> to create the packet, sniff and replay the results. I've 
>>>tested this and 
>>>> either my
>>>> machines are magically protected from this attack, or it is
>invalid 
>>>> (despite what
>>>> the press might say). I'd like some outside corroboration of 
>>>this attack.
>>>>
>>>>
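
The packets discussed in this thread carry a source address and port equal to the destination address and port. A defender-side check for that pattern over raw IPv4 bytes follows, as an added example that is not part of the original post; the function names and the hex sample packets are constructed for illustration (checksums zeroed).

```python
import socket
import struct

def land_verdict(packet: bytes):
    """Return a reason string if a raw IPv4 packet matches the LAND pattern, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                        # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 14:
        return None                        # bad IHL, or TCP header cut before the flags byte
    if packet[9] != 6:
        return None                        # protocol 6 = TCP
    src, dst = packet[12:16], packet[16:20]
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13]
    if src == dst and sport == dport:
        # SYN set without ACK is the connection-opening form described in the post
        kind = "SYN" if (flags & 0x02 and not flags & 0x10) else "non-SYN"
        return f"LAND {kind} {socket.inet_ntoa(src)}:{sport}"
    return None

def flagged(samples):
    """Names of the sample packets that match the LAND pattern."""
    return [name for name, pkt in samples.items() if land_verdict(pkt)]

# Constructed sample packets: 20-byte IPv4 header + 20-byte TCP header, as hex.
_IP_HEAD = "450000280000000040060000"      # ver/IHL, len=40, TTL=64, proto=TCP
_TCP_TAIL = "0000000000000000" + "50020200" + "00000000"  # seq, ack, off/SYN/win, csum/urg
SAMPLES = {
    # 192.168.1.5:445 -> 192.168.1.5:445 (the pattern from the post)
    "land_syn_445": bytes.fromhex(_IP_HEAD + "c0a80105c0a80105" + "01bd01bd" + _TCP_TAIL),
    # 192.168.1.9:50000 -> 192.168.1.5:445 (ordinary client SYN)
    "normal_syn": bytes.fromhex(_IP_HEAD + "c0a80109c0a80105" + "c35001bd" + _TCP_TAIL),
    # same address, different ports: a host talking to itself, not LAND
    "same_host_diff_port": bytes.fromhex(_IP_HEAD + "c0a80105c0a80105" + "c35001bd" + _TCP_TAIL),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, "->", land_verdict(pkt))
```

A packet arriving from the network with its source address equal to the receiving host's own address is already invalid on its own, so ingress filtering can drop it before any port comparison is needed.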



