BugTraq
Re: Windows Server 2003 and XP SP2 LAND attack vulnerability Mar 08 2005 11:01AM
Miroslav Kubik (kubik_miroslav seznam cz)
Hi

I was able to reproduce the LAND attack against two boxes with Windows XP
Professional installed. Both systems had all patches including SP2. After
receiving the malformed packet both systems were very slow for about 5 - 10
seconds. The packet which I used is here:

[IP] 10.0.0.100 > 10.0.0.100
[IP ID] 31802
[IP Proto] TCP (6)
[IP TTL] 255
[IP TOS] 00
[IP Frag offset] 0000
[IP Frag flags]

[TCP Ports] 139 > 139
[TCP Flags] SYN
[TCP Urgent Pointer] 0
[TCP Window Size] 4096
[TCP Seq number] 1058371430

[Hexdump]
45 00 00 28 7C 3A 00 00 FF 06 00 00 0A 00 00 64 E..(|:.........d
0A 00 00 64 00 8B 00 8B 3F 15 77 66 34 E0 26 78 ...d....?.wf4r&x
50 02 10 00 78 31 00 00 P...x1..

In my opinion this vulnerability isn't very applicable in a real environment
because almost every firewall can stop packets like this. Here is a log from
Windows Firewall. It stopped the packet even though port 139 was open:

2005-03-08 11:55:04 DROP TCP 10.0.0.100 10.0.0.100 139 139 40 S 1058371430 887105144 4096 - - - RECEIVE

Best Regards
Miroslav Kubik
IT Specialist

----- Original Message -----
From: "Jon O." <jono (at) networkcommand (dot) com [email concealed]>
To: "Dejan Levaja" <dejan (at) levaja (dot) com [email concealed]>
Cc: <bugtraq (at) securityfocus (dot) com [email concealed]>
Sent: Monday, March 07, 2005 10:55 PM
Subject: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability

> All:
>
> I would like to hear from someone who can reproduce this. If you can,
> please send details with OS, patches installed, pcaps, etc. not a report
> of what tools you used to create the packet, sniff and replay the results.
> I've tested this and either my machines are magically protected from this
> attack, or it is invalid (despite what the press might say). I'd like some
> outside corroboration of this attack.
>
>
> On 05-Mar-2005, Dejan Levaja wrote:
>>
>>
>> Hello, everyone.
>>
>> Windows Server 2003 and XP SP2 (with Windows Firewall turned off) are
>> vulnerable to LAND attack.
>>
>> LAND attack:
>> Sending a TCP packet with the SYN flag set, with source and destination IP
>> address and source and destination port set to those of the destination
>> machine, results in a 15-30 second DoS condition.
>>
>>
>> Tools used:
>> IP Sorcery for creating malicious packet, Ethereal for sniffing it and
>> tcpreplay for replaying.
>>
>> Results:
>> Sending a single LAND packet to a file server causes Windows Explorer to
>> freeze on all workstations currently connected to the server. CPU on the
>> server goes to 100%. Network monitor on the victim server sometimes cannot
>> even sniff the malicious packet. Using tcpreplay to script this attack
>> results in total collapse of the network.
>>
>> Vulnerable operating systems:
>> Windows 2003
>> XP SP2
>> other OS not tested (I have other things to do currently - like checking
>> firewalls on my networks ;) )
>>
>> Solution:
>> Use Windows Firewall on workstations, and use some firewall capable of
>> detecting LAND attacks in front of your servers.
>>
>> Ethic:
>> Microsoft was informed 7 days ago (25.02.2005, GMT +1, local time), NO
>> answer was received, so I decided to share this info with the security community.
>>
>>
>> Dejan Levaja
>> System Engineer
>> Bulevar JNA 251
>> 11000 Belgrade
>> Serbia and Montenegro
>> cell: +381.64.36.00.468
>> email: dejan (at) levaja (dot) com [email concealed]
>>

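Added example (not code from any poster in this thread): a defender-side check that applies the LAND signature described above (SYN, source address equal to destination address, source port equal to destination port) to the raw 40-byte packet reconstructed from Miroslav's hexdump, and to a Windows Firewall log line in the format shown in his message. The field layout assumed for the firewall log (date time action protocol src dst sport dport size tcpflags ...) is taken from that sample line.

```python
import struct
from ipaddress import IPv4Address

# The 40-byte SYN packet, re-typed here from the hexdump in the post above
# (constructed sample; IP and TCP checksum fields are 0x0000 in that dump).
LAND_PACKET = bytes.fromhex(
    "45000028 7c3a0000 ff060000 0a000064"
    "0a000064 008b008b 3f157766 34e02678"
    "50021000 78310000"
)

TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_ipv4_tcp(pkt):
    """Return (src_ip, dst_ip, sport, dport, tcp_flags), or None if the
    bytes are not an IPv4/TCP packet with complete headers."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    if pkt[9] != 6 or len(pkt) < ihl + 20:   # protocol 6 = TCP
        return None
    src = str(IPv4Address(pkt[12:16]))
    dst = str(IPv4Address(pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]              # TCP flags byte
    return src, dst, sport, dport, flags


def is_land(src, dst, sport, dport, flags):
    """LAND signature: a bare SYN (no ACK) whose source address and port
    equal its destination address and port."""
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK) \
        and src == dst and sport == dport


def is_land_packet(pkt):
    hdr = parse_ipv4_tcp(pkt)
    return bool(hdr) and is_land(*hdr)


def is_land_fw_log(line):
    """Windows Firewall log line, space separated as in the sample above:
    date time action proto src dst sport dport size tcpflags ..."""
    f = line.split()
    if len(f) < 10 or f[3] != "TCP":
        return False
    flags = (TCP_SYN if "S" in f[9] else 0) | (TCP_ACK if "A" in f[9] else 0)
    return is_land(f[4], f[5], f[6], f[7], flags)
```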