Slashdot Mirror


Windows 2003 and XP SP2 Vulnerable To LAND Attack

An anonymous reader writes "Dejan Levaja, a Serbian security engineer, has discovered that nearly 8 years after the attack was first made public, Windows 2003 and Windows XP SP2 are in fact vulnerable to the historic LAND attack." Granted, you need to have the firewall turned off for this to work, but there's a whole lotta machines that don't have it turned on.

38 of 534 comments

  1. News? by Anonymous Coward · · Score: 5, Insightful

    "Granted, you need to have the firewall turned off for this to work, but there's a whole lotta machines that don't have it turned on."

    Machines that are not protected are vulnerable. Well, that isn't really news is it? Sounds pretty silly to me.

    1. Re:News? by A+beautiful+mind · · Score: 4, Insightful

      You forgot something:

      A box running no services should not be vulnerable to any DoS except brute force, even without a firewall. A firewall shouldn't be a solution to poor design/implementation problems and code bugs. That is simply not working. What if someone gets through the firewall?

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    2. Re:News? by BorgDrone · · Score: 3, Insightful
      "Machines that are not protected are vulnerable. Well, that isn't really news is it?"
      A firewall is an additional level of security; a system should be safe without it.
    3. Re:News? by garcia · · Score: 2, Insightful

      What if someone gets through the firewall?

      Then you get attacked, I guess, but I have a feeling that if the firewall is up the would-be attackers would move on to a more vulnerable target.

    4. Re:News? by Anonymous Coward · · Score: 0, Insightful

      Great attitude. Do you wear seatbelts? After all, your car should be safe enough without needing them. They're purely optional.

    5. Re:News? by fsck! · · Score: 4, Insightful

      Generally speaking, just about any Windows instance is going to have at least these ports open:

      Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-03-07 11:45 EST
      (The 1659 ports scanned but not shown below are in state: closed)
      PORT STATE SERVICE
      135/tcp open msrpc
      139/tcp open netbios-ssn
      445/tcp open microsoft-ds

      So this could wreak havoc on business or residential networks. But then, I guess this is what you get for giving your users or peers an inappropriate level of trust.

    6. Re:News? by IWannaBeAnAC · · Score: 2, Insightful
      That analogy is useless; it just doesn't match how TCP/IP actually works. Unless you want to do some special packet routing or logging, a firewall should be completely unnecessary.

      To accept a connection on an IP port, you need a service running. If you have no such service running, no connections are possible. Having such services running but then blocking them with another layer of software is pointless and adds more potential failure modes to the system. If you want a stupid car analogy, it is somewhat like putting a large spike on the steering wheel aimed at the driver, and 'compensating' by adding an airbag in the hope of stopping you from impaling yourself on the spike in case of an accident.

      Granted, this is the way Microsoft forces you to act, but that isn't the point.

    7. Re:News? by A+beautiful+mind · · Score: 2, Insightful

      It all boils down to risk assessment / management / mitigation. But I'm not talking from the user's viewpoint but the software developer's. I mean you can't just tell the users to install firewalls like Microsoft does because the system is quite flawed in the first place! I cannot stress this enough:

      A system is only as strong as its weakest component

      If you put that on a platform level from the viewpoint of a software developer organization, it clearly means that you need to code the system in a way that an attacker sees a very low ratio of compromisable hosts. Relying on a feature (firewall) to fix a bug (networking code) is NOT the way to do it. That doesn't mean, of course, that a firewall is not useful or even quite recommended.

      I think if I claimed that 10% of all Windows home-user boxes are vulnerable and/or compromised, I would be being really cautious. That 10% however can fu*k up the "fun" for the other 90% too.

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    8. Re:News? by micolous · · Score: 2, Insightful

      A firewall should never be used as a first line of defense. Using your analogy of the seatbelt is wrong; what would be a better analogy is to describe the firewall as the airbags.

      If you wear your seatbelt (secure your system and turn off unneeded services), you don't really need the airbag. The airbag is used as a second line of defense in case the seatbelt is ineffective.

      By relying only on the airbag in your car, and not using the seatbelt, you're probably more likely to get injured if you have to stop suddenly or the car is involved in an accident.

      --
      SSdtIGFzIGJvcmVkIGFzIHlvdSBhcmUK
    9. Re:News? by TeraCo · · Score: 2, Insightful
      That's funny, because in our enterprise network, our firewalls ARE our first line of defence. ie: There isn't anything in front of our firewalls besides a few routers.

      Security patching is our last line of defence, because if you're actually getting packets to the servers, that packet has already been vetted by two different types of firewall and a number of routers.

      --
      Not Meta-modding due to apathy.
    10. Re:News? by fsck! · · Score: 2, Insightful

      Most home users have no idea what you're talking about. The default config, for the vast majority of installations, is the only config.

  2. Only one thing though... by MtViewGuy · · Score: 4, Insightful
    Granted, you need to have the firewall turned off for this work, but there's a whole lotta machines that don't have it turned on.

    ...Isn't the Internet Connection Firewall that comes with Windows XP SP2 turned on by default when you install it in the first place?

    Anyway, given all the warnings about Internet security in the last five years, the majority of users will already have downloaded and installed firewall programs such as ZoneAlarm.

    1. Re:Only one thing though... by eviltypeguy · · Score: 5, Insightful

      If you think the majority of users are security minded like that, then why do you think the majority of users have so many problems that could be prevented in the first place by firewalls? Sorry, but my experience has been the opposite of your fairy tale.

    2. Re:Only one thing though... by nmos · · Score: 2, Insightful
      Servers will have a firewall. Home computers won't, but what's the point then?


      And when some worm implementing this attack rides inside of the firewall on a laptop or some removable media and attacks from the inside?
  3. I know its been around, but...Linking to source? by Tmack · · Score: 2, Insightful
    I know the LAND attack is old, but still, linking to a .c? Why not link to the description of the attack and let that be enough. I was not aware /. was a scriptkiddie toolz warehouse. As stated by the article, there are still probably a bunch of machines this will affect, and putting a link directly to LAND.c on the main page probably isn't such a good idea. What's next, root kits?

    Tm

    --
    Support TBI Research: http://www.raisinhope.org
  4. Open ports by ca1v1n · · Score: 4, Insightful

    Of course, some windows machines need to have open ports, like, say, if they're offering *services*. So really, your mundane desktop need not be affected. It's the production server you should be quite terrified about.

    1. Re:Open ports by northcat · · Score: 2, Insightful

      Er, you're forgetting the millions of websites whose purpose it is to be connected to the internet. And have port 80 open, which will make them vulnerable. And a lot of production servers which need to be connected to the internet for some reason. And careless admins.

  5. Re:wow by antiMStroll · · Score: 2, Insightful

    Turning Windows firewall off poses the same risk as a strike with a hammer or microwaving? That's one fragile OS!

  6. Re:wow by Tassach · · Score: 4, Insightful
    There is NO legitimate reason whatsoever for a modern, patched operating system to be vulnerable to a simple, 8-year-old DoS attack. What's next, reintroduction of the Ping of Death vulnerability? This is sloppy quality control, pure and simple.

    This incident is just another example which demonstrates the importance (or more accurately, the lack thereof) that Microsoft's corporate culture places on security. Hasn't anyone at Microsoft ever heard about regression testing?

    Microsoft has consistently demonstrated that, regardless of what their press releases say, security is NOT one of their priorities. People need to start waking up and realizing this before they entrust their critical infrastructure to Microsoft products.

    --
    Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  7. Re:Not that big of a deal by itsnotthenetwork · · Score: 5, Insightful

    Nobody deserves to get their Boxen hacked, even if they don't always use the best available defenses.
    That is like saying the rape victim is at fault "'cause she looked so sexy"

  9. Re:I know its been around, but...Linking to source by _bug_ · · Score: 3, Insightful

    I know the LAND attack is old, but still, linking to a .c? Why not link to the description of the attack and let that be enough. I was not aware /. was a scriptkiddie toolz warehouse. As stated by the article, there are still probably a bunch of machines this will affect, and putting a link directly to LAND.c on the main page probably isn't such a good idea. What's next, root kits?

    Honestly. Why don't you just stick your head in the ground every time there's a problem. If you don't see it, it can't be real.

    C'mon. How much more difficult is it to go to google, type in "land.c" and get the source yourself?

    Do you honestly think people visiting /. don't know how to use a search engine?

    Besides, any good system administrator has to assume that every user out there has access to the latest, greatest, and most sophisticated tools to get into their systems.

    And this is an 8 year-old exploit to boot.

    OH NOES! He linked to the h4x0r f13lz! Whut k4nz W3 DOOZ?! C4llz 0wtz t3h wh4mbul4nc3!!!11!!

    It shouldn't matter a single bit what gets linked to. The information is out there; anyone who wants to find it will. You can't try and suppress it. And to say that linking to it makes it easier... what did I just say about search engines? Oh gee, I've been saved a whole 5 seconds from going to Google and finding it myself. Maybe all Windows machines will be patched within that time?

  10. And source isn't useful to many people by Sycraft-fu · · Score: 4, Insightful

    I'm not a programmer, so looking through a C file isn't likely to give me any useful information, unless it's in comments at the beginning of the code. What's more, I imagine even programmers would rather just hear a summary than have to sit there and look through a bunch of code to figure out what it does.

    I mean, ethical issues aside, it's just not that helpful to most people. I'm sure most people thought "WTF is a LAND attack?" and clicked on the link to see. Getting a C file is probably not the answer they wanted, especially given that it doesn't seem to be transferring, so I can't even see if it has useful comments or not.

    When doing /. stories, link to relevant and, if possible, concise descriptions of terms that people are likely to be unfamiliar with. If you want to provide a link to source, do it separately and note it as such.

  11. Re:Big deal... by Anonymous Coward · · Score: 1, Insightful

    I think the point is that this DOS exploit is so easy using one machine that it's begging for kiddies to do it.

  12. UNLABELED too. by Ungrounded+Lightning · · Score: 4, Insightful

    I know the land attack is old, but still, linking to a .c ? I was not aware /. was a scriptkiddie toolz warehouse.

    Not only that, it was unlabeled. That means anybody who followed the link now has a copy of the malware in their machine's web cache, minimum. And if they saved it (to keep the list of vulnerable configurations, for example) they have the malware itself.

    This simultaneously puts a bunch of Slashdot readers at legal risk (from false prosecution and/or in-court character assassination, based on evidence from a seized computer) and gives real baddies plausible deniability.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  13. Re:so what? by m50d · · Score: 4, Insightful

    This isn't funny, it's sad. People have been so brainwashed by MS that they believe it's normal for machines to not be safe if they have a direct internet connection.

    --
    I am trolling
  14. Mod parent down by Ulric · · Score: 5, Insightful

    That's a list of operating systems from 1997, taken out of an exploit from 1997. Linux 2.0.30? Novell 4.11? Solaris 2.5.1?

    1. Re:Mod parent down by FreeUser · · Score: 3, Insightful

      No offense, but the list includes version numbers, so it's pretty clear it's not a current list.

      It's also clear that (outside of the Microsoft world) newer versions won't suffer the same vulnerability, nor will it be allowed to persist if somehow the same bug does sneak back into the codebase.

      I sometimes wonder if there's a single Microsoft shill or fan with an IQ that breaks triple digits ... I only wish their lobbyists in Europe were so ineffective ... the western world might have been spared its downward spiral into technological backwaterhood... a downward spiral the Chinese have been (and probably will continue to remain) smart enough to recognize as against their national interest and avoid (yes, I'm talking about software patents. Sue me).

      --
      The Future of Human Evolution: Autonomy
  15. Re:Two things of note: by Anonymous Coward · · Score: 1, Insightful

    The vulnerability was made public SEVEN YEARS AGO. The exploit has been around longer than that.

    The only thing that worries me is about the way MICROSOFT handles computer security.

    Please remove your head from your ass before posting inane comments. ...either that or you're in desperate need of a Tardis.

    (how the original post was modded "insightful" is utterly beyond me .. oh. wait. no it's not... this is /.)

  16. Malware by aug24 · · Score: 2, Insightful

    Would all you morons shouting about firewalls shut up for thirty seconds and consider the following scenario:

    User is in big corp behind firewall.
    User receives email claiming to be something or other.
    User runs attachment.
    All 'doze boxes in big corp stop working.

    Firewalls are (a) not the answer to all crap coding and (b) not perfect solutions even so.

    Justin.

    --
    You're only jealous cos the little penguins are talking to me.
  17. Re:Not that big of a deal by Ulric · · Score: 4, Insightful
    Anybody with a web server must accept incoming syn packets. If they are "protected" by something like:
    permit tcp any host 1.2.3.4 eq 80
    Then they are probably vulnerable.
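    The ACL quoted above is stateless: it matches on destination host and port only, so a SYN whose source address and port have been copied from the destination passes it unchanged. The following Python is an example added here, not part of the original thread or of any tool it mentions: it parses a few constructed tcpdump-style lines, flags the LAND signature (a SYN with source address and port equal to the destination's), and compares the quoted permit rule against the same rule preceded by an ingress anti-spoofing drop. The host 1.2.3.4, the inside network 1.2.3.0/24 and the sample lines are assumptions made for the example.

```python
"""LAND signature check and stateless packet-filter comparison.

Added example, not from the original Slashdot thread. Host 1.2.3.4, the
inside network 1.2.3.0/24 and the tcpdump-style sample lines below are
constructed for illustration and are not real traffic.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the address/port/flags part of a tcpdump TCP line such as
# "IP 198.51.100.7.51234 > 1.2.3.4.80: Flags [S], seq 1, win 65535, length 0"
_TCP_LINE = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]*)\]"
)


@dataclass(frozen=True)
class TcpSegment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # tcpdump flag letters, e.g. "S", "S.", "."


def parse_tcpdump_line(line: str) -> Optional[TcpSegment]:
    """Return a TcpSegment for a TCP line, None for anything else (ARP, ICMP, ...)."""
    m = _TCP_LINE.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return TcpSegment(src, int(sport), dst, int(dport), flags)


def is_land(seg: TcpSegment) -> bool:
    """LAND: a SYN whose source address and port equal its destination address and port."""
    return "S" in seg.flags and seg.src_ip == seg.dst_ip and seg.src_port == seg.dst_port


def permit_tcp_any_host_eq(seg: TcpSegment, host: str, port: int) -> bool:
    """Models the stateless ACL `permit tcp any host <host> eq <port>`:
    only the destination is inspected; the source may be anything."""
    return seg.dst_ip == host and seg.dst_port == port


def permit_with_ingress_filter(seg: TcpSegment, host: str, port: int,
                               inside_nets: List[ipaddress.IPv4Network]) -> bool:
    """The same permit rule, preceded by an anti-spoofing drop on the outside
    interface: a packet arriving from the Internet must not claim an inside
    source address, and must never claim to come from its own destination."""
    src = ipaddress.ip_address(seg.src_ip)
    if seg.src_ip == seg.dst_ip or any(src in net for net in inside_nets):
        return False
    return permit_tcp_any_host_eq(seg, host, port)


# Constructed sample capture (not real traffic).
SAMPLE_LINES = [
    "11:45:01.000001 IP 198.51.100.7.51234 > 1.2.3.4.80: Flags [S], seq 1, win 65535, length 0",
    "11:45:01.000002 IP 1.2.3.4.80 > 1.2.3.4.80: Flags [S], seq 2, win 65535, length 0",
    "11:45:01.000003 IP 1.2.3.5.40000 > 1.2.3.4.80: Flags [S], seq 3, win 65535, length 0",
    "11:45:01.000004 IP 198.51.100.7.51235 > 1.2.3.4.445: Flags [S], seq 4, win 65535, length 0",
    "11:45:01.000005 ARP, Request who-has 1.2.3.1 tell 1.2.3.4, length 28",
]

HOST = "1.2.3.4"          # assumed protected web server
PORT = 80
INSIDE_NETS = [ipaddress.ip_network("1.2.3.0/24")]  # assumed inside address space


def evaluate(lines: List[str], host: str = HOST, port: int = PORT,
             inside_nets: List[ipaddress.IPv4Network] = INSIDE_NETS) -> List[dict]:
    """For each TCP line: is it LAND, does the bare ACL pass it, does the filtered ACL pass it."""
    results = []
    for line in lines:
        seg = parse_tcpdump_line(line)
        if seg is None:
            continue  # non-TCP lines are skipped
        results.append({
            "src": f"{seg.src_ip}:{seg.src_port}",
            "dst": f"{seg.dst_ip}:{seg.dst_port}",
            "land": is_land(seg),
            "bare_acl_permits": permit_tcp_any_host_eq(seg, host, port),
            "filtered_acl_permits": permit_with_ingress_filter(seg, host, port, inside_nets),
        })
    return results


if __name__ == "__main__":
    for r in evaluate(SAMPLE_LINES):
        print(r)
```

    Run against the sample capture, the second line (the LAND-shaped SYN) is accepted by the bare `permit tcp any host 1.2.3.4 eq 80` rule but dropped once the ingress filter is in front of it; the third line shows the same filter catching an ordinary spoofed inside source that is not a LAND packet. Nothing here needs connection state: both checks look at a single segment's headers.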
  18. Re:Not that big of a deal by Anonymous Coward · · Score: 1, Insightful

    I understand your actual position in the decision making, but with no security at all like you describe, your computers and network have far more issues than a LAND attack to worry about. Be professional about it and voice your interests and concerns to the higher-ups. When the shit hits the fan, you may get recognized as someone who should be at a higher position because you have an understanding and are very proactive. That is if you are actually an employee there; if you are a student, the experience will help either way. Doing exactly what I described was a major reason I am now the Network Engineer at my current employer when I started as a phone monkey only a few years ago.

  19. It means more than you think... by Paradox · · Score: 2, Insightful

    Everytime MS has a security bug that causes millions in damage, MS gets a little bit more egg on their face.

    So now we have Bill Gates and co. coming out and saying, "Windows is our #1 priority." Everyone feels better, because hey... Bill's on the case right?

    Then, out of left-field, it turns out that Windows is vulnerable to an exploit that's practically ancient in the biz. And what if you can get through the firewall somehow? Or what if you're cruising around wireless networks on a laptop?

    This kind of one-shot lockup is something from the dark ages of computing. Everyone's confidence in MS should be lowered even further.

    --
    Slashdot. It's Not For Common Sense
  20. Might as well unplug it by XSforMe · · Score: 3, Insightful

    The idea behind a server (such as the affected W2K3 server) being connected to a network is to provide a service to the clients. If the machine is not fit to provide services to the network, you might as well go back to the store and ask for a reimbursement and exchange to an XP workstation.

    The only way to safely run this server is to place it behind an SPI firewall. Packet filters will have a hard time detecting and blocking this kind of attack; you will need a full-blown SPI to defend and block against these attacks.

    SMC, Linksys and other consumer-level firewalls seem to be vulnerable to this thing; the only thing that might save your server is the NAT they might provide. Of course, if you are running your server on a publicly routable IP, then you better start thinking of running a serious setup there.

    --
    My other OS is the MCP!
  21. Re:Little known fact by Anonymous Coward · · Score: 1, Insightful

    ooh... tactless, but funny. it's the kind of funny that makes us laugh at helen keller and dead baby jokes.

  22. It's not good enough by LemonFire · · Score: 2, Insightful

    Many corporate networks only protect the connection between the Internet and the LAN, and it only takes one sales guy to bring in a breached laptop to topple this type of security. I've seen this happen quite often.

    -- I bought this SIG on ebay.

  23. Firewall need not be disabled by northcat · · Score: 2, Insightful

    It doesn't need the firewall to be disabled. It just needs an open port. Many machines have some ports open for things like P2P. The summary should either not mention this at all or mention this in its entirety. Just saying that the firewall needs to be disabled is misleading (at least for some/most people).

  24. Re:wow by FireFury03 · · Score: 2, Insightful

    You might forget that MS is not a security company.

    True, but this is like excusing someone who fits front doors after they fit a load which have no locks (and are marketed as having locks) because they're not a security company, just a front door company.

    You tell them they should focus more on security than making a GUI that can be used equally well if you have perfect vision or are blind or anywhere in between.

    Having recently installed Windows XP for some testing (the last version of Windows I used was Win98) I can tell you that the Windows XP interface is absolutely horrendous. Win98's was actually reasonably intuitive, but I can't say the same about XP. In fact, after having to set up XP I have come to the conclusion that anyone who claims XP is more user-friendly than a modern Linux distribution is sadly mistaken.

    this vulnerability happened after SP2 was released.

    Uh.. huh?!? This is a vulnerability that was known about in a number of operating systems and fixed in Linux in the kernel 2.0 days...

    MS has been working a lot on connectivity over the last year or so with some protocol enhancements and increased IPv6 support.

    Ok, I actually _use_ IPv6, both on my internal network and on the internet at large. After hearing that MS had implemented a wonderful IPv6 stack I tried it out (XP SP2)... Imagine my surprise when I found that yes, there is a wonderful shiny IPv6 stack, but it's almost completely useless since none of the standard MS services actually support IPv6 at all. That's right, you can't do any stuff like terminal services (RDP) or file sharing (SMB/CIFS), etc. over IPv6. By comparison, Linux had a good IPv6 stack in 1998 and most services now support it natively (exceptions are NFS and CUPS).

    So no, I can't accept the idea that MS are slacking on security because they're at the forefront of IPv6 development since they're not even at the level Linux's IPv6 support was at 7 years ago. And even if this was a reason for them slacking on the security side, security is _the most important thing_ to have on a networked system, so it's still not an excuse.

    I certainly hope you're happy with your front door that has a pretend painted-on lock.