Windows 2003 and XP SP2 Vulnerable To LAND Attack

An anonymous reader writes "Dejan Levaja, a Serbian security engineer has discovered that nearly 8 years after the attack was first made public, WIndows 2003 and Windows XP SP2 are in fact vulnerable to the historic LAND attack." Granted, you need to have the firewall turned off for this work, but there's a whole lotta machines that don't have it turned on.

Only win ?

[mirko]

Are only Windows platform vulnerable or will these attacks be successful on other non-ms platforms ?

Re:Only win ?

[redJag]

There is a big list before the provided source code.

Re:Only win ?

OS X is invulnerable to all attacks, because it's made of magic.

Re:Only win ?

[AKnightCowboy]

OS X is invulnerable to all attacks, because it's made of magic.

*snort*. You owe me a new keyboard.

/Mac user

Re:Only win ?

[ip_fired]

I found some interesting things while playing around with this.

1st: The checksum code is always off by 3 in that file. Subtract 3 from the value before you take the complement and it'll be right. (this is a kludge, I haven't taken the time to actually figure out why it's wrong yet)

2nd: It causes 100% CPU usage on a WinXP SP2 box for about 3 seconds for each packet sent!!!

3rd: It can be blocked (and probably IS blocked) by most routers since the source and destination addresses are the same.

I got permission to send one of these packets to my friends Win2003 box and as far as we can tell, it didn't do anything. I don't know if the packet is getting through though.

4th: Also, I retested the Mac, and again, the malformed packet did nothing.

Little known fact

[beatdown]

It is also subject to sea and air attacks.

Re:Little known fact

[spektr]

True, the US Navy use Windows don't they?

They had put it on an aircraft carrier and navigated it away from shore immediately, when they heard about the LAND exploit. To their delight, it stayed pretty stable in the middle of the sea.

Re:Little known fact

The Navy usually makes sure its ports are secure.

Re:Little known fact

Yes, but they call them "port holes".

Re:Little known fact

[jd]

This is probably going to crack you up. Yes, they do. For secure communications, application serving, and (for the "intelligent" ships) navigation systems.

There are people in the US Navy who are actively interested in Linux, but they are heavily outnumbered by fans of Windows and SCO Unix.

Re:Little known fact

[darkpixel2k]

Well...usually.

There was this one time...in Hawaii...

Re:Little known fact

[harrkev]

According to the Village People, the Navy usually has some back doors.

wow

[Quasar1999]

In other news, my computer is also prone to failing if I microwave it... hit it with a hammer, or attempt to install water cooling while I'm drunk...

Re:wow

Problem:
The other thing Microsoft won't tell you is that if paramilitants do a home invasion, they can take your machine right out of the house and have access to all data and the entire network, for that matter.

Solution: Install complex home alarm system, man traps, CCTV, and acquire armed guards, string up razor wire and dig tunnel system deep in the jungle.

Ethic:
I told microsoft that their computers were totally unprotected from physical theft by armed gangs of paramilitants and received no response. I am now sharing this with the community.

Re:wow

[Tassach]

There is NO legitimate reason whatsoever for a modern, patched operating system to be vulnerable to a simple, 8-year-old DOS attack. What's next, reintroduction of the Ping Of Death vulnerability? This is sloppy quality control, pure and simple.

This incident is just another example which demonstrates the importance (or more accurately, the lack thereof) that Microsoft's corporate culture places on security. Hasn't anyone at Microsoft ever heard about regression testing?

Microsoft has consistantly demonstrated that, regardless of what their press releases say, security is NOT one of their priorities. People need to start waking up and realizing this before they entrust their critical infrastructure to Microsoft products.

Re:wow

[Maestro4k]

but the reality is this vulnerability happened after SP2 was released.

• Actually no, this vulnerability showed up 8 years ago and was patched in Windows 98 I believe. So this isn't something new that Microsoft is just now learning about and need to fix, it's something quite old. Since the vulnerability came out ME, 2000 and XP all were released.

Perhaps they setup a firewall to allow them to fix things underneath without totally destroying everyone's networks?

• If you're trying to say that MS feels that having the firewall on by default in XP SP2 is a shortcut for fixing problems, well, I certainly HOPE they're not taking that attitude. Yes the firewall needs to be on by default for better security, but they should have tested the OS against
• known vulnerabilities with the firewall off to be certain they wouldn't work. Failure to do so shows some serious problems in MS land.

When you have as large of an installbase as MS does you can't shift things right away or you will lose customers, you have to make changes slowly and incrimentally so that users don't get confused.

• You seem royally confused about what this actually is. Land is a DOS attack that is caused by sending a SYN packet to an open port on a machine with the source and destination addresses the same. This isn't something that is _needed_ by any app, it's a TCP/IP oddity, a packet that would normally never occur. Back 8 years ago it was understandable that MS and others didn't anticipate this attack, but after 8 years there's not any excuse.

• Simply this is not something users are going to notice the lack of. They'll certainly notice it's there if their machines gets hit with a Land attack though. It is NOT a case of MS trying to make changes slowly to not confuse customers, it's a big blunder.

MS has been working a lot on connectivity over the last year or so with some protocol enhancements and increased IPv6 support. I imagine things are going to get worse before they get better, but don't kid yourself, they are working on fixing it.

• Frankly if their "working on fixing it" involves re-introducing exploits first identified and fixed 8 YEARS ago then I'm certainly not going to hold my breath that they'll ever fix anything.

• Ultimately though your defense of MS is unwarranted. They publically declared a while back (1-2 years now I think) that security was going to be a primary focus for them. This was pre-SP2 days. That they re-introduced a vulnerability from eight years ago speaks great volumes about that focus. If MS wants to claim they're security-focused now they deserve the lumps they get for foolish mistakes like this.

News?

"Granted, you need to have the firewall turned off for this work, but there's a whole lotta machines that don't have it turned on."

Machines that are not protected are vulnerable. Well, that isn't really news is it? Sounds pretty silly to me.

Re:News?

[A+beautiful+mind]

You forgot something:

A box running no services should be not vulnerable of any dos except brute force even without a firewall. A firewall shouldn't be a solution to poor design/implementation problems and code bugs. That is simply not working. What if someone gets through the firewall?

Re:News?

[InsaneGeek]

The LAND attack requires an open port, so by definition if the system isn't running any services it will have no open ports and not be vulnerable to this attack.

Re:News?

[JustForMe]

Windows Server must be running some services, I guess..

Re:News?

[fsck!]

Generally speaking, just about any Windows instance is going to gave at lease these ports open:

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-03-07 11:45 EST
(The 1659 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds

So this could reak havoc on business or residential networks. But then, I guess this is what you get for giving your users or peers an inapropriate level of trust.

Windows

Only one remote hole in the kernel FOR eight years!

Wait...

[Gorffy]

You mean to tell me that XP and 2k3 contain buggy legacy code? that IS news!

What kind of software dev process do MS use?

[Ex+Machina]

Isn't this EXACTLY what regression tests were designed for?

Re:What kind of software dev process do MS use?

Regression testing makes sure that things that used to work in the old version still works in the new version, so I'd say that windows is passing its regression tests with flying colors ;)

Re:What kind of software dev process do MS use?

[KDN]

Several jobs ago, the I did software development. The manager didn't like how every time I found a significant bug I added it to a test library that I kept and ran against every version of the code that I was about to put out to the group. His thought was "the odds of someone making the same mistake twice are non existent". One time he told me to put the code out before it was done the regression tests. Sure enough, crash and burn. And yes, my regression tests later caught the bug. Never again.

As a further indication that I was right, I put an interface around the public interface of my libraries to validate all the parameters and actions. I noticed some people would make the same error so much that I even personalized some of the error messages. Like: "Your passing a string instead of an address John", and "Your reading from a closed object Kevin".

Re:What kind of software dev process do MS use?

[Phanatic1a]

Or even "You're not using contractions properly, KDN"?

Only one thing though...

[MtViewGuy]

Granted, you need to have the firewall turned off for this work, but there's a whole lotta machines that don't have it turned on.

...Isn't the Internet Connection Firewall that comes with Windows XP SP2 turned on by default when you install it in the first place?

Anyway, given all the warnings about Internet security in the last five years, the majority of users will already have downloaded and installed firewall programs such as ZoneAlarm.

Re:Only one thing though...

[eviltypeguy]

If you think the majority of users are security minded like that, then why do you think the majority of users have so many problems that could be prevented in the first place by firewalls? Sorry, but my experience has been the opposite of your fairy tale.

Windows running slow?

[hackwrench]

It may be a little thing called a firewall. A firewall is a spyware-like little piece of software that constantly pings a special server called a firedoor so that spammers hackers, and their ilk know when your computer is available on the internet. Unfortuntely Microsoft refuses to release a patch for this thing but a piece of software called a backdoor can be used to prevent the firewall from doing its dirty work. Download one today!

Guess we need Boston Church XP

[kakos]

01 if by LAND, 10 if by SEA

On a more serious note..

[tabkey12]

Blanket Attacks (like blaster, where every windows computer on the net with windows sharing on is hit about 6 times an hour) are usually only viable when the Default configuration is insecure.

At least with SP2 there is some basic security in terms of the firewall being on by default.

Still, never thought I'd see a slashdot article linking to a page about Trumpet Winsock in 2005!

Safest OS

[Virtual+Karma]

Windows is one of the safest OS around (and to keep it that way it is advised that the computer should not be connected to internet or any other network for that matter)

Microsoft Notified

[Nom+du+Keyboard]

Ethic:
Microsoft was informed 7 days ago (25.02.2005, GMT +1, local time), NO answer received, so I decided to share this info with security community.

Of course they didn't reply. They're under LAND attack, and your message is caught in the server. You must have sent them a proof-of-concept, so what did you expect?

What is the LAND attack?

[fizbin]

Quoting from http://www.insecure.org/sploits/land.ip.DOS.html:

i recently discovered a bug which freezes win95 boxes. here's how
it works: send a spoofed packet with the SYN flag set from a host, on an open
port (such as 113 or 139), setting as source the SAME host and port
(ie: 10.0.0.1:139 to 10.0.0.1:139). this will cause the win95 machine to lock
up.

So it's a way to either remotely lock up or reboot a target machine. I would assume (not having, you know, tried it or anything) that this includes most windows-based webservers.

Open ports

[ca1v1n]

Of course, some windows machines need to have open ports, like, say, if they're offering *services*. So really, your mundane desktop need not be affected. It's the production server you should be quite terrified about.

Can anyone confirm?

A friend showed this to me a few days ago and I was unable to reproduce the attack over the LAN, both with my own code and some code of the original LAND found with google. Both were run from linux by opening a raw socket, filling in ip and tcp headers including checksums using the structs in ip.h and tcp.h, and sending with sendto(). In both cases ethereal would show the packet as recieved but the machine would operate normally.

Re:Can anyone confirm?

[bluelip]

The problem might be w/ your code.

A test listed in an above comment of mine worked for my box. DL hping2 and try:

hping2 aaa.bbb.ccc.ddd -s 135 -p 135 -S -a aaa.bbb.ccc.ddd

Obviously, replace aaa.bbb.ccc.ddd w/ the ip address of the workstation you'd like to test

Oh c'mon, that isn't fair.

[Billy+Bo+Bob]

8 years is hardly enough to figure out how to patch windows.

Besides, like all everyone here says, it is the users own fault for not using a firewall. Having an expectation that 8 yr old attacks should be fixed is just unreasonable.

WTF, are you all on crack?

Retro!

[bigtallmofo]

I remember the days of Ping of Death, Land, Teardrop, New Tear, Bork, etc.

Now that my WinXP SP2 system is susceptible to land again, it's getting me into a nostalgic mood. I think I'll go play Ms PacMan on my MAME cabinet now.

Re:Not that big of a deal

[itsnotthenetwork]

Nobody deserves to get their Boxen hacked, even if they don't always use the best available defenses.
That is like saying the rape victim is at fault "'cause she looked so sexy"

Re:Not that big of a deal

[Dimensio]

I work in a university. Policy is not to have the Windows firewall turned on because it supposedly conflicts with a few needed applications. There is no hardware firewall whatsoever between the internal network and the outside world.

Oh, and standard policy is to have user accounts set up as Administrator at all times.

Cleaning up infected machines is a never-ending endeavour. Oddly, the few departments run by competent admins (as in, not the university's IT department) where user accounts are set up only as Users (among other things) don't have any security problems at all. I wonder why..

Oh, and before anyone blames me: I'm a grunt with no authority whatsoever. I've voiced my objections to the way things are run, but I can do little more than that.

Everyone has good points, and yet....

[writermike]

Experts say servers are vulnerable to the infamous CAFE attack. One drop can take down an entire network!

Granted you have to have a computer next to a cup of coffee for this to work, but MANY PEOPLE DO!!!!!!!!!!

Want to do your own testing?

[bluelip]

Grab a copy of hping2 and try:

hping2 aaa.bbb.ccc.ddd -s 135 -p 135 -S -a aaa.bbb.ccc.ddd

Obviously, replace aaa.bbb.ccc.ddd w/ the ip address of the workstation you'd like to test

MOD PARENT UP !

[mirko]

BSDI 2.1 (vanilla) IS vulnerable
BSDI 2.1 (K210-021,K210-022,K210-024) NOT vulnerable
BSDI 3.0 NOT vulnerable
Digital UNIX 4.0 NOT vulnerable
FreeBSD 2.2.2-RELEASE IS vulnerable
FreeBSD 2.2.5-RELEASE IS vulnerable
FreeBSD 2.2.5-STABLE IS vulnerable
FreeBSD 3.0-CURRENT IS vulnerable
HP-UX 10.20 IS vulnerable
IRIX 6.2 NOT vulnerable
Linux 2.0.30 NOT vulnerable
Linux 2.0.32 NOT vulnerable
MacOS 8.0 IS vulnerable (TCP/IP stack crashed)
NetBSD 1.2 IS vulnerable
NeXTSTEP 3.0 IS vulnerable
NeXTSTEp 3.1 IS vulnerable
Novell 4.11 NOT vulnerable
OpenBSD 2.1 IS vulnerable
OpenBSD 2.2 (Oct31) NOT vulnerable
SCO OpenServer 5.0.4 NOT vulnerable
Solaris 2.5.1 IS vulnerable (conflicting reports)
SunOS 4.1.4 IS vulnerable
Windows 95 (vanilla) IS vulnerable
Windows 95 + Winsock 2 + VIPUPD.EXE IS vulnerable

"LAND" war in Asia ...

[YetAnotherName]

Vizzini: You only think I guessed wrong - that's what's so funny. I switched glasses when your back was turned. Ha-ha, you fool. You fell victim to one of the classic blunders, the most famous of which is "Never get involved in a land war in Asia", but only slightly less well known is this: "Never go in against a Sicilian, when *death* is on the line.". Hahahahahah. [Vizzini falls over dead]

(Yeah, off topic, I don't care.)

And source isn't useful to many people

[Sycraft-fu]

I'm not a programmer, so looking through a C file isn't likely to give me any useful information, unless it's in comments at the beginning of the code. What's more, I imagine even programmers would rather just hear a summary than have to sit there and look through a bunch of code to figure out what it does.

I mean ethical issues aside, it's just not that helpful to most people. I'm sure most people though "WTF is a LAND attack?" and cliked on the link to see. Getting a C file, is probably not the answer they wanted, espically given that it doesn't seem to be transfering, so I can't even see if it has useful comments or not.

When doing /. stories, link to relivant and if possible, concise descriptions of terms that people are likely to be unfarmilar with. If you want to provide a link to source, do it seperatly and note it as such.

UNLABELED too.

[Ungrounded+Lightning]

I know the land attack is old, but still, linking to a .c ? I was not aware /. was a scriptkiddie toolz warehouse.

Not only that, it was unlabeled. That means anybody who follwed the link now has a copy of the malware in their machine's webcache, minimum. And if they saved it (to keep the list of vulnerable configurations, for example) they have the malware itself.

This simultaneously puts a bunch of slashdot readers at legal risk (from false prosecution and/or in-court character assasination, based on evidence from a siezed computer) and gives real baddies plausible deniability.

Re:I know its been around, but...Linking to source

[__aaijsn7246]

Security through obsecurity doesn't work. Here's the important part of the source :) Basically it just sends a SYN packet which has the target's address as the source and the destination (same port as well).

---snip---
bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr));
ipheader->version=4;
ipheader->ihl=siz eof(struct iphdr)/4;
ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr));
ipheader->id=htons(0xF1C);
ipheader->t tl=255;
ipheader->protocol=IP_TCP;
ipheader->sad dr=sin.sin_addr.s_addr;
ipheader->daddr=sin.sin_a ddr.s_addr;

tcpheader->th_sport=sin.sin_port;
tcpheader->th _dport=sin.sin_port;
tcpheader->th_seq=htonl(0xF1 C);
tcpheader->th_flags=TH_SYN;
tcpheader->th_of f=sizeof(struct tcphdr)/4;
tcpheader->th_win=htons(2048);

bzero(&pseudoheader,12+sizeof(struct tcphdr));
pseudoheader.saddr.s_addr=sin.sin_addr. s_addr;
pseudoheader.daddr.s_addr=sin.sin_addr.s_ addr;
pseudoheader.protocol=6;
pseudoheader.leng th=htons(sizeof(struct tcphdr));
bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));
---snip---

At least Windows NT is supposedly patched.

[Deathlizard]

http://support.microsoft.com/default.aspx?scid=kb; en-us;165005

Re:so what?

[m50d]

This isn't funny, it's sad. People have been so brainwashed by MS that they believe it's normal for machines to not be safe if they have a direct internet connection.

Mod parent down

[Ulric]

That's a list of operating systems from 1997, taken out of an exploit from 1997. Linux 2.0.30? Novell 4.11? Solaris 2.5.1?

Re:Not that big of a deal

[Ulric]

Anybody with a web server must accept incoming syn packets. If they are "protected" by something like:

permit tcp any host 1.2.3.4 eq 80

Then they are probably vulnerable.

exploit

[imipak]

Courtesy of the fine (French) folk at k-otik.org... an exploit.

Unfortuntately the b0rked Slashdot lameness filter won't allow code to be posted even when 'post as code' is selected :?

Solaris 2.5.1? Yes, it's still about.

[hot_Karls_bad_cavern]

Believe it or not, some folks still use Solaris 2.5 and 2.6 versions. I used to work at a university whose physics department was fortunate enough to have two electron scanning microscopes, one old and huge and one new, smaller one. The old one had controlling software that was custom, to say the least, and written by a German firm that's been out of business for a few years now.

Guess what OS the software ran on? And what hardware connections were custom to the old Sparc-based controller the ran the thing? Wohoo! Old Solaris was the only way it'd still 'go'.

Well, sneaker-net wasn't going to work for the grads that were abroad and well, the profs wanted network access, so they were going to get it. Short of the long, we had to build, tweak and mess with all kinds of junk (tcpwrappers, ssh, ssl) before it went back on the network (yes, that donkey had been hacked before). So yes, there's lots of old Solaris still out there.

And before anyone asks, yes I finally quit that job due to *not* being able to secure things like this. Authenticating gateways, openvpn, pf on Solaris (boss would *never* let me put that on all the machines we cared for ... unbelievable really), moving *away* from Sendmail, installing Solaris machines with everything locked down, etc, etc). Drove me fucking mad.