Re: Windows Server 2003 and XP SP2 LAND attack vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability
From: <paul14075@xxxxxxxxxxxx>
Date: 8 Mar 2005 13:32:23 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

In-Reply-To: <20050307215532.GA24251@xxxxxxxxxxxxxxxxxxxx>

I can confirm a 15-30 second DoS condition (per packet) on Windows XP 
Professional SP2 (100% up2date with all Microsoft patches).  I tested port 139 
which was open and unfirewalled.  

I found that the IP and TCP header checksums *do* need to be correct in order 
to exploit, and I also found that land.c does not generate valid tcp header 
checksums.

Here's a hex dump of the packet that I used:

0000  00 03 47 c6 88 2c 00 10  5a cc 59 84 08 00 45 00   
0010  00 28 0f 1c 00 00 ff 06  29 21 c0 a8 01 21 c0 a8   
0020  01 21 00 8b 00 8b 00 00  0f 1c 00 00 00 00 50 02   
0030  08 00 14 1e 00 00


paul14075 on adelphia d0t com      
                           


>I would like to hear from someone who can reproduce this. If you can, please 
>send
>details with OS, patches installed, pcaps, etc. not a report of what tools you 
>used
>to create the packet, sniff and replay the results. I've tested this and 
>either my
>machines are magically protected from this attack, or it is invalid (despite 
>what
>the press might say). I'd like some outside corroboration of this attack.
>
>
>On 05-Mar-2005, Dejan Levaja wrote:
>> 
>> 
>> Hello, everyone.
>> 
>> Windows Server 2003 and XP SP2 (with Windows Firewall turned off)  are 
>> vulnerable to LAND attack. 
>> 
>> LAND attack:
>>  Sending TCP packet with SYN flag set, source and destination IP address and 
>> source and destination port as of destination machine, results in 15-30 
>> seconds DoS condition. 
>> 
>> 
>> Tools used:
>>  IP Sorcery for creating malicious packet, Ethereal for sniffing it and 
>> tcpreplay for replaying. 
>> 
>> Results:
>>  Sending single LAND packet to file server causes Windows explorer freezing 
>> on all workstations currently connected to the server. CPU on server goes 
>> 100%. Network monitor on the victim server sometimes can not even sniff 
>> malicious packet. Using tcpreplay to script this attack results in total 
>> collapse of the network.
>> 
>> Vulnerable operating systems:
>> Windows 2003
>> XP SP2
>> other OS not tested (I have other things to do currently ? like checking 
>> firewalls on my networks ;) )
>> 
>> Solution:
>>  Use Windows Firewall on workstations, use some firewall capable of 
>> detecting LAND attacks in front of your servers.
>> 
>> Ethic:
>>  Microsoft was informed 7 days ago (25.02.2005, GMT +1, local time), NO 
>> answer received, so I decided to share this info with security community. 
>> 
>> 
>> Dejan Levaja
>> System Engineer 
>> Bulevar JNA 251
>> 11000 Belgrade
>> Serbia and Montenegro
>> cell: +381.64.36.00.468
>> email: dejan@xxxxxxxxxx
>> 
>

Prev by Date: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability
Next by Date: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability
Previous by thread: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability
Next by thread: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability
Index(es):
- Date
- Thread