Re: Windows Server 2003 and XP SP2 LAND attack vulnerability

[Espen "Grndahl" <espen.groendahl () siemens com>]

In-Reply-To: <20050307215532.GA24251 () logos microshaft org>

Hello

I've been able to reproduce this.

I used ipmagic on debian 3.0 and sendt a packet to a fully patched Windows 2003 server running on Vmware ESX server. I 
got a 1-5 sec. 100% load on the CPU on the target server. 1 packet/pr. sec. was enough to keep the CPU on 100% load.

Espen Grøndahl

> Received: (qmail 25355 invoked from network); 8 Mar 2005 04:31:31 -0000
> Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 8 Mar 2005 04:31:31 -0000
> Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
>       by outgoing3.securityfocus.com (Postfix) with QMQP
>       id 663A42373B4; Mon,  7 Mar 2005 15:12:20 -0700 (MST)
> Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq () securityfocus com>
> List-Help: <mailto:bugtraq-help () securityfocus com>
> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
> Delivered-To: mailing list bugtraq () securityfocus com
> Delivered-To: moderator for bugtraq () securityfocus com
> Received: (qmail 30519 invoked from network); 7 Mar 2005 14:39:33 -0000
> Date: Mon, 7 Mar 2005 13:55:32 -0800
> From: "Jon O." <jono () networkcommand com>
> To: Dejan Levaja <dejan () levaja com>
> Cc: bugtraq () securityfocus com
> Subject: Re: Windows Server 2003 and XP SP2 LAND attack vulnerability
> Message-ID: <20050307215532.GA24251 () logos microshaft org>
> References: <20050305181714.22945.qmail () www securityfocus com>
> Mime-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Disposition: inline
> In-Reply-To: <20050305181714.22945.qmail () www securityfocus com>
> User-Agent: Mutt/1.4.1i
> X-No-Archive: yes
> X-Scanned-By: logoscan
>
> All:
>
> I would like to hear from someone who can reproduce this. If you can, please send
> details with OS, patches installed, pcaps, etc. not a report of what tools you used
> to create the packet, sniff and replay the results. I've tested this and either my
> machines are magically protected from this attack, or it is invalid (despite what
> the press might say). I'd like some outside corroboration of this attack.
>
>
> On 05-Mar-2005, Dejan Levaja wrote:
> > Hello, everyone.
> >
> > Windows Server 2003 and XP SP2 (with Windows Firewall turned off)  are vulnerable to LAND attack. 
> >
> > LAND attack:
> >  Sending TCP packet with SYN flag set, source and destination IP address and source and destination port as of 
> > destination machine, results in 15-30 seconds DoS condition. 
> >
> >
> > Tools used:
> >  IP Sorcery for creating malicious packet, Ethereal for sniffing it and tcpreplay for replaying. 
> >
> > Results:
> >  Sending single LAND packet to file server causes Windows explorer freezing on all workstations currently connected 
> > to the server. CPU on server goes 100%. Network monitor on the victim server sometimes can not even sniff malicious 
> > packet. Using tcpreplay to script this attack results in total collapse of the network.
> >
> > Vulnerable operating systems:
> > Windows 2003
> > XP SP2
> > other OS not tested (I have other things to do currently ? like checking firewalls on my networks ;) )
> >
> > Solution:
> >  Use Windows Firewall on workstations, use some firewall capable of detecting LAND attacks in front of your servers.
> >
> > Ethic:
> >  Microsoft was informed 7 days ago (25.02.2005, GMT +1, local time), NO answer received, so I decided to share this 
> > info with security community. 
> >
> >
> > Dejan Levaja
> > System Engineer 
> > Bulevar JNA 251
> > 11000 Belgrade
> > Serbia and Montenegro
> > cell: +381.64.36.00.468
> > email: dejan () levaja com