Bugtraq: Windows Server 2003 and XP SP2 LAND attack vulnerability
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Bugtraq: Windows Server 2003 and XP SP2 LAND attack vulnerability

  1. #1
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130

    Bugtraq: Windows Server 2003 and XP SP2 LAND attack vulnerability

    Browsing bugtraq "news" (in fact on insecure.org), i ve found this:
    http://seclists.org/lists/bugtraq/2005/Mar/0112.html
    Funny. Is this problem introduced on Windows XP by SP2 or it was there previously and i didnt notice? i swear that MS fixed this problem years ago.
    Altough is a severe error (bad problem tracking) i dont think we need to worry about that, since we use to run Windows protected by a firewall.
    Or am i wrong?
    Maybe someone from inside can explore this.
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  2. #2
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    The folks over at SANS had some interesting insight into it:

    http://isc.sans.org//index.php

    I tested it (you have to use a port that really is listening) and while it didn't crash my test computer, it did spike the CPU like no tomorrow. Oddly enough home edition isn't vulnerable...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    Yeah I tested it too...against a Windows Server 2003 and it took the CPU to 98-100% and basically made the box unusable. I also tested it against a Windows XP SP2 box and found it didn't spike the CPU but did cause the box to be unstable and had to reboot to recover.

    The CPU spiking on the 2003 box only spiked during the attack...once it was done the CPU went back to normal.

    What's amazing is that this type of attack was around in the late 1990's but the vuln went away because OS's were fixed...where in the hell was M$ when they tested these new OS's against OLD attacks. And to find that XP SP2, which was specifically developed with security in mind, is vulnerable....unbelievable.

    I'm amazed.

  4. #4
    the guys post is dated March 5/05. today it just monday. it might be too soon to see a response. give it til mid week @ earliest.

  5. #5
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Originally posted here by Jebo Majku
    the guys post is dated March 5/05. today it just monday. it might be too soon to see a response. give it til mid week @ earliest.
    Microsoft was informed 7 days ago (25.02.2005, GMT +1, local time), NO answer received, so I decided to share this info with security community.
    It looks like that MS was informed and just give a s.. to it. After 7 days without a response, he just informed the comunity. Fair enough for me.
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  6. #6
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    Originally posted here by Jebo Majku
    the guys post is dated March 5/05. today it just monday. it might be too soon to see a response. give it til mid week @ earliest.
    So you're saying 8 years isn't enough time to develop a patch???? LOL This attack was seen back in 1997 and my beef with M$ is why are their new O/S's vulnerable to this legacy exploit.

    Posted by cacosapo:
    It looks like that MS was informed and just give a s.. to it. After 7 days without a response, he just informed the comunity. Fair enough for me
    'oh, you wanted the patch to be regression tested too?'
    I disagree...7 days is NOT enough time to develop and test a patch. This has been hashed out here at AO many times but I'm a security admin/mgr as well as ex-administrator and while I want full disclosure, there are boundaries that need to be kept.

    The good news is that most firewalls (if not all) and routers have IP address spoofing protections so they aren't vulnerable to a LAND attack.

    You want your worms chocolate covered or plain?

  7. #7
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    disagree...7 days is NOT enough time to develop and test a patch.
    Sorry but you misunderstood my statement. What i said (or mean to) is "It is a very old bug and MS already fixed it on previously O.S.. And since MS (according to the guy) didnt reply anything, it was the best thing to do"
    Why i said that?
    - Because the error is easy to reproduce
    - Because MS already patched it before
    - Due to this MS should AT LEAST replied to the guy "Hey, we reproduced the error on the Lab and you are right. We are producing an emergency patch for (some date) and we would like you to keep this bug out of the public domain until (some date)".

    is it too hard for MS?
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    I went through the same ordeal with MS about a week ago. I reported an old ass vulnerability, gave them 2 or so weeks to do something and got nothing. I released it to Bugtraq and had a few piss ants bitching that I wasn't reponsible with my disclosure.

    Anyway, rant over.

    I tested this too and scripted it with TCPReplay and BLAMMO, all W2K3 servers (fully patched) in my rack were locked dead through the actions of a PII linux lappy. Gotta love it.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Member
    Join Date
    Oct 2002
    Posts
    81
    I'm not sure this is that big of a deal, while it is legacy, when i tested it on a coworkers laptop just to screw around at the office, It really didn't do anything. While i didn't continually blast him with packets, while his CPU was at 100%, it didn't completely effect his usability, and as far as the instability comment that was made either here or on the SANS site, we haven't noticed that either.

    All in all, this is lame. While scripting it and getting inside a firewall could cause a problem, all you have to do is shut down the offending computer, or unplug it from the network, and all is back to normal. I didn't read the post above me when i was typing this, but in response to that, isn't it a simple IPSec rule to disable that? Sorry I don't manage too many servers, and their Win2k so I'm not in position to talk. This is just an outside perspective.

    While alot of home users might not be behind a firewall, a common instinct with most people is to shut down the computer when it starts getting slow. If the attacker keeps blasting them with packets, their next major reaction is to either call someone, or simply shut it down and not go back to it for a day or at least a few hours. by then, the attacker is probably bored, or thinks that he accomplished his feat and goes on to harass someone else.

    While I agree that its 8 years old, and its freakin stupid its there in the first place, all in all, this really isn't all that much to be worried about. I think the major impact of this is that, who knows what other sploits from back in the day still work. If they let one slip thru, then their could be more, and they could be worse.

    Maybe i'm just missing something. And I really hate MS, but maybe they tested in the lab, and came to the same conclusion i did. this is lame. It serves no better purpose than to screw with people at the office for fun, or to cause some trouble in LAN parties.

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    While there clearly is a vulnerability I don't think anyone in their right mind would be running mission critical apps on vulnerable software that isn't protected by a firewall that would recognize the spoofed packet and drop it. So, other than fun and games or a malicious user who can be severly beaten with large sticks it's really a non-entity in the world of vulnerabilities and therefore I'm sure M$ is treating it as just that.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •