Bugtraq: Windows Server 2003 and XP SP2 LAND attack vulnerability

[cacosapo]

Browsing bugtraq "news" (in fact on insecure.org), i ve found this:
http://seclists.org/lists/bugtraq/2005/Mar/0112.html
Funny. Is this problem introduced on Windows XP by SP2 or it was there previously and i didnt notice? i swear that MS fixed this problem years ago.
Altough is a severe error (bad problem tracking) i dont think we need to worry about that, since we use to run Windows protected by a firewall.
Or am i wrong?
Maybe someone from inside can explore this.

[nebulus200]

The folks over at SANS had some interesting insight into it:

http://isc.sans.org//index.php

I tested it (you have to use a port that really is listening) and while it didn't crash my test computer, it did spike the CPU like no tomorrow. Oddly enough home edition isn't vulnerable...

[ric-o]

Yeah I tested it too...against a Windows Server 2003 and it took the CPU to 98-100% and basically made the box unusable. I also tested it against a Windows XP SP2 box and found it didn't spike the CPU but did cause the box to be unstable and had to reboot to recover.

The CPU spiking on the 2003 box only spiked during the attack...once it was done the CPU went back to normal.

What's amazing is that this type of attack was around in the late 1990's but the vuln went away because OS's were fixed...where in the hell was M$ when they tested these new OS's against OLD attacks. And to find that XP SP2, which was specifically developed with security in mind, is vulnerable....unbelievable.

I'm amazed.

[Jebo Majku]

the guys post is dated March 5/05. today it just monday. it might be too soon to see a response. give it til mid week @ earliest.

[cacosapo]

Originally posted here by Jebo Majku
the guys post is dated March 5/05. today it just monday. it might be too soon to see a response. give it til mid week @ earliest.

Microsoft was informed 7 days ago (25.02.2005, GMT +1, local time), NO answer received, so I decided to share this info with security community.

It looks like that MS was informed and just give a s.. to it. After 7 days without a response, he just informed the comunity. Fair enough for me.

[ric-o]

Originally posted here by Jebo Majku
the guys post is dated March 5/05. today it just monday. it might be too soon to see a response. give it til mid week @ earliest.

So you're saying 8 years isn't enough time to develop a patch???? LOL This attack was seen back in 1997 and my beef with M$ is why are their new O/S's vulnerable to this legacy exploit.

Posted by cacosapo:
It looks like that MS was informed and just give a s.. to it. After 7 days without a response, he just informed the comunity. Fair enough for me

'oh, you wanted the patch to be regression tested too?'
I disagree...7 days is NOT enough time to develop and test a patch. This has been hashed out here at AO many times but I'm a security admin/mgr as well as ex-administrator and while I want full disclosure, there are boundaries that need to be kept.

The good news is that most firewalls (if not all) and routers have IP address spoofing protections so they aren't vulnerable to a LAND attack.

You want your worms chocolate covered or plain?

[cacosapo]

disagree...7 days is NOT enough time to develop and test a patch.

Sorry but you misunderstood my statement. What i said (or mean to) is "It is a very old bug and MS already fixed it on previously O.S.. And since MS (according to the guy) didnt reply anything, it was the best thing to do"
Why i said that?
- Because the error is easy to reproduce
- Because MS already patched it before
- Due to this MS should AT LEAST replied to the guy "Hey, we reproduced the error on the Lab and you are right. We are producing an emergency patch for (some date) and we would like you to keep this bug out of the public domain until (some date)".

is it too hard for MS?

[thehorse13]

I went through the same ordeal with MS about a week ago. I reported an old ass vulnerability, gave them 2 or so weeks to do something and got nothing. I released it to Bugtraq and had a few piss ants bitching that I wasn't reponsible with my disclosure.

Anyway, rant over.

I tested this too and scripted it with TCPReplay and BLAMMO, all W2K3 servers (fully patched) in my rack were locked dead through the actions of a PII linux lappy. Gotta love it.

[killerbeesateme]

I'm not sure this is that big of a deal, while it is legacy, when i tested it on a coworkers laptop just to screw around at the office, It really didn't do anything. While i didn't continually blast him with packets, while his CPU was at 100%, it didn't completely effect his usability, and as far as the instability comment that was made either here or on the SANS site, we haven't noticed that either.

All in all, this is lame. While scripting it and getting inside a firewall could cause a problem, all you have to do is shut down the offending computer, or unplug it from the network, and all is back to normal. I didn't read the post above me when i was typing this, but in response to that, isn't it a simple IPSec rule to disable that? Sorry I don't manage too many servers, and their Win2k so I'm not in position to talk. This is just an outside perspective.

While alot of home users might not be behind a firewall, a common instinct with most people is to shut down the computer when it starts getting slow. If the attacker keeps blasting them with packets, their next major reaction is to either call someone, or simply shut it down and not go back to it for a day or at least a few hours. by then, the attacker is probably bored, or thinks that he accomplished his feat and goes on to harass someone else.

While I agree that its 8 years old, and its freakin stupid its there in the first place, all in all, this really isn't all that much to be worried about. I think the major impact of this is that, who knows what other sploits from back in the day still work. If they let one slip thru, then their could be more, and they could be worse.

Maybe i'm just missing something. And I really hate MS, but maybe they tested in the lab, and came to the same conclusion i did. this is lame. It serves no better purpose than to screw with people at the office for fun, or to cause some trouble in LAN parties.

[Tiger Shark]

While there clearly is a vulnerability I don't think anyone in their right mind would be running mission critical apps on vulnerable software that isn't protected by a firewall that would recognize the spoofed packet and drop it. So, other than fun and games or a malicious user who can be severly beaten with large sticks it's really a non-entity in the world of vulnerabilities and therefore I'm sure M$ is treating it as just that.