Windows 2003 and XP SP2 Vulnerable To LAND Attack 534
An anonymous reader writes "Dejan Levaja, a Serbian security engineer has discovered that nearly 8 years after the attack was first made public, Windows 2003 and Windows XP SP2 are in fact vulnerable to the historic LAND attack." Granted, you need to have the firewall turned off for this to work, but there's a whole lotta machines that don't have it turned on.
Only win ? (Score:4, Interesting)
Re:Only win ? (Score:5, Informative)
MOD PARENT UP ! (Score:4, Informative)
BSDI 2.1 (K210-021,K210-022,K210-024) NOT vulnerable
BSDI 3.0 NOT vulnerable
Digital UNIX 4.0 NOT vulnerable
FreeBSD 2.2.2-RELEASE IS vulnerable
FreeBSD 2.2.5-RELEASE IS vulnerable
FreeBSD 2.2.5-STABLE IS vulnerable
FreeBSD 3.0-CURRENT IS vulnerable
HP-UX 10.20 IS vulnerable
IRIX 6.2 NOT vulnerable
Linux 2.0.30 NOT vulnerable
Linux 2.0.32 NOT vulnerable
MacOS 8.0 IS vulnerable (TCP/IP stack crashed)
NetBSD 1.2 IS vulnerable
NeXTSTEP 3.0 IS vulnerable
NeXTSTEP 3.1 IS vulnerable
Novell 4.11 NOT vulnerable
OpenBSD 2.1 IS vulnerable
OpenBSD 2.2 (Oct31) NOT vulnerable
SCO OpenServer 5.0.4 NOT vulnerable
Solaris 2.5.1 IS vulnerable (conflicting reports)
SunOS 4.1.4 IS vulnerable
Windows 95 (vanilla) IS vulnerable
Windows 95 + Winsock 2 + VIPUPD.EXE IS vulnerable
Mod parent down (Score:5, Insightful)
Solaris 2.5.1? Yes, it's still about. (Score:5, Interesting)
Guess what OS the software ran on? And what hardware connections were custom to the old Sparc-based controller that ran the thing? Wohoo! Old Solaris was the only way it'd still 'go'.
Well, sneaker-net wasn't going to work for the grads that were abroad and well, the profs wanted network access, so they were going to get it. Short of the long, we had to build, tweak and mess with all kinds of junk (tcpwrappers, ssh, ssl) before it went back on the network (yes, that donkey had been hacked before). So yes, there's lots of old Solaris still out there.
And before anyone asks, yes I finally quit that job due to *not* being able to secure things like this. Authenticating gateways, openvpn, pf on Solaris (boss would *never* let me put that on all the machines we cared for
Re:Mod parent down (Score:4, Insightful)
It's also clear that (outside of the Microsoft world) newer versions won't suffer the same vulnerability, nor will it be allowed to persist if somehow the same bug does sneak back into the codebase.
I sometimes wonder if there's a single Microsoft shill or fan with an IQ that breaks triple digits
Re:Only win ? (Score:4, Funny)
Since that site appears to be slashdotted, google turned up another one. [clifford.at].
Might as well take down both of them, right?
Re:Only win ? (Score:5, Funny)
Re:Only win ? (Score:5, Funny)
*snort*. You owe me a new keyboard.
Re:Only win ? (Score:4, Interesting)
If anyone is interested, I had to modify the program to get it to work in linux (the structures have changed since this was originally written).
Here is a patch so you can test other OSes.
land.diff [usu.edu]
Curse you slashcode! It won't let me inline the patch. Oh well. Download it if you want it.
Re:Only win ? (Score:5, Informative)
1st: The checksum code is always off by 3 in that file. Subtract 3 from the value before you take the complement and it'll be right. (this is a kludge, I haven't taken the time to actually figure out why it's wrong yet)
2nd: It causes 100% CPU usage on a WinXP SP2 box for about 3 seconds for each packet sent!!!
3rd: It can be blocked (and probably IS blocked) by most routers since the source and destination addresses are the same.
I got permission to send one of these packets to my friend's Win2003 box and as far as we can tell, it didn't do anything. I don't know if the packet is getting through though.
4th: Also, I retested the Mac, and again, the malformed packet did nothing.
Little known fact (Score:5, Funny)
Re:Little known fact (Score:3, Funny)
Re:Little known fact (Score:5, Funny)
Re:Little known fact (Score:5, Funny)
There was this one time...in Hawaii...
Re:Little known fact (Score:5, Funny)
Re:Little known fact (Score:5, Funny)
They had put it on an aircraft carrier and navigated it away from shore immediately, when they heard about the LAND exploit. To their delight, it stayed pretty stable in the middle of the sea.
Re:Little known fact (Score:5, Funny)
Re:Little known fact (Score:5, Interesting)
There are people in the US Navy who are actively interested in Linux, but they are heavily outnumbered by fans of Windows and SCO Unix.
wow (Score:5, Funny)
Re:wow (Score:5, Funny)
The other thing Microsoft won't tell you is that if paramilitants do a home invasion, they can take your machine right out of the house and have access to all data and the entire network, for that matter.
Solution: Install complex home alarm system, man traps, CCTV, and acquire armed guards, string up razor wire and dig tunnel system deep in the jungle.
Ethic:
I told microsoft that their computers were totally unprotected from physical theft by armed gangs of paramilitants and received no response. I am now sharing this with the community.
No Sir, It's not similar (Score:2)
Re:wow (Score:3, Insightful)
Re:wow (Score:5, Insightful)
This incident is just another example which demonstrates the importance (or more accurately, the lack thereof) that Microsoft's corporate culture places on security. Hasn't anyone at Microsoft ever heard about regression testing?
Microsoft has consistently demonstrated that, regardless of what their press releases say, security is NOT one of their priorities. People need to start waking up and realizing this before they entrust their critical infrastructure to Microsoft products.
Re:wow (Score:4, Funny)
Re:wow (Score:5, Interesting)
Simply this is not something users are going to notice the lack of. They'll certainly notice it's there if their machines get hit with a Land attack though. It is NOT a case of MS trying to make changes slowly to not confuse customers, it's a big blunder.
Ultimately though your defense of MS is unwarranted. They publicly declared a while back (1-2 years now I think) that security was going to be a primary focus for them. This was pre-SP2 days. That they re-introduced a vulnerability from eight years ago speaks great volumes about that focus. If MS wants to claim they're security-focused now they deserve the lumps they get for foolish mistakes like this.
Re:wow (Score:3, Interesting)
Even worse, maybe the leak was caused because people were shoving large objects down there.
In this case, the large object was a land attack, so fixing the pipe and noting that shoving a large object through the pipe did not break it would be expected. However, windows is not a leaky pipe, and it doesn't suffer from cold weather or any other sort of physical degradation. Put simply, this is a known vulnerability that should have been tested as part of QA. It wasn't.
Re:wow (Score:3, Interesting)
Re:wow (Score:3, Interesting)
Every company that does computer work has to be a security company now. Many companies are completely dependent on computers and most of their crown jewels are stored on them. Many home users have sensitive banking information stored on their computers. Building broken software that allows system disruption or data to be stolen will lose customers. Part of my job is to migrate systems from Windows to Linux, specifically because of security and stabil
Re:wow (Score:3, Insightful)
True, but this is like excusing someone who fits front doors after they fit a load which have no locks (and are marketed as having locks) because they're not a security company, just a front door company.
You tell them they should focus more on security than making a GUI that can be used equally well if you have perfect vision or are blind or anywhere in between.
Having recently installed Windows XP for some testing (the last version of Windows I used
News? (Score:5, Insightful)
Machines that are not protected are vulnerable. Well, that isn't really news is it? Sounds pretty silly to me.
Re:News? (Score:5, Insightful)
A box running no services should not be vulnerable to any DoS except brute force even without a firewall. A firewall shouldn't be a solution to poor design/implementation problems and code bugs. That is simply not working. What if someone gets through the firewall?
Re:News? (Score:3, Insightful)
Then you get attacked I guess but I have a feeling that if the firewall is up the would-be attackers would move on to a more vulnerable attacker.
Re:News? (Score:3, Insightful)
A system is only as strong as its weakest component
If you put that on a platform level from the viewpoint of a software developer organization it clearly means that you need to code the system in a way t
Re:News? (Score:3)
Re:News? (Score:5, Informative)
Re:News? (Score:5, Funny)
Re:News? (Score:3, Funny)
Re:News? (Score:5, Insightful)
Generally speaking, just about any Windows instance is going to have at least these ports open:
So this could wreak havoc on business or residential networks. But then, I guess this is what you get for giving your users or peers an inappropriate level of trust.
Re:News? (Score:3, Insightful)
Might as well unplug it (Score:4, Insightful)
The only way to safely run this server is to place it behind a SPI firewall. Packet filters will have a hard time detecting and blocking this kind of attack, you will need a full blown SPI to defend and block against these attacks.
SMCs, Linksys and other consumer-level firewalls seem to be vulnerable [homenethelp.com] to this thing, the only thing that might save your server is the NAT they might provide. Of course if you are running your server on a public routable IP, then you better start thinking of running a serious setup there.
Re:News? (Score:3, Insightful)
Re:News? (Score:3, Insightful)
To accept a connection on a IP port, you need a service running. If you have no such service running, no connections are possible. Having such services running but then blocking them with another layer of software is pointless and adds more potential failure modes to the system. If you want a stupid car analogy, it is so
Re:News? (Score:3, Insightful)
Security patching is our last line of defence, because if you're actually getting packets to the servers, that packet has already been vetted by two different types of firewall and a number of routers.
Re:News? (Score:3, Interesting)
However, that is far from the point. The point is that 8 years after an attack was discovered, Microsoft's commercial OS was STILL vulnerable to it. Obviously, if they're leaving themselves open to such vintage attacks as LAND, their security testing proc
Windows (Score:5, Funny)
Wait... (Score:5, Funny)
What kind of software dev process do MS use? (Score:5, Interesting)
Re:What kind of software dev process do MS use? (Score:5, Funny)
Re:What kind of software dev process do MS use? (Score:3, Interesting)
Slightly offtopic but in reply to the parent post..
My wife bought a new machine with XP home. I decided to move some files. I turned on sharing. I wanted some protection. I tried to set a password on the shared folder.... Um where do you set a password on a folder for read and write privileges? It is missing. You can't share a folder and deny write privileges! This is major not good. My old version of Windows 95 does bette
Re:What kind of software dev process do MS use? (Score:4, Informative)
Re:What kind of software dev process do MS use? (Score:5, Interesting)
As a further indication that I was right, I put an interface around the public interface of my libraries to validate all the parameters and actions. I noticed some people would make the same error so much that I even personalized some of the error messages. Like: "You're passing a string instead of an address John", and "You're reading from a closed object Kevin".
Re:What kind of software dev process do MS use? (Score:5, Funny)
Want to do your own testing? (Score:4, Informative)
hping2 aaa.bbb.ccc.ddd -s 135 -p 135 -S -a aaa.bbb.ccc.ddd
Obviously, replace aaa.bbb.ccc.ddd w/ the ip address of the workstation you'd like to test
Re:What kind of software dev process do MS use? (Score:4, Funny)
Oh, regression tests! Those things! Bill Gates thought they were just funny-looking packing peanuts and threw them out.
so what? (Score:2, Funny)
Re:so what? (Score:5, Insightful)
Only one thing though... (Score:5, Insightful)
Anyway, given all the warnings about Internet security in the last five years, the majority of users will already have downloaded and installed firewall programs such as ZoneAlarm.
Re:Only one thing though... (Score:5, Insightful)
Re: (Score:3, Insightful)
It means more than you think... (Score:3, Insightful)
So now we have Bill Gates and co. coming out and saying, "Windows is our #1 priority." Everyone feels better, because hey... Bill's on the case right?
Then, out of left-field, it turns out that Windows is vulnerable to an exploit that's practically ancient in the biz. And what if you can get through the firewall somehow? Or what if you're cruising around wireless networks on a laptop?
This kind of on
Re:Only one thing though... (Score:3, Insightful)
And when some worm implementing this attack rides inside of the firewall on a laptop or some removable media and attacks from the inside?
Re:Only one thing though... (Score:3, Interesting)
Windows running slow? (Score:5, Funny)
Guess we need Boston Church XP (Score:5, Funny)
Re:Guess we need Boston Church XP (Score:3, Funny)
On a more serious note.. (Score:5, Interesting)
At least with SP2 there is some basic security in terms of the firewall being on by default.
Still, never thought I'd see a slashdot article linking to a page about Trumpet Winsock in 2005!
Safest OS (Score:5, Funny)
Microsoft Notified (Score:5, Funny)
Microsoft was informed 7 days ago (25.02.2005, GMT +1, local time), NO answer received, so I decided to share this info with security community.
Of course they didn't reply. They're under LAND attack, and your message is caught in the server. You must have sent them a proof-of-concept, so what did you expect?
What is the LAND attack? (Score:5, Informative)
So it's a way to either remotely lock up or reboot a target machine. I would assume (not having, you know, tried it or anything) that this includes most windows-based webservers.
I know its been around, but...Linking to source? (Score:2, Insightful)
Tm
Re:I know its been around, but...Linking to source (Score:3, Insightful)
Honestly. Why don't you just stick your head in the ground every time there's a problem. If you don't see it, it can't be real
And source isn't useful to many people (Score:5, Insightful)
I mean ethical issues aside, it's just not that helpful to most people. I'm sure most people thought "WTF is a LAND attack?" and clicked on the link to see. Getting a C file is probably not the answer they wanted, especially given that it doesn't seem to be transferring, so I can't even see if it has useful comments or not.
When doing
UNLABELED too. (Score:5, Insightful)
Not only that, it was unlabeled. That means anybody who followed the link now has a copy of the malware in their machine's webcache, minimum. And if they saved it (to keep the list of vulnerable configurations, for example) they have the malware itself.
This simultaneously puts a bunch of slashdot readers at legal risk (from false prosecution and/or in-court character assassination, based on evidence from a seized computer) and gives real baddies plausible deniability.
Re:I know its been around, but...Linking to source (Score:5, Informative)
---snip---
bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr));
ipheader->version=4;
ipheader->ihl=si
ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr));
ipheader->id=htons(0xF1C);
ipheader->
ipheader->protocol=IP_TCP;
ipheader->sa
ipheader->daddr=sin.sin_
tcpheader->th_sport=sin.sin_port;
tcpheader->t
tcpheader->th_seq=htonl(0xF
tcpheader->th_flags=TH_SYN;
tcpheader->th_o
tcpheader->th_win=htons(2048);
bzero(&pseudoheader,12+sizeof(struct tcphdr));
pseudoheader.saddr.s_addr=sin.sin_addr
pseudoheader.daddr.s_addr=sin.sin_addr.s
pseudoheader.protocol=6;
pseudoheader.len
bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));
---snip---
Open ports (Score:5, Insightful)
Can anyone confirm? (Score:5, Interesting)
Re:Can anyone confirm? (Score:4, Informative)
A test listed in an above comment of mine worked for my box. DL hping2 and try:
hping2 aaa.bbb.ccc.ddd -s 135 -p 135 -S -a aaa.bbb.ccc.ddd
Obviously, replace aaa.bbb.ccc.ddd w/ the ip address of the workstation you'd like to test
Oh c'mon, that isn't fair. (Score:5, Funny)
Besides, like everyone here says, it is the user's own fault for not using a firewall. Having an expectation that 8 yr old attacks should be fixed is just unreasonable.
WTF, are you all on crack?
so all windows servers are vulnerable to this? (Score:2)
Sending TCP packet with SYN flag set, source and destination IP address and source
and destination port as of destination machine, results in 15-30 seconds DoS condition.
So sending every 10 seconds such a packet to a windows internet (http) host will make it disappear from the internet? DoS attack? that is lame.
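For anyone who would rather recognise this packet in a capture than send it, here is an added example (not code from the thread, the advisory, or any of the linked exploits) of a small IPv4/TCP header parser that applies exactly the condition quoted above: SYN set, source address equal to the destination address, source port equal to the destination port. It also verifies the TCP checksum over the pseudo-header, so a segment the target stack would silently discard can be told apart from one it would actually process. The addresses are documentation ranges, the packets are constructed in memory as test fixtures, and nothing touches a socket; the parser assumes raw IPv4 packets with no link-layer header in front.

```python
"""Flag LAND-pattern TCP segments (src == dst address, sport == dport, SYN) in raw IPv4 packets.

Added detection example; assumes raw IPv4 bytes without a link-layer header.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List

IPPROTO_TCP = 6
TH_SYN = 0x02  # TCP flag bit for SYN


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP and TCP checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with a zero octet
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def inet_checksum(data: bytes) -> int:
    """Checksum field value: the complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


@dataclass
class TcpSummary:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    tcp_checksum_ok: bool


def parse_ipv4_tcp(raw: bytes) -> TcpSummary:
    """Parse the IPv4 and TCP headers of one raw packet; raises ValueError if it is not IPv4/TCP."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != IPPROTO_TCP:
        raise ValueError("not a TCP segment")
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    tcp = raw[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]
    # The TCP checksum covers a pseudo-header (addresses, zero, protocol, TCP length) plus the
    # segment. Summing the segment with its checksum field left in place yields 0 when it is valid.
    pseudo = raw[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    checksum_ok = inet_checksum(pseudo + tcp) == 0
    return TcpSummary(src, dst, sport, dport, flags, checksum_ok)


def is_land(pkt: TcpSummary) -> bool:
    """The LAND condition: a SYN that claims to come from the very socket it is addressed to."""
    return pkt.src == pkt.dst and pkt.sport == pkt.dport and bool(pkt.flags & TH_SYN)


def scan(packets: List[bytes]) -> List[int]:
    """Indices of packets matching the LAND pattern; non-IPv4/TCP packets are skipped."""
    hits = []
    for i, raw in enumerate(packets):
        try:
            pkt = parse_ipv4_tcp(raw)
        except ValueError:
            continue
        if is_land(pkt):
            hits.append(i)
    return hits


def make_syn(src: str, dst: str, sport: int, dport: int, seq: int = 0x0F1C) -> bytes:
    """Construct a minimal IPv4+TCP SYN with valid checksums. Test fixture only; nothing is sent."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, TH_SYN, 2048, 0, 0)
    pseudo = s + d + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x0F1C, 0, 64, IPPROTO_TCP, 0, s, d)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


# Constructed samples using documentation address ranges (192.0.2.0/24, 198.51.100.0/24).
SAMPLE_PACKETS = [
    make_syn("198.51.100.7", "192.0.2.10", 40000, 135),  # ordinary SYN from a remote client
    make_syn("192.0.2.10", "192.0.2.10", 135, 135),      # LAND pattern: mirrors the target's socket
    make_syn("192.0.2.10", "192.0.2.10", 40001, 135),    # same address, different ports: not LAND
]

if __name__ == "__main__":
    for i in scan(SAMPLE_PACKETS):
        p = parse_ipv4_tcp(SAMPLE_PACKETS[i])
        print(f"packet {i}: LAND pattern {p.src}:{p.sport} -> {p.dst}:{p.dport}, "
              f"TCP checksum ok={p.tcp_checksum_ok}")
```

The checksum check is what separates this from a one-line tuple comparison: a stack drops segments with a bad TCP checksum before TCP processing, so only a LAND-pattern segment that also passes the checksum can reach the code path the thread is discussing. Feeding this the packets of a pcap (after stripping the Ethernet header) gives a quick answer to whether the "source equals destination" traffic a router or IDS is logging is really the malformed SYN or just a mis-parsed frame.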
Retro! (Score:5, Funny)
Now that my WinXP SP2 system is susceptible to land again, it's getting me into a nostalgic mood. I think I'll go play Ms PacMan on my MAME cabinet now.
Am I vulnerable? (Score:3, Interesting)
I am otherwise up-to-date with windows updates. I have a linksys router for my internet connection, but no software firewall.
Am I vulnerable to this and other issues? Should I update to SP2 already (the first time I tried it crashed while installing, didn't even work, but I could prob. get it to work next time). Or should I stay with SP1 for games?
Thank you.
Big deal... (Score:3, Interesting)
We've moved on to more productive uses of vulnerable machines (e.g. spam zombies). Who wants to do a DOS attack on a machine without a firewall anyway? What's the point?
Everyone has good points, and yet.... (Score:5, Funny)
Granted you have to have a computer next to a cup of coffee for this to work, but MANY PEOPLE DO!!!!!!!!!!
"LAND" war in Asia ... (Score:5, Funny)
(Yeah, off topic, I don't care.)
At least Windows NT is supposedly patched. (Score:5, Informative)
Explanation of LAND attack (Score:3, Informative)
This was close... (Score:3, Funny)
Can you imagine what amount of fear I felt when I realized that this guy lived only 2 miles from my office...
Damnit! (Score:4, Interesting)
Malware (Score:3, Insightful)
User is in big corp behind firewall.
User receives email claiming to be something or other.
User runs attachment.
All 'doze boxes in big corp stop working.
Firewalls are (a) not the answer to all crap coding and (b) not perfect solutions even so.
Justin.
exploit (Score:5, Informative)
Unfortunately the b0rked Slashdot lameness filter won't allow code to be posted even when 'post as code' is selected :?
Turn off the firewall? (Score:4, Informative)
OK, so what you're saying is that in order for XP to be vulnerable, it must be directly connected to the Internet, the user must specifically have disabled the firewall, and no intermediate firewall must be present.
At what point do we cease blaming Microsoft for stupid user tricks? I mean, Microsoft has freely given SP2 to anyone who wants it. Pretty soon it will be a mandatory download from WindowsUpdate. People bitched and moaned for years that Microsoft didn't do enough for security and didn't default to having updates apply automatically. But when Microsoft finally does improve security (with a better firewall) and tries to turn it all on by default, everyone griped. Damned if you do...
Look, if a Windows zealot took something like Fedora, turned on a bunch of services, turned off the firewall, and then griped because his box got hacked, Slashdotters everywhere would be screaming that this guy was a fool, that Linux security is great when it's not sabotaged by an idiot at the keyboard. And they'd be right. But when an attack requires that a Windows user actively subvert the very security measures Microsoft's put in place to protect him, everybody blames Microsoft. Nope, no bias to see here, citizens, please move along.
Re:Turn off the firewall? (Score:3, Interesting)
Although it's a good idea to have an intermediate firewall to catch obviously bogus packets, that's not an excuse for Microsoft to be sloppy.
As for disabling the firewall, while that's probably a bad idea for Joe Home User, what if I want to run my web site off of a Windows XP box? Presumably
Ho hum (Score:3, Informative)
Linux version of the exploit (Score:3, Interesting)
Here's [duncanthrax.net] the code that should compile on Linux.
In other news... (Score:3)
Knock knock.
Who's there?
Pizza man.
I didn't order a pizza.
(pause)
Mailman.
Today is Sunday, there is no mail.
(pause)
Doorman.
Our building has no doorman.
(pause)
Travelling salesman.
I don't want anything.
(pause)
Gumby.
Oh, it's Gumby!
(opens door)
RARRRRRRR!!!!!
Now that's ... (Score:3, Funny)
Let's see OSS match this! A bug, almost a decade old, STILL SUPPORTED!
Re:Not that big of a deal (Score:5, Insightful)
That is like saying the rape victim is at fault "'cause she looked so sexy"
Re:Not that big of a deal (Score:5, Interesting)
Oh, and standard policy is to have user accounts set up as Administrator at all times.
Cleaning up infected machines is a never-ending endeavour. Oddly, the few departments run by competent admins (as in, not the university's IT department) where user accounts are set up only as Users (among other things) don't have any security problems at all. I wonder why..
Oh, and before anyone blames me: I'm a grunt with no authority whatsoever. I've voiced my objections to the way things are run, but I can do little more than that.
Re:Not that big of a deal (Score:4, Insightful)