Re: LAND attack vulnerability on Windows Server 2003 and Windows XP

From: Marcio Vieira (vieira_at_CSTL.SEMO.EDU)
Date: 03/08/05

    Date:         Tue, 8 Mar 2005 11:48:42 -0600
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    We used the newland.exe v0.1 "proof of concept" program to "attack" some of
    our Windows 2003 Server boxes. In all cases, the target system's CPU usage
    went to 100% and stayed like that for 20-30s after the "attack" stopped.

    We were able to prevent the 100% CPU utilization by setting the value of
    "SynAttackProtect" to 1 or 2 in the TCP/IP parameters:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    SynAttackProtect = 1 (DWORD)

    Target systems: Windows 2003 Server Enterprise and Standard editions (didn't
    work in Windows XP SP2).

    More info:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;324270

    Marcio Vieira
    Southeast Missouri State University

    > -----Original Message-----
    > From: Windows NTBugtraq Mailing List
    > [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of James Rankin
    > Sent: Tuesday, March 08, 2005 7:26 AM
    > To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    > Subject: LAND attack vulnerability on Windows Server 2003 and
    > Windows XP
    >
    > A LAND attack vulnerability has been highlighted in Windows
    > XP and Windows Server 2003 by Dejan Levaja
    >
    > http://www.securityfocus.com/archive/1/392354
    >
    > It was later highlighted by CA as a High risk
    >
    > http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=32520
    >
    > There has been no vendor response to this as yet. Initial
    > testing suggests it works with mixed results on 2003 and XP SP2.

    --
    NTBugtraq Editor's Note:
    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
    --
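A detection-side companion to the thread above, as an added example that is not part of the original posts or of newland.exe: it parses raw IPv4 datagrams and flags the LAND pattern. It assumes the usual definition of a LAND packet (a TCP SYN whose source address and port equal its destination address and port), which the thread itself does not spell out. The names `parse_land`, `scan` and `SAMPLES` are hypothetical, and the sample datagrams are constructed.

```python
import ipaddress
import struct

def parse_land(pkt: bytes):
    """Return (address, port) when pkt is a LAND-style TCP SYN, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                      # too short, or not IPv4
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or len(pkt) < ihl + 14:
        return None                      # bad IHL, or TCP flags byte missing
    if pkt[9] != 6:
        return None                      # protocol is not TCP
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return None                      # non-first fragment carries no TCP header
    src, dst = pkt[12:16], pkt[16:20]
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]
    syn_only = (flags & 0x02) and not (flags & 0x10)   # SYN set, ACK clear
    if syn_only and src == dst and sport == dport:
        return str(ipaddress.IPv4Address(src)), sport
    return None

# Constructed sample datagrams: 20-byte IPv4 header + 20-byte TCP header,
# checksums zeroed (not validated here), RFC 5737 documentation addresses.
IP_SELF = "4500002800010000" "40060000" "c000020a" "c000020a"  # src == dst
IP_PEER = "4500002800010000" "40060000" "c6336407" "c000020a"  # src != dst
TCP_TAIL = "00" * 8                                            # seq + ack
SAMPLES = {
    "land_syn":        IP_SELF + "008b008b" + TCP_TAIL + "50022000" + "00" * 4,
    "normal_syn":      IP_PEER + "c000008b" + TCP_TAIL + "50022000" + "00" * 4,
    "same_ip_only":    IP_SELF + "c000008b" + TCP_TAIL + "50022000" + "00" * 4,
    "same_tuple_ack":  IP_SELF + "008b008b" + TCP_TAIL + "50102000" + "00" * 4,
}

def scan(samples):
    """Map each sample name to parse_land()'s verdict."""
    return {name: parse_land(bytes.fromhex(h)) for name, h in samples.items()}

if __name__ == "__main__":
    for name, hit in scan(SAMPLES).items():
        print(f"{name:15s} {'LAND ' + repr(hit) if hit else 'ok'}")
```

A packet matching this pattern can never be legitimate traffic arriving from the network, so the same predicate is suitable as a drop rule at a border filter as well as an alert.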
    
