Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] Land Attacks Still Going Strong

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] Land Attacks Still Going Strong
Date: 15 Dec 2005 08:39:31 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Land Attacks Still Going Strong
------------------------------------------------------------------------


SUMMARY

" <http://en.wikipedia.org/wiki/LAND_attack> A LAND attack is a DoS 
(Denial of Service) attack that consists of sending a special spoofed 
packet to a computer, causing it to lock up. The security flaw was first 
discovered in 1997 by someone using the alias 'm3lt', and has resurfaced 
many years later in operating systems such as Windows Server 2003 and 
Windows XP SP2."

By utilizing an Land attack, remote attacker can cause a DoS on effected 
machines.

DETAILS

Vulnerable Systems:
 * Microsoft Windows XP, SP1 and SP2
 * Linksys Routers
 * Westell Routers/Modems
 * Motorola Modems/Routers
 * Cisco Firewalls, Switches, and Routers
 * DSL Modems
 * Cable Modems
 * Consumer Routers
 * All Central Connectivity Devices (any manufacturer)
 * Linksys BEFW11S4
 * Linksys WRT54GS
 * Westell Versalink 327W (Verizon Modem)
 * Cisco Catalyst Series (Multiple)
 * Scientific Atlantic DPX2100 (Comcast Modem)

Land uses a specially crafted ICMP echo packet that has the same source 
and destination address. The receiving system stalls due to the erroneous 
packet and not having instructions to handle the unique packet. In Windows 
9x variants, the systems will "blue screen. " On modern NT variants, the 
systems will hang for approximately 30 seconds with full CPU usage before 
discarding the packet. With a looped script, the attacker can render the 
system useless. UNIX variants have been able to use a firewall rule to 
drop Land packets ? leaving most systems patched.

Microsoft originally released an initial patch that secured Windows 9x 
variants ? causing the exploit to lose popularity and become somewhat 
obscure. Later, when Windows NT variants were released, Microsoft 
neglected to patch the security flaw; this caused Windows XP Service Pack 
2 to remain susceptible to such an attack. Within the last four (4) 
months, Microsoft has released a patch for Windows NT variants.

Land versus Remote Land:
Land was originally introduced in the late 1990s and was very popular with 
educational and business networks. The original Land attack had to be 
executed internally on the local network ? thereby giving rise to the name 
"Land" (indicating that access has been granted to the local premises). 
However, with a remote attack (Remote Land), crafting special packets and 
spoofing the destination and source IP addresses will cause the attack to 
be carried out remotely against the central connectivity device.

Exploit / Proof of Concept:
There is no handwritten code needed to exploit this vulnerability.
The only requirement is an IP packet creation utility (such as Hping2 or 
IPSorcery). Below are some HPing2 examples:
                Victim's IP Address: 63.24.122.59
                Victim's Router IP Address: 192.168.1.1
                hping2 -A -S -P -U 63.24.122.59 -s 80 -p 80 -a 192.168.1.1

Remote Land Specifications:
Although the exploit will work without the Ack, Syn, Push, and Urg 
(flags), the device does not seem to shut off without these flags.

Sending just the Land part of the packet seems to only create high amounts 
of latency on the victim's end. The spoofed source address must be the 
address of the central connectivity device; although the
normal default is 192.168.1.1, some manufacturers use different addresses 
(such as 192.168.1.100 or 192.168.0.1). As a result, the IP address should 
be checked prior to initiating any test. Additionally,
a broadcast address will work for a source address as well, thereby 
flooding the network with responses from all the machines connected to the 
network. Although it will not stale the Central Connectivity
Device, it will maximize the entire network usage - crippling the network 
with extremely high latency.

Test Environment:

 * Test One
  * Attacker: hping2 on Comcast Cable connection behind Linksys Router
  * Victim: DSL Modem/Router on Verizon DSL connection

 * Test Two
  * Attacker: hping2 on Comcast Cable connection behind Linksys Router
  * Victim: Linksys Router on Comcast Cable connection

 * Test Three
  * Attacker: hping2 on Comcast connection behind Linksys Router
  * Victim: Comcast Cable Modem

 * Test Four
  * Attacker: hping2 on Comcast connection behind Linksys Router
  * Victim: Cisco Router on T1 connection

 * Test Five
  * Attacker: hping2 on Comcast connection behind Linksys Router
  * Victim: Cisco Pix Firewall, on T1 connection

Test Results:
Test One:
Connection Latency - followed by the modem physically turning off.
Time elapsed: approximately 10 seconds (from beginning of packet flooding 
to complete shutdown).

Test Two:
Connection Latency, router reset, then connection lost. Reset needed 
before router would communicate online again.

Test Three:
Modem lights flickered; the modem lost connection and sat with the Data 
light completely out.

Test Four:
Router lost connection to the Internet.

Test Five:
Firewall lost network connection.

Conclusion:
It appears that central connectivity device manufacturers need to release 
firmware updates and/or patches to protect against Land and remote Land 
attacks. The Land attack is no longer simply a local attack but has now 
evolved into having the capability of being launched remotely.


ADDITIONAL INFORMATION

The information has been provided by  
<mailto:synistersyntaxlist@gmail.com> Synister Syntax.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] Land Attacks Still Going Strong, SecuriTeam <=
Previous by Date:  [NT] Windows Kernel APC Data-Free Local Privilege Escalation (MS05-055), SecuriTeam
Next by Date:  [NT] Trend Micro PC-Cillin Internet Security Insecure File Permission, SecuriTeam
Previous by Thread:  [NT] Windows Kernel APC Data-Free Local Privilege Escalation (MS05-055), SecuriTeam
Next by Thread:  [NT] Trend Micro PC-Cillin Internet Security Insecure File Permission, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]