'Land' Bug Back to Bedevil Microsoft Servers

By Sean Michael Kerner | Mar 7, 2005
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3488206/Land-Bug-Back-to-Bedevil-Microsoft-Servers.htm

Need another excuse to run a firewall? Windows Server 2003 and XP SP2 machines without properly configured firewalls are at risk of a Denial of Service attack via the "LAND" bug, according to a security researcher.

Microsoft said it is looking into the situation and claims the potential issue cannot be used by an attacker to run malicious software on a computer.

In a post to the Bugtraq security mailing list, security researcher Dejan Levaja described how the LAND attack could create a Denial of Service condition on a target server. "Sending [a] TCP packet with SYN flag set, source and destination IP address and source and destination port as of destination machine, results in 15-30 seconds DoS condition," Levaja explained in the post.
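The packet property described in the post (SYN set, source address and port equal to destination address and port) is easy to check for in captured traffic. The following detection sketch is an added example, not code from the article or the Bugtraq post; the function names, the sample builder and the constructed capture (documentation addresses, port 445 chosen arbitrarily) are assumptions.

```python
import socket
import struct

SYN = 0x02  # TCP SYN flag bit

def is_land_packet(pkt: bytes) -> bool:
    """True if a raw IPv4/TCP packet has SYN set and identical
    source/destination address and source/destination port."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False                          # truncated or not IPv4
    ihl = (pkt[0] & 0x0F) * 4                 # IP header length, options included
    if ihl < 20 or pkt[9] != socket.IPPROTO_TCP:
        return False
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return False                          # later fragment: no TCP header here
    if len(pkt) < ihl + 14:
        return False                          # TCP header cut short before flags
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (bool(pkt[ihl + 13] & SYN)
            and pkt[12:16] == pkt[16:20]
            and sport == dport)

def flag_land(packets):
    """Indices of the packets in a capture that match the LAND pattern."""
    return [i for i, p in enumerate(packets) if is_land_packet(p)]

def sample(src, dst, sport, dport, flags, proto=socket.IPPROTO_TCP, ip_opts=b""):
    """Constructed test input: IPv4 + TCP header bytes, checksums left zero."""
    ihl = 5 + len(ip_opts) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0, 0,
                     64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + ip_opts + tcp

# Constructed capture using documentation addresses (192.0.2.0/24).
CAPTURE = [
    sample("192.0.2.20", "192.0.2.10", 40000, 445, SYN),        # ordinary SYN
    sample("192.0.2.10", "192.0.2.10", 445, 445, SYN),          # LAND pattern
    sample("192.0.2.10", "192.0.2.10", 445, 445, 0x10),         # ACK only
    sample("192.0.2.10", "192.0.2.10", 445, 445, SYN, ip_opts=b"\x01" * 4),
    sample("192.0.2.10", "192.0.2.10", 445, 445, SYN, proto=17),  # not TCP
]

if __name__ == "__main__":
    print(flag_land(CAPTURE))
```

A packet arriving from the network with its source address equal to the receiving host's own address is never legitimate, which is why a host or perimeter firewall can drop it outright.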

The LAND attack is carried out with the help of a trio of open source-licensed tools intended to help network administrators troubleshoot and test their networks.

The IP Sorcery application, which is loosely connected to an underground computer security group called Legions of the Underground, allows for custom TCP packet generation, which is how the malicious packet in the LAND attack is created. Ethereal, the popular network protocol analyzer included in most major Linux distributions, is used for "sniffing" the packet.

According to Dejan, by sending the crafted LAND packet, the CPU utilization on the target server hits 100 percent and causes Windows Explorer to freeze on all connected workstations. The third open source tool utilized is tcpreplay, which is used in Dejan's scenario to "replay" the LAND packet in order to create a sustained DoS. The result could be a "total collapse of the network."

Dejan claims that he informed Microsoft of the issue on Feb. 25, 2005, and received no reply.

A Microsoft spokesperson told internetnews.com that Microsoft's initial investigation has revealed that this reported vulnerability cannot be used by an attacker to run malicious software on a computer. In fact, Dejan only claims a DoS and not the execution of arbitrary code.

"At this point, our analysis indicates the impact of a successful attack would be to cause the computer to perform sluggishly for a short period of time," the Microsoft spokesperson explained. "Customers running the Windows Firewall, enabled by default on Windows XP Service Pack 2, are not impacted by this issue. In addition, customers who have applied our TCP/IP hardening practices described in Knowledge Base Article 324270 are likewise protected from an attack attempting to utilize this issue."

Normally Microsoft issues security updates on the first Tuesday of every month, and usually warns users several days before the updates are issued. So far in March, Microsoft has given no indication that any update will in fact be issued tomorrow. Last month's update was one of the largest yet, with more than a dozen different issues patched.

Microsoft's spokesperson indicated, however, that upon completion of the investigation into the LAND vulnerability, Microsoft will take the appropriate action to protect its customers, which may include providing a fix through its monthly release process or an out-of-cycle security update, depending on customer needs.

Article courtesy of internetnews.com