ARP problem in Windows9X/NT

From: Joel Jacobson (joelat_private)
Date: Mon Apr 12 1999 - 04:59:54 PDT

    Hello all bugtraqers!
    
    I've found a problem in Windows9X/NT's way of handling ARP packets.
    
    If you flood a computer on your LAN with the packet below, its user
    will be forced to click a message box's OK button x times, where x is the number
    of packets you flooded with.
    
    I advise Microsoft to develop a patch for this problem that lets you
    choose to ignore all future messages of this type.
    
    There is no way to trace the flooder since the MAC address in the
    packet can be modified to anything. Badly configured routers will
    not drop this packet. When I tested this problem on my LAN I could
    flood a computer on another C-net on my LAN without problems.
    
    The program NetXRay was used to perform the flood.
    The victims had to reboot their computer, or choose to click _very_
    many OK buttons.
    
    The ARP packet is built up like this:
    
    Ethernet Version II:
     Address: XX-XX-XX-XX-XX-XX --->FF-FF-FF-FF-FF-FF
     Ethernet II Protocol Type: ARP
    Address Resolution Protocol:
     Hardware Type: 1 (Ethernet)
     Protocol Type: 800
     Hardware Address: Length: 6
     Protocol Address: Length: 4
     Operations: ARP Request
     Source Hardware Address: XX-XX-XX-XX-XX-XX
     IP Source Address: <victim computer's IP>
     Destination Hardware Address: XX-XX-XX-XX-XX-XX
     IP Destination Address: <victim computer's IP>
    
    And in hex the packet looks like this:
    ff ff ff ff ff ff 00 00 00 00 00 00 08 06 08 00 06 04 00 01 00 00 00
    00 00 00 XX XX XX XX 00 00 00 00 00 00 XX XX XX XX
    (XX is what matters here)
    
    Hope a patch for this problem will be developed fast, because this is a
    big problem for my school and probably also for others.
    
    I'm not a C programmer, and don't know how to write an exploit for
    this problem. So, if anyone else can develop an exploit, feel free to do so.
    
    Joel Jacobson.
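As an added example (not code from the post, nor from NetXRay or Microsoft), a parser for the frame layout listed above together with the rate-based detection logic a LAN monitor would run against it: it flags an address only when many broadcast ARP requests claiming the same sender and target IP arrive inside a short window, because a host legitimately sends one such probe when it brings up an address. The two sample frames and the timestamps are constructed, and the window and threshold are assumed values.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP, ARP_REQUEST, BROADCAST_MAC = 0x0806, 1, b"\xff" * 6

# Constructed sample frames, laid out per the field list in the post (bytes.fromhex skips spaces):
# Ethernet dst, src, type | ARP htype, ptype, hlen, plen, op, sha, spa, tha, tpa
NORMAL_REQUEST = bytes.fromhex(  # ordinary "who has 192.168.1.1? tell 192.168.1.10"
    "ffffffffffff 001122334455 0806 0001 0800 06 04 0001"
    " 001122334455 c0a8010a 000000000000 c0a80101")
CONFLICT_PROBE = bytes.fromhex(  # sender IP == target IP == 192.168.1.10, zeroed MACs
    "ffffffffffff 000000000000 0806 0001 0800 06 04 0001"
    " 000000000000 c0a8010a 000000000000 c0a8010a")

def parse_arp_frame(frame):
    """Return the ARP fields of an Ethernet II frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"dst": frame[0:6], "src": frame[6:12], "op": op,
            "sha": frame[22:28], "spa": frame[28:32], "tha": frame[32:38], "tpa": frame[38:42]}

def is_conflict_probe(arp):
    """The pattern from the post: broadcast ARP request whose sender IP equals its target IP.
    A host legitimately sends one when it brings up an address, so one alone is not an alert."""
    return (arp is not None and arp["op"] == ARP_REQUEST
            and arp["dst"] == BROADCAST_MAC and arp["spa"] == arp["tpa"])

def ip_str(b):
    return ".".join(str(x) for x in b)

def detect_probe_floods(events, window=1.0, threshold=5):
    """events: iterable of (timestamp_seconds, frame), in time order. Returns {claimed_ip: peak
    count} for each IP whose conflict-probe count reached `threshold` inside a `window`-second span."""
    recent = defaultdict(list)  # claimed IP -> timestamps still inside the sliding window
    alerts = {}
    for ts, frame in events:
        arp = parse_arp_frame(frame)
        if not is_conflict_probe(arp):
            continue
        times = recent[arp["spa"]]
        times.append(ts)
        while ts - times[0] > window:  # expire timestamps that fell out of the window
            times.pop(0)
        if len(times) >= threshold:
            ip = ip_str(arp["spa"])
            alerts[ip] = max(alerts.get(ip, 0), len(times))
    return alerts
```

A single boot-time probe produces no alert; twenty of them within a fifth of a second for the same address is reported with the peak count seen in the window.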
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:42:05 PDT