‘Land’ Bug Back to Bedevil Microsoft Servers

Need another excuse to run a firewall? Windows Server 2003 and XP SP2 machines without properly configured firewalls are at risk of a Denial of Service attack via the “LAND” bug, according to a security researcher.

Microsoft said it is looking into the situation and claims the potential issue cannot be used by an attacker to run malicious software on a computer.

In a post to the Bugtraq security mailing list, security researcher Dejan Levaja described how the LAND attack could create a DoS condition on a target server. “Sending [a] TCP packet with SYN flag set, source and destination IP address and source and destination port as of destination machine, results in 15-30 seconds DoS condition,” Levaja explained in the post.
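As an added illustration (not from the article or from Levaja's post), a filter or sensor can recognise the packet shape described above by reading the IPv4 and TCP headers. The function names, the 192.0.2.0/24 documentation addresses and port 139 are assumptions constructed for this example.

```python
TCP_PROTO = 6    # IPv4 protocol number for TCP
SYN_FLAG = 0x02  # SYN bit in the TCP flags byte


def is_land_packet(pkt: bytes) -> bool:
    """True if pkt (raw IPv4 bytes) is a TCP SYN with src == dst address and port."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False                      # too short, or not IPv4
    ihl = (pkt[0] & 0x0F) * 4             # IP header length in bytes
    if ihl < 20 or pkt[9] != TCP_PROTO or len(pkt) < ihl + 14:
        return False                      # bad header, not TCP, or truncated
    if int.from_bytes(pkt[6:8], "big") & 0x1FFF:
        return False                      # later fragment: no TCP header here
    same_addr = pkt[12:16] == pkt[16:20]
    same_port = pkt[ihl:ihl + 2] == pkt[ihl + 2:ihl + 4]
    return bool(pkt[ihl + 13] & SYN_FLAG) and same_addr and same_port


def _pkt(src: str, dst: str, sport: str, dport: str, flags: str) -> bytes:
    """Assemble a constructed 40-byte sample from hex fields (checksums left zero)."""
    ip = "4500002800010000" + "40060000" + src + dst
    tcp = sport + dport + "00000000" + "00000000" + "50" + flags + "0200" + "00000000"
    return bytes.fromhex(ip + tcp)


# Constructed samples: 192.0.2.10 = c000020a, 192.0.2.20 = c0000214, port 139 = 008b.
SAMPLES = {
    "land_syn": _pkt("c000020a", "c000020a", "008b", "008b", "02"),
    "normal_syn": _pkt("c0000214", "c000020a", "c001", "008b", "02"),
    "same_endpoints_ack": _pkt("c000020a", "c000020a", "008b", "008b", "10"),
}


def flagged(samples=SAMPLES):
    """Names of the samples that match the LAND pattern."""
    return [name for name, pkt in samples.items() if is_land_packet(pkt)]


if __name__ == "__main__":
    print(flagged())
```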

The LAND attack is carried out with the help of a trio of open source-licensed tools intended to help network administrators troubleshoot and test their networks.

The IP Sorcery application, which is loosely connected to an underground
computer security group called Legions of the Underground, allows for
custom TCP packet generation, which is how the malicious packet in the LAND
attack is created. Ethereal, the popular network protocol analyzer included in most major Linux distributions, is used for “sniffing” the packet.

According to Levaja, by sending the crafted LAND packet, the CPU utilization
on the target server hits 100 percent and causes Windows Explorer to freeze
on all connected workstations. The third open source tool utilized is
tcpreplay, which is used in Dejan’s scenario to “replay” the LAND packet in
order to create a sustained DoS. The result could be a “total collapse of the

Levaja told internetnews.com that he discovered the flaw quite
unintentionally. “I was pen testing my network using the Auditor Security Collection live
Linux distribution. One of the tools on the CD was the IP Sorcery, which I
used to construct LAND packet for fun, believing that it is an attack from ancient history, not even thinking about possibility that it might work,” he said.

He claims he informed Microsoft of the issue on Feb. 25, 2005,
and received no reply.

A Microsoft spokesperson told internetnews.com that Microsoft’s initial
investigation has revealed that the reported vulnerability cannot be used
by an attacker to run malicious software on a computer. In fact, Dejan only
claims a DoS and not the execution of arbitrary code.

“At this point, our analysis indicates the impact of a successful attack
would be to cause the computer to perform sluggishly for a short period of
time,” the Microsoft spokesperson explained. “Customers running the Windows
Firewall, enabled by default on Windows XP Service Pack 2, are not impacted
by this issue. In addition, customers who have applied our TCP/IP hardening
practices described in Knowledge Base Article 324270 are likewise protected from an attack attempting to utilize this issue.”

Normally Microsoft issues security updates on the first Tuesday of every
month, and usually warns users several days before the updates are issued. So
far in March, Microsoft has given no indication that any update
will in fact be issued tomorrow. Last month’s update was one of the largest yet with more than a dozen different issues

Microsoft’s spokesperson indicated, however, that upon completion of the
investigation into the LAND vulnerability, Microsoft will take the
appropriate action to protect its customers, which may include providing a
fix through its monthly release process or an out-of-cycle security update,
depending on customer needs.

Updates prior version to include direct quotes from Dejan Levaja
