Analysis of the Security of Windows NT
1 March 1999
55
where the fragment offset is larger than the total size of the IP packet and no MF bit is set. The fragment offset and the total size difference has, however, nothing to do with the problem, since the two are not related. The whole scheme works because the last fragment has an offset that is part of the UDP header and will therefore partially overwrite the header; the result is an incomplete UDP packet. These packets will take up memory and eventually cause a crash. The difference between bonk and boink is that bonk attacks only one port, namely port 55, while boink gives the user the option to define a range of ports to attack. Microsoft has offered a fix to the problem.
Intent. The same as in Teardrop but we will use both bonk and boink.
Result. We executed the programs on a LINUX machine as follows (IP addresses changed for security reasons):
bonk 10.0.0.1 10.0.0.2 100
The last argument specifies the number of consecutive attacks. Without the hotfix the system crashed, giving us a blue screen, and had to be rebooted. The hotfix seems to work.
boink 10.0.0.1 10.0.0.2 100 200 10
The numbers 100 and 200 define the port interval and 10 the number of consecutive attacks. Without the hotfix the system crashed, giving us a blue screen, and had to be rebooted. The hotfix seems to work.
7.5.6 Land and LaTierra
Description. Land and LaTierra are two programs that exploit the same vulnerability. The only difference is that LaTierra has a number of options that can be set, e.g. which TCP flags to set and whether TCP or UDP should be used. The attack simply puts the same IP address as both sender and receiver. This will cause a Windows 95 machine to crash and an NT machine to freeze for a while. This could be nasty if one is the victim of a number of these attacks over a period of time, especially if the intervals between the attacks are random. They will eventually make the user think that something is wrong, and s/he will try to reboot to solve the problem. The attack could also be used as an excellent blocker in a man-in-the-middle attack. Microsoft offers a fix for the problem.
Intent. We will try to remotely freeze the target system by using both Land and LaTierra. The attack will be launched against a target, both with and without the hotfix.
Result. We executed the programs on a LINUX machine as follows (IP addresses changed for security reasons):
land 10.0.0.2 139
latierra -i 10.0.0.2 -b 139
10.0.0.2 is the target computer's IP address, and 139 is the attacked port. With just SP1 installed in the system, the machine froze, and we had to reboot it. With just SP3, the machine froze for approximately 45 seconds. The hotfix offered by Microsoft seems to work.
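As an added illustration (not code from the paper or from the tools it tests), the following Python sketches the defender-side checks that the bonk/boink and Land sections point at: it parses constructed IPv4 headers and reports a packet whose source and destination addresses are identical (the Land condition) and a fragment whose byte range overlaps a fragment already received for the same datagram (the overlap on which bonk and boink rely). It checks overlap in general, not only overlap of the UDP header; the packets, identification values and function names are constructed for the example, and checksums are not verified.

```python
import socket
import struct
from collections import defaultdict

IP_MF = 0x2000        # "more fragments" flag in the IPv4 flags/offset field
OFFSET_MASK = 0x1FFF  # fragment offset, counted in 8-byte units

def parse_ipv4(raw):
    """Unpack the fixed 20-byte IPv4 header into the fields the checks need."""
    (vihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    return {"id": ident, "proto": proto, "src": src, "dst": dst,
            "mf": bool(flags_off & IP_MF),
            "offset": (flags_off & OFFSET_MASK) * 8,
            "payload_len": total_len - (vihl & 0x0F) * 4}

class FragmentMonitor:
    """Remembers fragment byte ranges per datagram and reports anomalies."""
    def __init__(self):
        self.seen = defaultdict(list)  # (src, dst, id, proto) -> [(start, end)]

    def check(self, raw):
        hdr = parse_ipv4(raw)
        findings = []
        if hdr["src"] == hdr["dst"]:
            findings.append("land: source and destination address identical")
        if hdr["mf"] or hdr["offset"]:  # packet is a fragment
            key = (hdr["src"], hdr["dst"], hdr["id"], hdr["proto"])
            start, end = hdr["offset"], hdr["offset"] + hdr["payload_len"]
            for s, e in self.seen[key]:
                if start < e and s < end:  # byte ranges intersect
                    findings.append(f"overlapping fragment: {start}-{end} vs {s}-{e}")
                    break
            self.seen[key].append((start, end))
        return findings

def build_ipv4(src, dst, ident, flags_off, payload, proto=17):
    """Constructed test packet: minimal IPv4 header (checksum left 0) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def run_samples():
    """Feed three constructed packets through the monitor; return the findings."""
    mon = FragmentMonitor()
    first = build_ipv4("10.0.0.1", "10.0.0.2", 0x1234, IP_MF, b"\x00" * 36)  # bytes 0-36
    second = build_ipv4("10.0.0.1", "10.0.0.2", 0x1234, 3, b"\x00" * 4)      # bytes 24-28
    same_addr = build_ipv4("10.0.0.2", "10.0.0.2", 0x0001, 0, b"\x00" * 20, proto=6)
    return [mon.check(first), mon.check(second), mon.check(same_addr)]
```

A real monitor would also age out the per-datagram state, which this sketch keeps forever.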