Hi!
The LAND attack described in
http://www.securityfocus.com/archive/1/392354 is fixed for IPv4 by the
latest security updates, but not for the IPv6 protocol. As in the IPv4
version of the attack, the built-in firewall has to be turned off to
experience the result (1-5 seconds of DoS condition).
Tools used:
The attached source (I used VS 7.1 to compile it) uses the WinPcap library -
http://winpcap.polito.it/. This program attacks only IPv6 Link-Local
addresses.
Results:
Sending one packet to an open IPv6 port causes Windows to freeze for about
5 seconds (CPU usage goes to 100%).
Vulnerable operating systems:
I have tested this bug on Windows XP SP2 + security updates up to now
(16 May 2005), Windows 2003 Server SP1 + updates, Windows Longhorn b5048
(by the way, L. is still "Land.IPv4 compatible" :)).
Solution:
Use the built-in Windows firewall to block open IPv6 ports (port 135 is open
by default). Popular firewalls like ZoneAlarm, Sygate Personal Firewall
and Agnitum Outpost Firewall do not filter IPv6, so the attack has the
same effect.
Ethics:
Microsoft has been notified. IPv6 is not widely used, so the threat is
minimal (I hope).
Kondrad Malewski
kmalewski at gmail.com
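
For filtering or IDS use, the classic LAND signature (a TCP SYN whose source address and port equal its destination address and port) can be matched on the IPv6 header directly. The following is an added example, not the source attached to the original post; the function names and the sample packet are constructed for illustration, and it assumes no extension headers sit between the IPv6 and TCP headers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HDR_LEN 40   /* fixed IPv6 header size */
#define TCP_MIN_LEN  20   /* TCP header without options */
#define NEXT_HDR_TCP 6
#define TCP_FLAG_SYN 0x02

/* buf points at the IPv6 header (link-layer header already stripped).
 * Returns 1 for a TCP SYN with src addr == dst addr and src port == dst port.
 * Assumption: Next Header is TCP directly (no extension header chain). */
int is_ipv6_land(const uint8_t *buf, size_t len)
{
    const uint8_t *tcp = buf + IPV6_HDR_LEN;

    if (len < IPV6_HDR_LEN + TCP_MIN_LEN) return 0;   /* truncated packet */
    if ((buf[0] >> 4) != 6) return 0;                 /* IP version field */
    if (buf[6] != NEXT_HDR_TCP) return 0;             /* Next Header field */
    if (memcmp(buf + 8, buf + 24, 16) != 0) return 0; /* src vs dst address */
    if (memcmp(tcp, tcp + 2, 2) != 0) return 0;       /* src vs dst port */
    return (tcp[13] & TCP_FLAG_SYN) != 0;             /* SYN bit set */
}

/* Constructed sample input: header bytes for fe80::1 -> fe80::<dst_last>,
 * destination port 135, SYN set. Checksum left zero; the check ignores it. */
void build_sample(uint8_t pkt[60], uint8_t dst_last, uint16_t sport)
{
    memset(pkt, 0, 60);
    pkt[0] = 0x60;                                      /* version 6 */
    pkt[5] = TCP_MIN_LEN;                               /* payload length */
    pkt[6] = NEXT_HDR_TCP;
    pkt[7] = 64;                                        /* hop limit */
    pkt[8] = 0xfe;  pkt[9] = 0x80;  pkt[23] = 1;        /* source address */
    pkt[24] = 0xfe; pkt[25] = 0x80; pkt[39] = dst_last; /* destination address */
    pkt[40] = (uint8_t)(sport >> 8); pkt[41] = (uint8_t)(sport & 0xff);
    pkt[43] = 135;                                      /* destination port */
    pkt[52] = 0x50;                                     /* data offset: 5 words */
    pkt[53] = TCP_FLAG_SYN;
}

int main(void)
{
    uint8_t pkt[60];
    build_sample(pkt, 1, 135);   /* src == dst, sport == dport */
    printf("same endpoint: %d\n", is_ipv6_land(pkt, sizeof pkt));
    build_sample(pkt, 2, 135);   /* different destination host */
    printf("different host: %d\n", is_ipv6_land(pkt, sizeof pkt));
    return 0;
}
```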