From jasong@MICROSOFT.COM Sun Mar  8 00:13:47 1998
From: Jason Garms 
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Date: Wed, 4 Mar 1998 00:53:28 -0800
Subject: Update on wide-spread NewTear Denial of Service attacks

First, many thanks to the many organizations that assisted today in
gathering information on the rash of denial of service attacks that have hit
a number of sites on the Internet in the last 24-48 hours. Three important
organizations for overall coordination have been CIAC, CERT and NTBUGTRAQ.
That's in addition to the numerous customers who provided assistance. Thank
you.

We've gotten network traces for in-process attacks, as well as NT crash
dumps from machines that were attacked. These files came from a number of
different customers who were affected by these denial of service attacks
over the last 24 to 48 hours. We've carefully reviewed the network traces,
and analyzed the crash dumps, and I'd like to share what we found.

The network sniffs all indicated a two-packet sequence using UDP
fragmentation to exploit a known vulnerability in unpatched Windows 95 and
Windows NT TCP/IP stacks. The traces all indicate the now infamous "DNS"
packet, which has little significance as an actual DNS packet except that it
uses the DNS port address. It's really the setup packet for the
fragmentation attack. The second packet, which is a malformed UDP packet by
many regards, completes the attack and places the unpatched TCP/IP stack in
an unstable state. The DNS port may have been chosen because many sites do
not filter it on their firewalls or routers. However, this is not a DNS
issue in any way, since the corruption is caused in the TCP/IP stack by the
UDP assembly.

We replayed these packets against unpatched Windows NT and Windows 95
machines and got the same results as have been reported on in various
forums, mostly blue screens. However, there have been reports of machines
that would simply reboot without first blue screening. We were able to
duplicate that scenario on Windows NT 4.0 systems running only SP1. Other
unpatched systems would blue screen. However, these replayed attacks had no
effect on fully patched Windows NT 4.0 SP3 systems (all hotfixes). The
primary fix that is important here is the "NewTear/Bonk/Boink" update that
was released in January.

We also reviewed the crash dumps from a number of different sources. None of
these affected machines had the NewTear/Bonk/Boink patch installed. Analysis
of the dump indicated that the cause of failure in all cases was symptomatic
of the corruption caused by fragmented UDP packets, which was addressed by
the NewTear/Bonk/Boink update. Most sites we were in contact with that were
the subject of repeated attacks were no longer affected after installing the
update.

We have had no reports of fully patched systems being affected by this rash
of attacks.

We have posted some information on http://www.microsoft.com/security on this
rash of attacks. From everything we've been able to determine, applying this
update is critical to preventing this problem. The information on this issue
at http://www.microsoft.com/security has links to the NewTear/Bonk/Boink
hotfix.

This hotfix is available for Windows NT 4.0 SP3, Windows NT 3.51 SP5,
Windows 95 Winsock 1.x and Windows 95 Winsock 2.x systems. (Note that the
version for Windows 95 depends on the Winsock version. Last week we released
a complete refresh of the Windows 95 Winsock 2 stack, which includes the
NewTear fix. This information is referenced from the NewTear information on
http://www.microsoft.com/security)

Thanks,
-JasonG

Jason Garms
Product Manager
Windows NT Security
Microsoft Corporation

=-=

From Russ.Cooper@RC.ON.CA Sun Mar  8 00:13:56 1998
From: Russ 
To: BUGTRAQ@NETSPACE.ORG
Date: Wed, 4 Mar 1998 03:43:25 -0500
Subject: Re: WinNT Widespread Teardrop Exploit

So far, on sites where caps were available (or tcpdumps) all replays of
said caps have failed to crash machines patched against Teardrop2.

Since it's impossible to be certain, in such a short period of time (the
attacks began on Sunday night EST and have continued through to the time
of posting), that all attacks are the same (or significantly similar),
there is hesitancy to say this is definitely Teardrop2.

Some sites have reported DNS attacks; the sites I've talked to that saw
attacking packets labeled DNS all indicated that those packets were, in
fact, invalid DNS packets. Instead, it appears that fragmented UDP 53
packets are being used to form the exploit and trigger the kernel crash
on NT and Win95 boxes that have not been patched.

At least one site reported that Linux kernels prior to 2.0.32 that have
not been patched will freeze; this is consistent with Teardrop2.

Win98 beta 3 machines seem to be unaffected; they include the Teardrop2
fixes.

I've had two confirmations, in addition to Microsoft, from very large
orgs that machines patched with the Teardrop2 patch from January
(identified in Dale's message) withstood attacks.

Some valuable data points (again, at the time of posting):

- Virtually all of the larger attacks seem to be originating from
199.0.154.13, however this address is spoofed.

- Many of the attacks seem to originate from a source port of 4000 and
go after random ports. ICQ is on port 4000 but is, currently, not
suspect.

- The majority of other reports indicate source and destination ports
53.

- Everyone is seeing fragmented UDP packets with a 32 byte offset.
Assembled size seems to vary, although this could just be a result of
the analysis methods.

The focus on .gov and .edu sites seems consistent with Aleph's story
pointers.

You can have a look at my NTBugTraq archives for today to follow my
reports on the discoveries (as well as my silly theories).

http://listserv.ntbugtraq.com/SCRIPTS/WA-NTBT.EXE?S2=ntbugtraq&q=&s=&f=&a=3+mar+98&b=4+mar+98

Cheers,
Russ
http://www.ntbugtraq.com
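Added here as an illustration, not part of either message above or of Newtear.c: a small Python detector that applies the two traits both posts describe, a later fragment landing inside data already received and a UDP length field larger than the reassembled datagram, to raw IPv4 packets grouped by (source, destination, IP ID, protocol). The sample fragments, the 10.0.0.x addresses and the payload sizes are constructed for the example and are not packets from the exploit.

```python
import struct
from collections import defaultdict

def parse_ipv4(pkt):
    """Extract the fragmentation-relevant IPv4 fields from one raw packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, frag = struct.unpack("!HHH", pkt[2:8])
    return {"key": (pkt[12:16], pkt[16:20], ident, pkt[9]), "proto": pkt[9],
            "mf": bool(frag & 0x2000), "offset": (frag & 0x1FFF) * 8,
            "payload": pkt[ihl:total_len]}

def check_fragment_set(frags):
    """Reasons a set of same-ID fragments matches the thread's pattern (empty if clean)."""
    reasons, end = [], 0
    for f in sorted(frags, key=lambda f: f["offset"]):
        if f["offset"] < end:  # this fragment overlaps data already received
            reasons.append("overlapping fragment at offset %d (previous end %d)" % (f["offset"], end))
        end = max(end, f["offset"] + len(f["payload"]))
    first = min(frags, key=lambda f: f["offset"])
    if first["offset"] == 0 and first["proto"] == 17 and len(first["payload"]) >= 8:
        sport, dport, ulen = struct.unpack("!HHH", first["payload"][:6])
        if ulen > end:  # UDP header claims more data than the fragments deliver
            reasons.append("UDP length %d exceeds reassembled size %d (ports %d->%d)" % (ulen, end, sport, dport))
    return reasons

def detect(packets):
    """Group raw IPv4 packets by (src, dst, id, proto); return suspicious groups with reasons."""
    groups = defaultdict(list)
    for p in map(parse_ipv4, packets):
        if p["mf"] or p["offset"]:  # only fragments matter here
            groups[p["key"]].append(p)
    return {k: r for k, v in groups.items() if (r := check_fragment_set(v))}

def make_frag(ident, offset, mf, payload):
    """Build one constructed IPv4 fragment (10.0.0.1 -> 10.0.0.2) for the sample input."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def udp_hdr(ulen):  # UDP header, port 53 both ways, checksum left zero
    return struct.pack("!HHHH", 53, 53, ulen, 0)

# Constructed samples (not packets from the exploit): a clean two-fragment datagram whose
# UDP length matches, and one where the second fragment overlaps and the length is doubled.
BENIGN = [make_frag(1, 0, True, udp_hdr(28) + b"A" * 16), make_frag(1, 24, False, b"B" * 4)]
SUSPECT = [make_frag(2, 0, True, udp_hdr(80) + b"\0" * 32), make_frag(2, 32, False, b"\0" * 4)]
```

Feeding a capture's IPv4 packets to detect() flags fragment sets a patched stack would reject; the same checks are what a filtering router or IDS needs in order to drop such traffic before it reaches unpatched hosts.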

/*  Newtear.c
 *  Seemingly, a new teardrop type exploit. Affects NT4, and Win95.
 *
 *  [ http://www.rootshell.com/ ]
 *
 *  Discovered 01/08/1998
 *
 *  Updated notes:
 *     This is a new version of teardrop.  It affects NT 4 and Win95 machines with all
 *     current patches and hotfixes.  Causes a bluescreen in both operating systems.
 *     Linux appears unaffected, other *NIXes untested.  Differences are:
 *
 *     Smaller padding data size (20 bytes instead of 28 in previous teardrop)
 *     Faked out UDP total length.  (Increased reported UDP length to twice what it really is)
 *
 *  Copyright (c) 1997 route|daemon9   11.3.97
 *
 *  Linux/NT/95 Overlap frag bug exploit
 *
 *  Exploits the overlapping IP fragment bug present in all Linux kernels and
 *  NT 4.0 / Windows 95 (others?)
 *
 *  Based off of:   flip.c by klepto
 *  Compiles on:    Linux, *BSD*
 *
 *  gcc -O2 teardrop.c -o teardrop
 *      OR
 *  gcc -O2 teardrop.c -o teardrop -DSTRANGE_BSD_BYTE_ORDERING_THING
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>

[snip...]