CVE-1999-0444: 'ARP problem in Windows9X/NT' - MARC
Remote attackers can perform a denial of service in Windows machines using malicious ARP packets, forcing a message box display for each packet or filling up log files.
List: bugtraq
Subject: ARP problem in Windows9X/NT
From: Joel Jacobson <joel () mobila ! cx>
Date: 1999-04-12 11:59:54

Hello all bugtraqers!
I’ve found a problem in Windows9X/NT’s way of handling ARP packets.
If you flood a computer on your LAN with the packet below, its user will be forced to click a messagebox’s OK button x times, where x is the number of packets you flooded with.
I advise Microsoft to develop a patch for this problem that lets you choose to ignore all future messages of this type.
There is no way to trace the flooder since the MAC address in the packet can be modified to anything. Badly configured routers will not drop this packet. When I tested this problem on my LAN I could flood a computer on another C-net at my LAN without problems.
The program NetXRay was used to perform the flood. The victims had to reboot their computer, or choose to click _very_ many OK buttons.
The ARP packet is built up like this:
Ethernet Version II:
  Address: XX-XX-XX-XX-XX-XX -->FF-FF-FF-FF-FF-FF
  Ethernet II Protocol Type: ARP
Address Resolution Protocol:
  Hardware Type: 1 (Ethernet)
  Protocol Type: 800
  Hardware Address: Length: 6
  Protocol Address: Length: 4
  Operations: ARP Request
  Source Hardware Address: XX-XX-XX-XX-XX-XX
  IP Source Address: <victim computer’s IP>
  Destination Hardware Address: XX-XX-XX-XX-XX-XX
  IP Destination Address: <victim computer’s IP>

And in HEX the packet looks like this:
ff ff ff ff ff ff 00 00 00 00 00 00 08 06 08 00 06 04 00 01 00 00 00 00 00 00 XX XX XX XX 00 00 00 00 00 00 XX XX XX XX
(XX is what matters here)
Hope a patch for this problem will be developed fast, cause this is a big problem for my school and probably also to others.
I’m not a C programmer, and don’t know how to write an exploit for this problem. So, if anyone else can develop an exploit, feel free to do so.
Joel Jacobson.
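
A defensive sketch of how a host or sensor could recognise the frames described in the message above and raise a single rate-based alert instead of reacting to every packet. This is an added example, not part of the original post and not Microsoft's code. It assumes the standard ARP-over-Ethernet II field layout; the function names, thresholds and addresses are illustrative, and the sample frame is constructed rather than captured.

```python
import struct
from collections import deque

def parse_arp(frame: bytes):
    """Return ARP fields from an Ethernet II frame, or None if it is not IPv4/Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": frame[22:28], "spa": frame[28:32],
            "tha": frame[32:38], "tpa": frame[38:42]}

def claims_our_ip(arp, local_ip: bytes, local_mac: bytes) -> bool:
    """True for an ARP request whose source and destination IP are ours but whose MAC is not."""
    return (arp is not None and arp["oper"] == 1
            and arp["spa"] == local_ip and arp["tpa"] == local_ip
            and arp["sha"] != local_mac)

class ConflictFloodDetector:
    """Alert once more than `threshold` conflicting frames arrive within `window` seconds."""
    def __init__(self, local_ip, local_mac, threshold=5, window=10.0):
        self.local_ip, self.local_mac = local_ip, local_mac
        self.threshold, self.window = threshold, window
        self.hits = deque()

    def observe(self, ts: float, frame: bytes) -> bool:
        if not claims_our_ip(parse_arp(frame), self.local_ip, self.local_mac):
            return False
        self.hits.append(ts)
        while self.hits and ts - self.hits[0] > self.window:
            self.hits.popleft()  # forget hits that fell out of the window
        return len(self.hits) > self.threshold

# Constructed sample (documentation IP, locally administered MACs), not a capture.
LOCAL_IP, LOCAL_MAC = bytes([192, 0, 2, 10]), bytes.fromhex("02aabbccdd01")
OTHER_MAC = bytes.fromhex("02aabbccdd99")
SAMPLE = (b"\xff" * 6 + OTHER_MAC + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, 1)
          + OTHER_MAC + LOCAL_IP + b"\x00" * 6 + LOCAL_IP)

def demo():
    """Feed five copies of the sample frame, 0.1 s apart, to a detector with threshold 3."""
    det = ConflictFloodDetector(LOCAL_IP, LOCAL_MAC, threshold=3, window=5.0)
    return [det.observe(t * 0.1, SAMPLE) for t in range(5)]
```

Because the sender MAC is attacker-controlled, as the message notes, the detector keys on the claimed IP rather than on the source address.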