Re: WinNT Widespread Teardrop Exploit

Russ (Russ.Cooper@RC.ON.CA)
Wed, 04 Mar 1998 03:43:25 -0500

So far, on sites where caps were available (or tcpdumps) all replays of
said caps have failed to crash machines patched against Teardrop2.

Since it's impossible to be certain, in such a short period of time (the
attacks began on Sunday night EST and have continued through to the time
of posting), that all attacks are the same (or significantly similar),
there is hesitancy to say this is definitely Teardrop2.

Some sites have reported DNS attacks; the sites I've talked to that saw
attacking packets labeled DNS all indicated that those packets were, in
fact, invalid DNS packets. Instead, it appears that fragmented UDP 53
packets are being used to form the exploit and trigger the kernel crash
on NT and Win95 boxes that have not been patched.

At least one site reported that Linux kernels prior to 2.0.32 that have
not been patched will freeze; this is consistent with Teardrop2.

Win98 beta 3 machines seem to be unaffected; they include the Teardrop2
fixes.

I've had two confirmations, in addition to Microsoft, from very large
orgs that machines patched with the Teardrop2 patch from January
(identified in Dale's message) withstood attacks.

Some valuable data points (again, at the time of posting):

- Virtually all of the larger attacks seem to be originating from
199.0.154.13, however this address is spoofed.

- Many of the attacks seem to originate from a source port of 4000 and
go after random ports. ICQ is on port 4000 but is, currently, not
suspect.

- The majority of other reports indicate source and destination ports
53.

- Everyone is seeing fragmented UDP packets with a 32 byte offset.
Assembled size seems to vary, although this could just be a result of
the analysis methods.

The focus on .gov and .edu sites seems consistent with Aleph's story
pointers.

You can have a look at my NTBugTraq archives for today to follow my
reports on the discoveries (as well as my silly theories).

http://listserv.ntbugtraq.com/SCRIPTS/WA-NTBT.EXE?S2=ntbugtraq&q=&s=&f=&a=3+mar+98&b=4+mar+98

Cheers,
Russ
http://www.ntbugtraq.com
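As an added illustration (not part of Russ's post, nor any tool he mentions), the following Python sketch shows the kind of check a defender could run over captured packets to spot the overlapping-fragment pattern the Teardrop family relies on, which is what the "fragmented UDP packets with a 32 byte offset" data point hints at. The packets, addresses and IP IDs below are constructed for the example.

```python
import struct
from collections import defaultdict
UDP = 17

def parse_ipv4(pkt):
    """Pull the IPv4 fields needed for fragment tracking out of a raw packet."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": src, "dst": dst, "id": ident, "proto": proto,
            "offset": (flags_frag & 0x1FFF) * 8,   # offset field is in 8-byte units
            "more": bool(flags_frag & 0x2000),     # MF (more fragments) flag
            "data_len": total_len - ihl}

def find_overlapping_fragments(packets):
    """Return one alert per UDP fragment whose byte range overlaps an earlier
    fragment of the same (src, dst, id) datagram."""
    ranges = defaultdict(list)        # datagram key -> [(start, end), ...]
    alerts = []
    for pkt in packets:
        h = parse_ipv4(pkt)
        if h["proto"] != UDP or (h["offset"] == 0 and not h["more"]):
            continue                  # not UDP, or not a fragment at all
        key = (h["src"], h["dst"], h["id"])
        start, end = h["offset"], h["offset"] + h["data_len"]
        if any(start < e and s < end for s, e in ranges[key]):
            alerts.append((key, start, end))
        ranges[key].append((start, end))
    return alerts

def build_fragment(src, dst, ident, offset, more, payload_len):
    """Constructed test fragment: minimal IPv4 header plus zero-filled payload
    (checksum left at 0; this is only for feeding the detector)."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, 64, UDP, 0, src, dst)
    return hdr + bytes(payload_len)

SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses
# Benign: first fragment carries bytes 0-31, second starts at 32: no overlap.
BENIGN = [build_fragment(SRC, DST, 1, 0, True, 32),
          build_fragment(SRC, DST, 1, 32, False, 20)]
# Suspicious: bytes 32-35 are claimed by both fragments (Teardrop-style overlap).
SUSPICIOUS = [build_fragment(SRC, DST, 2, 0, True, 36),
              build_fragment(SRC, DST, 2, 32, False, 8)]

if __name__ == "__main__":
    print("benign:", find_overlapping_fragments(BENIGN))
    print("suspicious:", find_overlapping_fragments(SUSPICIOUS))
```

A real deployment would feed the detector from a pcap reader and key on the full reassembly tuple, but the overlap test itself is the whole check.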