Bugtraq mailing list archives

Re: WinNT Widespread Teardrop Exploit


From: mcysys () RITVAX ISC RIT EDU (Michael Young - 716-475-6031)
Date: Wed, 4 Mar 1998 09:56:24 -0500


We got hit by this here at RIT between 6pm and 10pm Monday night.  Based
on the machines that were hit it seems to be a combination of both TearDrop
and the latest SMB logon type attack on WinNT/95 boxes.  All of the machines
that had both of the patches available for these exploits (See Microsoft
Articles Q179129, Q180963) were unaffected (including mine).  Those that had
only the Teardrop fix were hit by the other one.

Michael Young
Rochester Institute of Technology
mcysys () rit edu

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () NETSPACE ORG] On Behalf Of Aleph One
Sent: Wednesday, March 04, 1998 12:59 AM
To: BUGTRAQ () NETSPACE ORG
Subject: WinNT Widespread Teardrop Exploit


There seems to be a very large Teardrop type attack going on. Rumors are
that it may not actually be Teardrop but some new vulnerability that
affects Windows 95, Windows NT and Linux, but no one seems to have yet
verified this claim.

This incident may be related to the recent large attack on NASA sites
< http://www.news.com/News/Item/0,4,19674,00.html?st.ne.fd.gif.c >
which in turn may be related to a threat made by one of the recently raided
teenagers involved in the "Pentagon" attacks where he suggests that others
may take retaliatory action for his treatment
< http://www.wired.com/news/news/technology/story/10666.html >.

You may wish to keep a network sniffer running looking for interesting
traffic and if you see an attack try and verify if it is indeed Teardrop
or something else.

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

---------- Forwarded message ----------
Date: Tue, 03 Mar 1998 23:27:49 -0500
From: Dale Drew <ddrew () mci net>
To: miigs () mci net, meals () mci net
Subject: WinNT Widespread Teardrop Exploit : iMCISE:IMCI:030398:01:P1R1



                          MCI Telecommunications

                         internetMCI Security Group


Report Name: iMCI Security Alert - WinNT Widespread Teardrop Exploit
Report Number: iMCISE:IMCI:030398:01:P1R1
Report Date: 03/03/98
Report Format: InFormal
Report Classification: MCI Informational
Report Reference: http://www.security.mci.net

------------------------------------------------------------------------

MCI has received confirmation of an ongoing, widespread
attack specifically targeting Internet connected WindowsNT
systems.  We are providing this data in an effort to
alert you to these attacks, and to possibly provide a
protection mechanism against them.

This exploit appears to be a variation of the TearDrop
(http://www.microsoft.com/security) attack that
has affected Win95 and WinNT machines in the past.

Patches for this appear to be available at:

ftp://ftp.microsoft.com/bussys/winnt/winntpublic/fixes/usa/nt40/hotfixes-postSP3/teardrop2-fix/Q179129.txt
ftp://ftp.microsoft.com/bussys/winnt/winntpublic/fixes/usa/nt40/hotfixes-postSP3/teardrop2-fix/README.TXT

for Intel
ftp://ftp.microsoft.com/bussys/winnt/winntpublic/fixes/usa/nt40/hotfixes-postSP3/teardrop2-fix/tearfixi.exe

for Alpha
ftp://ftp.microsoft.com/bussys/winnt/winntpublic/fixes/usa/nt40/hotfixes-postSP3/teardrop2-fix/tearfixa.exe

The attacks appear to be automated and coming from multiple
sources, sweeping specific systems within a customer's network
(e.g., possibly obtaining a list of systems via DNS tables, then
attacking found systems).  You may want to take measures to
have your Intrusion Detection systems look for sequential
DNS lookups of your netblocks.

Source addresses of the attack have been forged; one address
that has been used in previous attacks is 199.0.154.13,
although that address could be changed at any time, since
the address is a forged, invalid address.

The source port of the attack, thus far, has been TCP port 4000,
although that port could be changed at any time as well.

The attack appears to be focused on .gov and .edu sites, although
some commercial sites have registered complaints.

Should you have any questions, please feel free to contact myself
or MCI's Incident Response Team at "security () mci net".

NT and Microsoft security issues can be obtained at:

http://www.microsoft.com/security
http://listserv.ntbugtraq.com/archives/index.html


                   SUCCESS THROUGH TEAMWORK
================================================================

Dale Drew                                 MCI Telecommunications
Sr. Manager                                 internetMCI Security
                                                     Engineering
Voice:  703/715-7058                     Internet: ddrew () mci net
Fax:    703/715-7066                 MCIMAIL: Dale_Drew/644-3335
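Both Aleph One and the MCI alert above ask readers to sniff and verify whether the traffic really is Teardrop. The script below is an added example, not code from the thread or from MCI: it parses raw IPv4 headers and flags fragments whose byte range overlaps an earlier fragment of the same datagram, the signature of the original Teardrop (a second fragment whose payload ends inside the first). The packets are constructed inline so it runs offline; the forged source 199.0.154.13 is used only because the alert cites it, and the payload sizes (36-byte first fragment, 4-byte fragment at offset 24) are this example's assumption about the classic tool, not something the thread states.

```python
"""Flag Teardrop-style overlapping IP fragments in raw IPv4 packets.

Added example for the Bugtraq thread above; not part of the original posts.
Teardrop-family tools send two fragments of one datagram whose offsets overlap
so that the second fragment's payload ends *inside* the first, which crashed
unpatched reassembly code.  All packets here are constructed, not captured.
"""
import struct
from collections import defaultdict


def parse_ipv4(pkt: bytes) -> dict:
    """Return the IPv4 header fields needed for fragment tracking."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "id": ident,
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),        # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,    # fragment offset in bytes
        "payload_len": total_len - ihl,
    }


def build_fragment(src, dst, ident, offset, mf, payload, proto=17):
    """Build a raw IPv4 fragment (checksum left zero; parsed only, never sent)."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      bytes(int(x) for x in src.split(".")),
                      bytes(int(x) for x in dst.split(".")))
    return hdr + payload


def find_overlapping_fragments(packets):
    """Group fragments per (src, dst, id, proto); report any fragment whose
    byte range overlaps an earlier fragment of the same datagram."""
    seen = defaultdict(list)   # datagram key -> list of (start, end)
    alerts = []
    for pkt in packets:
        h = parse_ipv4(pkt)
        if not h["mf"] and h["offset"] == 0:
            continue   # not a fragment
        key = (h["src"], h["dst"], h["id"], h["proto"])
        start, end = h["offset"], h["offset"] + h["payload_len"]
        for s, e in seen[key]:
            if start < e and end > s:
                alerts.append({
                    "src": h["src"], "dst": h["dst"], "id": h["id"],
                    "fragment": (start, end), "overlaps": (s, e),
                    # classic Teardrop: new fragment lies wholly inside the old
                    "teardrop_style": s <= start and end < e,
                })
                break
        seen[key].append((start, end))
    return alerts


# Constructed sample traffic (assumed layout, not a real capture).
SAMPLE = [
    # Teardrop pair: 36-byte first fragment, then 4 bytes at offset 24.
    build_fragment("199.0.154.13", "10.1.2.3", 242, 0, True, b"\x00" * 36),
    build_fragment("199.0.154.13", "10.1.2.3", 242, 24, False, b"\x00" * 4),
    # Benign fragmentation: contiguous 1480-byte body then the tail.
    build_fragment("10.9.8.7", "10.1.2.3", 7, 0, True, b"A" * 1480),
    build_fragment("10.9.8.7", "10.1.2.3", 7, 1480, False, b"A" * 100),
]


def scan_sample():
    """Run the detector over the constructed sample; returns the alert list."""
    return find_overlapping_fragments(SAMPLE)


if __name__ == "__main__":
    for alert in scan_sample():
        print(alert)
```

To use this on live traffic, feed it the IP layer of sniffed frames (strip the 14-byte Ethernet header first); a contiguous fragment train produces no alert, while any overlap is reported with both byte ranges so you can tell a Teardrop-style containment from ordinary retransmission noise.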


