Bugtraq mailing list archives
ARP problem in Windows9X/NT
From: joel () mobila cx (Joel Jacobson)
Date: Mon, 12 Apr 1999 13:59:54 +0200
Hello all bugtraqers! I've found a problem in Windows9X/NT's way of handeling ARP packets. If you flood a computer at your LAN with the packet below, it's user will be forced to click a messagebox's OK button x times, where x is the number of packets you flooded with. I advice Microsoft to develope a patch for this problem, that let you choose to ignore all future messages of this type. There is no way to trace the flooder since the MAC address in the packet can be modified to anything. Bad configurated routers will not drop this packet. When I tested this problem on my LAN I could flood a computer on another C-net at my LAN without problems. The program NetXRay was used to preform the flood. The victims had to reboot their computer, or choose to click _very_ many OK buttons. The ARP packet is build up like this: Ethernet Version II: Address: XX-XX-XX-XX-XX-XX --->FF-FF-FF-FF-FF-FF Ehternet II Protocol Type: ARP Address Resolution Protocol: Hardware Type: 1 (Ethernet) Protocol Type: 800 Hardware Address: Length: 6 Protocol Address: Length: 4 Operations: ARP Request Source Hardware Address: XX-XX-XX-XX-XX-XX IP Source Address: <victim computer's IP> Destination Hardware Address: XX-XX-XX-XX-XX-XX IP Destination Address: <victim computer's IP> And in HEX the packet look like this: ff ff ff ff ff ff 00 00 00 00 00 00 08 06 08 00 06 04 00 01 00 00 00 00 00 00 XX XX XX XX 00 00 00 00 00 00 XX XX XX XX (XX is what matters here) Hope a patch for this problem will be developed fast, cause this is a big problem for my school and probably also to others. I'm not a C programmer, and don't know how to write an exploit for this problem. So, if anyone else can develope an exploit, feel free to do so. Joel Jacobson.
Current thread:
- Re: ICQ Webserver bug Ronald A. Jarrell (Apr 06)
- <Possible follow-ups>
- Re: ICQ Webserver bug José Reyes Cedeño (Apr 08)
- Re: ICQ Webserver bug Kaven Rousseau (Apr 08)
- Re: ICQ Webserver bug Frank Dekervel (Apr 10)
- ARP problem in Windows9X/NT Joel Jacobson (Apr 12)
- Re: ARP problem in Windows9X/NT gandalf () POBOX COM (Apr 12)
- Re: ARP problem in Windows9X/NT kay (Apr 13)
- Re: ARP problem in Windows9X/NT kay (Apr 13)
- Serious security holes in web anonimyzing services Patrick Oonk (Apr 13)
- Re: Serious security holes in web anonimyzing services Jeremey Barrett (Apr 13)
- Re: ARP problem in Windows9X/NT route () RESENTMENT INFONEXUS COM (Apr 13)
- Re: ARP problem in Windows9X/NT gandalf () POBOX COM (Apr 13)
- Re: ARP problem in Windows9X/NT route () RESENTMENT INFONEXUS COM (Apr 13)
- Re: ARP problem in Windows9X/NT Alan DeKok (Apr 13)
- Re: ARP problem in Windows9X/NT Joseph Gooch (Apr 14)