[10182] in bugtraq
ARP problem in Windows9X/NT
daemon@ATHENA.MIT.EDU (Joel Jacobson)
Mon Apr 12 16:26:29 1999
Date: Mon, 12 Apr 1999 13:59:54 +0200
Reply-To: Joel Jacobson <joel@mobila.cx>
From: Joel Jacobson <joel@MOBILA.CX>
To: BUGTRAQ@NETSPACE.ORG
Hello all bugtraqers!
I've found a problem in Windows9X/NT's way of handling ARP packets.
If you flood a computer at your LAN with the packet below, its user
will be forced to click a messagebox's OK button x times, where x is the number
of packets you flooded with.
I advise Microsoft to develop a patch for this problem, that lets you
choose to ignore all future messages of this type.
There is no way to trace the flooder since the MAC address in the
packet can be modified to anything. Badly configured routers will
not drop this packet. When I tested this problem on my LAN I could
flood a computer on another C-net at my LAN without problems.
The program NetXRay was used to perform the flood.
The victims had to reboot their computer, or choose to click _very_
many OK buttons.
The ARP packet is built up like this:
Ethernet Version II:
Address: XX-XX-XX-XX-XX-XX --->FF-FF-FF-FF-FF-FF
Ethernet II Protocol Type: ARP
Address Resolution Protocol:
Hardware Type: 1 (Ethernet)
Protocol Type: 800
Hardware Address: Length: 6
Protocol Address: Length: 4
Operations: ARP Request
Source Hardware Address: XX-XX-XX-XX-XX-XX
IP Source Address: <victim computer's IP>
Destination Hardware Address: XX-XX-XX-XX-XX-XX
IP Destination Address: <victim computer's IP>
And in HEX the packet looks like this:
ff ff ff ff ff ff 00 00 00 00 00 00 08 06 08 00 06 04 00 01 00 00 00
00 00 00 XX XX XX XX 00 00 00 00 00 00 XX XX XX XX
(XX is what matters here)
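Added here for defenders, not part of the original post: a small detector that parses Ethernet II + ARP frames (assuming the standard RFC 826 layout, including the 2-byte hardware type before the protocol type) and alerts when one IP is "announced to itself" (sender IP equal to target IP) more often than a threshold. The sample frames, the victim address 192.0.2.10 and the host 192.0.2.1 are constructed for the example.

```python
import socket
import struct
from collections import Counter

ETHERTYPE_ARP, ARP_REQUEST = 0x0806, 1
BCAST, ZERO_MAC = b"\xff" * 6, b"\x00" * 6

def parse_arp(frame: bytes):
    """Parse an Ethernet II + ARP frame using the RFC 826 layout; None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_src": eth_src, "oper": oper, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

def is_self_announcement(arp) -> bool:
    """The shape from the post: an ARP request whose sender IP equals its target IP.
    The sender MAC is attacker-chosen, so it is deliberately not used as a signal."""
    return arp is not None and arp["oper"] == ARP_REQUEST and arp["spa"] == arp["tpa"]

def flood_alerts(frames, threshold: int) -> dict:
    """Count self-announcements per announced IP; report IPs at or above threshold.
    A single one is a normal gratuitous ARP (hosts announce themselves on boot),
    so only the rate is alerted on."""
    hits = Counter()
    for frame in frames:
        arp = parse_arp(frame)
        if is_self_announcement(arp):
            hits[socket.inet_ntoa(arp["tpa"])] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def arp_frame(eth_src, sha, spa, tha, tpa, oper=ARP_REQUEST) -> bytes:
    """Constructed sample frame (test fixture only): broadcast Ethernet II + ARP request."""
    return (BCAST + eth_src + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + tha + tpa)

# Constructed samples: victim 192.0.2.10 and a legitimate host 192.0.2.1 (documentation range).
VICTIM_IP, LEGIT_IP = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])
LEGIT_MAC = bytes.fromhex("020000000001")
SAMPLE_FRAMES = (
    [arp_frame(ZERO_MAC, ZERO_MAC, VICTIM_IP, ZERO_MAC, VICTIM_IP)] * 5  # the flood from the post
    + [arp_frame(LEGIT_MAC, LEGIT_MAC, LEGIT_IP, ZERO_MAC, VICTIM_IP),   # ordinary who-has request
       arp_frame(LEGIT_MAC, LEGIT_MAC, LEGIT_IP, ZERO_MAC, LEGIT_IP)]    # one genuine gratuitous ARP
)
```

Run over a capture, `flood_alerts(frames, 3)` reports only the flooded address; the single gratuitous ARP from the legitimate host stays below the threshold.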
Hope a patch for this problem will be developed fast, because this is a
big problem for my school and probably also for others.
I'm not a C programmer, and don't know how to write an exploit for
this problem. So, if anyone else can develop an exploit, feel free to do so.
Joel Jacobson.