[plug] local DoS with ping -R
Matt Kemner
zombie at networx.net.au
Mon Dec 13 12:26:14 WST 1999
On Mon, 13 Dec 1999, Anthony J. Breeds-Taurima wrote:
> This means you can't attack someone from 2.1, without hacking ping.c. It
> doesn't mean you can't be attacked by someone (... well you're obviously
> behind a f/w so that doesn't count) BUT if your box had a real IP I
> reckon you'd be vulnerable
You are missing the point. There are actually three issues here.
1. Some versions of ping allow "mere mortals" to create large packets
with -s and use those packets to flood somebody else's link.
You can also flood someone's link from your own box as root, but you
are limited by the size of your own link, which is why the -s problem
only really applies for ISPs, where you don't want "mere mortals" to
use your big E1 link to flood some poor soul's 56k link.
(Of course there are easier ways to flood someone's link that don't
require root access, such as sending lots and lots of large UDP
packets)
2. (my original reason for posting, and the most recent ping bug)
Some versions of ping allow you to create an invalid packet with
"ping -s 65468 -R" that crashes the machine _you are running ping on_.
This is mainly a problem for ISPs etc. where you cannot trust local
users.
3. Some versions of ping (that ping a host every second by default) rely
on the "ALARM" signal to tell if a second has passed yet, so you can
trick it to send pings several times a second by sending it the alarm
signal several times a second.
I think this has also been fixed in recent versions of ping.
(At least I can't reproduce it with the version of ping that I could
successfully crash the 2.0 machine with :)
See http://www.securityfocus.com/templates/archive.pike?list=1&msg=352CAAE8.CC902ABA@mclink.it
for a sample exploit program.
- Matt