Bugtraq mailing list archives

Re: Solaris Ping bug (DoS)

From: jone () HYDROLAB ARSUSDA GOV (Jon Edwards)
Date: Mon, 30 Jun 1997 12:03:07 -0400


here's what i got from sun last friday:

The command:

ping -i 127.0.0.1 224.0.0.1

causes the loopback interface to reply to the echo request, since it is
itself a member of the ALLHOSTS group (224.0.0.1). However, in our
loopback implementation, the read queue for a loopback interface ( ill_rq)
is set to NULL. As, a result, the function icmp_inbound(), in sending an
ICMP_ECHO_REPLY (using the put system call) causes the machine to panic,
since the target queue is NULL.

-----------
anyhow, looking at the man page - i ask is there any reason why the -L
switch isn't always set?

here's 2 examples (fun C project) - either should work fine .. in the
first one for paranoia - envp is nullified .. probably fine w/ just an
execv too .. the second one was contributed by a co-worker .. it doesn't
nuke the environment, but does everything with pointers ..

        gcc -o pingL pingL.c
        mv /usr/sbin/ping /usr/sbin/ping.ow
        chmod 555 /usr/sbin/ping.ow
        mv pingL /usr/sbin/ping
        chmod 4555 /usr/sbin/ping

pingL.c (example 1)
-----------
main(int argc, char * argv[], char * envp[])
{
        int i;
        int j;
        char ** nargv;
        char * dumbenv=0;
        nargv = (char **) malloc(sizeof(char *) * (argc+1));

        /* force the -L on the new argv */
        nargv[0] = argv[0];
        nargv[1] = "-L";

        for (i=1;argv[i];i++) {
                j = i+1;
                nargv[j] = argv[i];
        }
        nargv[i+1] = 0;
        execve("/usr/sbin/ping.ow",nargv,&dumbenv);
}
-----------
pingL.c (example 2)
-----------
int main (int argc, char **argv)
{
   char *prog = "/usr/sbin/ping.ow";
   char *narg = "-L";

   char **oargv = argv;
   char **nargv = (char**)malloc((argc+2)*sizeof(char*));

   char **xargv = nargv;

   *xargv++ = prog; oargv++;

   *xargv++ = narg;

   while (oargv&&(*oargv)) *xargv++=*oargv++;

   xargv = 0;

   execv(prog,nargv);

   return 1;
}

---------

onto the next adventure!
hedge
----------
"That's Unix Engineers .. not Eunuchs Engineers"
"um .. someone cancel the nurse .."

Current thread:

Re: Solaris Ping bug (DoS), (continued)
- - Re: Solaris Ping bug (DoS) Gnuchev Fedor (Jun 26)
  - Re: Solaris Ping bug (DoS) just me. (Jun 26)
  - Re: Solaris Ping bug (DoS) Francesco Messineo (Jun 26)
  - 'sec-fix' for NT 3.51 Aleph One (Jun 26)
  - Problem in dxterm (ULTRIX) Trevor Schroeder (Jun 26)
  - Re: Solaris Ping bug (DoS) Philip Kizer (Jun 26)
    - Solaris Ping bug(inetsvc) Renteria Tabares J. (Jun 27)
    - Announce: ypcat for Win NT/95 Aaron Spangler (Jun 27)
  - Re: Solaris Ping bug (DoS) Geoff Mulligan (Jun 27)
    - Win95 ping bug nomad () APOLLO TOMCO NET (Jun 29)
    - Re: Solaris Ping bug (DoS) Jon Edwards (Jun 30)
  - Alert: Routing and RAS Filtering issue Aleph One (Jun 27)
  - Solaris Ping Bug and other [bc] oddities Aleph One (Jun 23)
- Re: [ADVISORY] 4.4BSD Securelevels Howie Kaye (Jun 26)
  - Re: [ADVISORY] 4.4BSD Securelevels Thomas H. Ptacek (Jun 26)
  - SUMMARY: Solaris Ping bug (DoS) Gnuchev Fedor (Jun 27)
  - Security hole affects many cvs pserver installations Aleph One (Jun 27)