Bugtraq mailing list archives
Re: Solaris Ping bug (DoS)
From: jone () HYDROLAB ARSUSDA GOV (Jon Edwards)
Date: Mon, 30 Jun 1997 12:03:07 -0400
here's what i got from sun last friday:

The command:

    ping -i 127.0.0.1 224.0.0.1

causes the loopback interface to reply to the echo request, since it is itself a member of the ALLHOSTS group (224.0.0.1). However, in our loopback implementation, the read queue for a loopback interface (ill_rq) is set to NULL. As a result, the function icmp_inbound(), in sending an ICMP_ECHO_REPLY (using the put system call) causes the machine to panic, since the target queue is NULL.

-----------

anyhow, looking at the man page - i ask is there any reason why the -L switch isn't always set?

here's 2 examples (fun C project) - either should work fine .. in the first one for paranoia - envp is nullified .. probably fine w/ just an execv too .. the second one was contributed by a co-worker .. it doesn't nuke the environment, but does everything with pointers ..

    gcc -o pingL pingL.c
    mv /usr/sbin/ping /usr/sbin/ping.ow
    chmod 555 /usr/sbin/ping.ow
    mv pingL /usr/sbin/ping
    chmod 4555 /usr/sbin/ping

pingL.c (example 1)
-----------
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char * argv[], char * envp[])
{
    int i;
    int j;
    char ** nargv;
    char * dumbenv = 0;   /* empty environment handed to the real ping */

    if (argc < 1)         /* no argv[0]: nothing sane to forward */
        return 1;

    /* room for argv[0], "-L", the argc-1 original arguments and the NULL */
    nargv = (char **) malloc(sizeof(char *) * (argc + 2));
    if (nargv == 0)
        return 1;

    /* force the -L on the new argv */
    nargv[0] = argv[0];
    nargv[1] = "-L";
    for (i = 1; argv[i]; i++) {
        j = i + 1;
        nargv[j] = argv[i];
    }
    nargv[i + 1] = 0;
    execve("/usr/sbin/ping.ow", nargv, &dumbenv);
    return 1;             /* only reached if execve() failed */
}
-----------
pingL.c (example 2)
-----------
#include <stdlib.h>
#include <unistd.h>

int main (int argc, char **argv)
{
    char *prog = "/usr/sbin/ping.ow";
    char *narg = "-L";
    char **oargv = argv;
    char **nargv;
    char **xargv;

    if (argc < 1)         /* no argv[0]: nothing sane to forward */
        return 1;

    /* room for prog, "-L", the argc-1 original arguments and the NULL */
    nargv = (char**)malloc((argc + 2) * sizeof(char*));
    if (nargv == 0)
        return 1;
    xargv = nargv;

    *xargv++ = prog;
    oargv++;              /* skip the original argv[0] */
    *xargv++ = narg;
    while (oargv && (*oargv))
        *xargv++ = *oargv++;
    *xargv = 0;           /* NULL-terminate the new argv */
    execv(prog, nargv);
    return 1;             /* only reached if execv() failed */
}
---------

onto the next adventure!

hedge

----------
"That's Unix Engineers .. not Eunuchs Engineers"
"um .. someone cancel the nurse .."
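The wrapper idea from the post above, written as an added example that is not part of the original message: the argv construction is pulled into a function so its sizing and termination can be checked, and it copies by argc so an empty argv (argc == 0) cannot run past the array. The helper name build_ping_argv is hypothetical; the path /usr/sbin/ping.ow and the forced -L come from the post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define REAL_PING "/usr/sbin/ping.ow"   /* renamed original binary, path from the post */

/*
 * Hypothetical helper (not from the post): build
 *   { REAL_PING, "-L", user arguments..., NULL }
 * Returns NULL if argc is negative or the allocation fails.
 * Arguments are copied by count, never by scanning for a NULL, so a caller
 * that execs the wrapper with argc == 0 cannot make it read beyond argv.
 */
char **build_ping_argv(int argc, char *const argv[])
{
    int nuser = argc > 1 ? argc - 1 : 0;   /* arguments after argv[0] */
    char **nargv;
    int i;

    if (argc < 0)
        return NULL;

    /* program name + "-L" + user arguments + terminating NULL */
    nargv = calloc((size_t)nuser + 3, sizeof *nargv);
    if (nargv == NULL)
        return NULL;

    nargv[0] = REAL_PING;
    nargv[1] = "-L";                       /* always forced, always first */
    for (i = 0; i < nuser; i++)
        nargv[2 + i] = argv[1 + i];
    return nargv;                          /* calloc left the last slot NULL */
}

int main(int argc, char *argv[])
{
    char *clean_env[] = { NULL };          /* empty environment, as in example 1 */
    char **nargv = build_ping_argv(argc, argv);

    if (nargv == NULL) {
        fputs("ping wrapper: cannot build argument list\n", stderr);
        return 1;
    }
    execve(REAL_PING, nargv, clean_env);
    perror(REAL_PING);                     /* only reached if execve() failed */
    return 1;
}
```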