Bugtraq mailing list archives

SUMMARY: Solaris Ping bug (DoS)


From: qwe () HT EIMB RSSI RU (Gnuchev Fedor)
Date: Fri, 27 Jun 1997 18:37:47 +0400


Good morning Aleph,

I hope that the following summary will stop the ping discussion.
I've just removed the extra water from the responses.
-------snip-snip-------
Making a summary from received solutions I guess prize goes to

 Mark Henderson <mch () squirrel com>

for the reason of closing the hole that ping 'pinged':

From: Mark Henderson <mch () squirrel com>
try
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0

 // should be added to /etc/init.d/inetinit to be permanent.
-----------
From: John Mizzi <jmizzi () premenos com>
From: Frank DENIS -Jedi/Sector One- <j () donald fr>
From: Dan Bell <dbell () blaze cs jhu edu>
From: George Turner <grturner () netcom com>
From: "Matthew R. Potter" <mpotter () intr net>
From: Mark Henderson <mch () squirrel com>
From: Andrew <radak () yo fuh-q org>
From: Joao Miguel Neves <jmne () rnl ist utl pt>

other solutions:
- use wrapper
- use traceroute
- compile BSD ping
are included in no particular order:
From: John Mizzi <jmizzi () premenos com>

Yes, I can confirm this on Solaris 2.5.1
From: Frank DENIS -Jedi/Sector One- <j () donald fr>
Disabling ping??! Hope someone will devise more chewable solution :-)
  Let your users use traceroute instead...
From: George Turner <grturner () netcom com>
Disabling ping??! Hope someone will devise more chewable solution :-)

I'm doing the following for now:

chmod 500 /usr/sbin/ping
mv /usr/sbin/ping /usr/sbin/ping.bug
gcc -o ping wping.c
chmod 4555 ping
mv ping /usr/sbin

--------------------------------wping.c---------------------------
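#include <stdio.h>
#include <string.h>     /* memset, strncpy */
#include <unistd.h>     /* execl */
char host[75];
int main(int argc, char **argv)
{
switch (argc)
        {
        case 2:
                /* exactly one argument: copy it (truncated to fit) and pass only it on */
                memset(host, '\0', sizeof(host));
                strncpy(host, argv[1], sizeof(host)-1);
                execl("/usr/sbin/ping.bug", "ping", host, (char *)NULL);
                perror("execl");        /* only reached if execl fails */
                break;
        default:
          fprintf(stderr, "Options are currently disabled for non-root user.\n");
        }
return 1;       /* not reached when the exec succeeds */
}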
From: George Turner <grturner () netcom com>
Subject: Re: Solaris Ping bug (DoS)

Yeah, it's just stopgap, but most of my users do like to be able to ping
places and almost never use any of the ping options.

George

From: "Matthew R. Potter" <mpotter () intr net>

What about fixing the actual kernel code, I assume it's the multicast
stuff, or just disable it. Can u disable it on boot?


From: Mark Henderson <mch () squirrel com>
try
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
(only tested on a single 2.5.1 machine)
qwe: Well, it does close the hole on all 2.x I could reach - 2.4, 2.5, 2.5.1

From: Dan Bell <dbell () blaze cs jhu edu>

Disabling ping??! Hope someone will devise more chewable solution :-)

The only solution I've got (as I lack working code for ping), has actually
been to use my ancient SunOS version in binary compatibility mode. It's a
disgusting thing to do, but the old version doesn't have this bug. I've
only applied this kludge on undergraduate machines, where I know they'll
crash them just for the hell of it :).

From: Andrew <radak () yo fuh-q org>

I took the standard AUSCERT overflow wrapper and changed line 178 from:
        if (strlen(argv[i]) > MAXARGLEN)
to:
        if (strcmp(argv[i],"-i") == 0)

And thusly wrapped ping.  I don't know if this is actually a 100% 'patch'
(someone with better knowledge of C care to comment?), but it'll at least
prevent the exploit as printed.  (I figure non-root users shouldn't need
to be able to specify interface anyway.)

-Andrew

From: Joao Miguel Neves <jmne () rnl ist utl pt>

You can always do like me. I compiled the BSD ping and disabled the other.

                                                          Joao Miguel Neves
                                                           jmne () poboxes com
-----------------------


With best regards

Fedor Gnuchev
 mailto:qwe () ht eimb rssi ru
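
Added example, not part of the original post or any poster's code: a variant of the wrapper approach discussed in this thread that forwards exactly one host-name-like argument and refuses anything beginning with `-`, rather than matching a single option string. The `REAL_PING` path follows the post; `MAX_HOST`, the character allowlist and the fixed `PATH` are assumptions, and like the wrappers above it is a stopgap, not a kernel fix.

```c
/* Added example: argument allowlist for a setuid ping wrapper. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define REAL_PING "/usr/sbin/ping.bug"  /* renamed binary, as in the post */
#define MAX_HOST  255                   /* assumed upper bound for a host name */

/* Return 1 if arg looks like a plain host name or dotted address, else 0.
 * Anything starting with '-' is refused, so no option reaches the real ping. */
int host_arg_ok(const char *arg)
{
    size_t i, len;

    if (arg == NULL)
        return 0;
    len = strlen(arg);
    if (len == 0 || len > MAX_HOST || arg[0] == '-')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Return 1 only for "ping <host>" with an acceptable host argument. */
int wrapper_allows(int argc, char **argv)
{
    return argc == 2 && host_arg_ok(argv[1]);
}

int main(int argc, char **argv)
{
    /* Assumed minimal environment: nothing inherited from the caller. */
    char *clean_env[] = { "PATH=/usr/sbin:/usr/bin", NULL };

    if (!wrapper_allows(argc, argv)) {
        fprintf(stderr, "usage: ping host (options are disabled)\n");
        return 2;
    }
    execle(REAL_PING, "ping", argv[1], (char *)NULL, clean_env);
    perror("execle");   /* reached only if the exec failed */
    return 1;
}
```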


