Vulnerability Development mailing list archives

Re: ping -i (TTL) Vulnerability


From: rpc <h () ckz org>
Date: Wed, 21 Feb 2001 21:51:12 UTC

On Wed, 21 Feb 2001 15:34:49 -0800, Reverend Lola said:

-----Original Message-----
 >From: Damian Menscher [mailto:menscher () UIUC EDU]
 >Sent: Wednesday, February 21, 2001 12:20 PM
 >To: VULN-DEV () SECURITYFOCUS COM
 >Subject: Re: ping -i (TTL) Vulnerability

 %<-----SNIP----->%

 >No doubt that this would do absolutely nothing from a
 >remote location.

 %<-----SNIP----->%

 Actually, it does.


What you define below does not constitute a 'remote attack'. ping is still
executing locally. This is completely unrelated. I could just as easily DoS the
machine by creating 1e16 instances of minesweeper with remote command
execution.

--rpc


 I used the Unicode bug to send the command to a remote
 server (NT 4, SP6a, IIS4):
 http://xx.xx.xx.xx/scripts/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+ping+-t+127.0.0.1+-i+0

 CPU usage on the target server went to 100%, and
 stayed there.  Task Manager showed ping.exe was using
 a HUGE amount of system resources (this increased
 memory usage by a bit as well).  I tried to stop
 ping.exe, and could not.  Since ping.exe was started
 by IIS, I then tried to stop the web server, but it
 was not responding either.  The only way to stop it
 was to reboot.

 I'm sure the script kiddies will have fun with this
 one.  :)


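From the defender's side, the request Reverend Lola describes leaves a distinctive trace in the web server log: a URI whose percent-encoding contains overlong UTF-8 forms (`%c0%af` is a two-byte encoding of `/` that strict UTF-8 rejects), which decodes to a `..` traversal ending in `cmd.exe`. The following is an added example, not code from anyone in this thread: it scans constructed IIS W3C-extended log lines (the field order `date time c-ip cs-method cs-uri-stem cs-uri-query sc-status` is an assumption for the sample) and reports requests that combine overlong encoding, path traversal, or an interpreter invocation.

```python
"""Flag IIS requests that use overlong UTF-8 percent-encoding to carry a
path traversal and a command-interpreter invocation.

Added example for this thread.  The log lines below are constructed; the
W3C field layout is an assumption, not IIS's only possible configuration.
"""
import re
from urllib.parse import unquote_plus, unquote_to_bytes

# Constructed sample: one ordinary page hit, the overlong-UTF-8 request
# quoted in the thread, an image, a plainly encoded traversal, and a
# legitimately UTF-8 encoded filename that must NOT be flagged.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-02-21 20:20:01 192.0.2.10 GET /default.htm - 200
2001-02-21 20:20:05 192.0.2.77 GET /scripts/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe /c+ping+-t+127.0.0.1+-i+0 200
2001-02-21 20:20:09 192.0.2.10 GET /images/logo.gif - 200
2001-02-21 20:21:14 192.0.2.77 GET /scripts/..%2f..%2fwinnt/system32/cmd.exe /c+dir 404
2001-02-21 20:21:30 192.0.2.50 GET /docs/caf%c3%a9.htm - 404
"""

# Two-byte sequences with lead byte 0xC0 or 0xC1 are always overlong: they
# encode code points below U+0080 that valid UTF-8 writes as one byte.
OVERLONG_2BYTE = re.compile(rb"[\xc0\xc1][\x80-\xbf]")
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
INTERPRETER = re.compile(r"(?i)[\\/]cmd\.exe$")


def lenient_decode(raw: bytes):
    """Decode the way a permissive canonicaliser would: fold each overlong
    two-byte form onto the ASCII byte it encodes, then decode as UTF-8.
    Returns (text, overlong_seen)."""
    def fold(match):
        b1, b2 = match.group(0)           # iterating bytes yields ints
        return bytes([((b1 & 0x1F) << 6) | (b2 & 0x3F)])

    overlong_seen = bool(OVERLONG_2BYTE.search(raw))
    folded = OVERLONG_2BYTE.sub(fold, raw)
    return folded.decode("utf-8", errors="replace"), overlong_seen


def classify_request(uri_stem: str, uri_query: str) -> dict:
    """Return the decoded path/query and a list of findings for one request."""
    raw = unquote_to_bytes(uri_stem)
    try:
        raw.decode("utf-8")               # strict decode: what a correct parser does
        strict_ok = True
    except UnicodeDecodeError:
        strict_ok = False

    path, overlong = lenient_decode(raw)  # what a lenient parser would see
    findings = []
    if overlong:
        findings.append("overlong-utf8")
    elif not strict_ok:
        findings.append("invalid-utf8")
    if TRAVERSAL.search(path):
        findings.append("path-traversal")
    if INTERPRETER.search(path):
        findings.append("command-interpreter")

    query = "" if uri_query == "-" else unquote_plus(uri_query)
    return {"decoded_path": path, "decoded_query": query, "findings": findings}


def scan_iis_log(text: str):
    """Return (client_ip, decoded_path, decoded_query, findings) for every
    request line in W3C extended format that produced at least one finding."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(" ")
        if len(fields) < 7:
            continue
        _date, _time, c_ip, _method, stem, query, _status = fields[:7]
        result = classify_request(stem, query)
        if result["findings"]:
            hits.append((c_ip, result["decoded_path"], result["decoded_query"], result["findings"]))
    return hits


if __name__ == "__main__":
    for ip, path, query, findings in scan_iis_log(SAMPLE_LOG):
        print(f"{ip}  {path}  {query!r}  {','.join(findings)}")
```

The strict decode and the lenient decode are kept side by side on purpose: the gap between them is exactly what the traversal relied on, so a request that only decodes cleanly under the lenient rules is worth an alert even before the `..` and `cmd.exe` checks fire. Because the decoded query is reported alongside the path, the `ping -t 127.0.0.1 -i 0` payload from the thread shows up in the alert as well.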


