COMMAND
(s)ping
SYSTEMS AFFECTED
Win '95, NT, and OSR2/3
PROBLEM
When you run the program called sping, it will send an oversized
packet (ping -l 65510 ip) to the destined IP and cause the win95
machine to freeze (and NT). Credit goes to fATE 1997 BABY.
SSPING was a product of Datagram of Havok, or so it was thought.
Jeff W. Robertson has come forward on BugTraq with his original
source code however which details this. How it seems to work is
it sends the Win95/NT target a series of fragmented IP packets to
machine, and when the machine puts them together, it then becomes
a large packet (>64k?), which resembles the classic Ping of Death
attack (ICMP packets > 64K), and then it freezes completely.
See for more details:
http://www.darkening.com/ssping/
Below is included the binary to sping.
[snip...]
SOLUTION
Microsoft claim it affects IIS boxes, but obviously it can affect
any NT/Win95 box exposed to the Internet that does not block ICMP
packets. It has become the custom to block ICMP at routers or
Firewalls and not allow such traffic through to servers
themselves, but many have not made the necessary changes.
For fix note that service pack 3 must be applied to Windows NT
4.0 prior to applying this fix. This hotfix has been posted to
the following Internet location:
ftp://ftp.microsoft.com
with path
/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/icmp-fix
For Windows 95 this issue is resolved by the following updated
file for Windows 95 and OSR2:
VIP.386 version 4.0.956 (6/30/97) and later
This file is included in the self-extracting VIPUPD.EXE file. To
install this update, follow these steps (according to MS
advisory):
1. Download the VIPUPD.EXE file from the online service listed
below to an empty folder.
2. In My Computer or Windows Explorer, double-click the
VIPUPD.EXE file you downloaded in step 1.
3. Follow the instructions on the screen.
The following file(s) are available for download from the
Microsoft Software Library:
~ VIPUPD.EXE
|