SUMMARY: Solaris Ping bug (DoS)

Gnuchev Fedor (qwe@HT.EIMB.RSSI.RU)
Fri, 27 Jun 1997 18:37:47 +0400

Good morning Aleph,

I hope that the following summary will stop the ping discussion.
I'd just removed extra water from the responses.
-------snip-snip-------
Making a summary from the received solutions, I guess the prize goes to

Mark Henderson <mch@squirrel.com>

for the reason of closing the hole that ping 'pinged':

From: Mark Henderson <mch@squirrel.com>
try
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0

// should be added to /etc/init.d/inetinit to be permanent.
-----------
From: John Mizzi <jmizzi@premenos.com>
From: Frank DENIS -Jedi/Sector One- <j@donald.fr>
From: Dan Bell <dbell@blaze.cs.jhu.edu>
From: George Turner <grturner@netcom.com>
From: "Matthew R. Potter" <mpotter@intr.net>
From: Mark Henderson <mch@squirrel.com>
From: Andrew <radak@yo.fuh-q.org>
From: Joao Miguel Neves <jmne@rnl.ist.utl.pt>

other solutions:
- use wrapper
- use traceroute
- compile BSD ping
are included in no particular order:
From: John Mizzi <jmizzi@premenos.com>

Yes, I can confirm this on Solaris 2.5.1
From: Frank DENIS -Jedi/Sector One- <j@donald.fr>
> Disabling ping??! Hope someone will devise more chewable solution :-)
Let your users use traceroute instead...
From: George Turner <grturner@netcom.com>
> Disabling ping??! Hope someone will devise more chewable solution :-)

I'm doing the following for now:

chmod 500 /usr/sbin/ping
mv /usr/sbin/ping /usr/sbin/ping.bug
gcc -o ping wping.c
chmod 4555 ping
mv ping /usr/sbin

--------------------------------wping.c---------------------------
#include <stdio.h>
#include <string.h>   /* memset, strncpy */
#include <unistd.h>   /* execl */

char host[75];

int main(int argc, char **argv)
{
    switch (argc)
    {
    case 2:
        /* Exactly one argument (the host) is passed through; every ping
           option is dropped, which keeps the options away from non-root
           users. */
        memset(host, '\0', sizeof(host));
        strncpy(host, argv[1], sizeof(host) - 1);
        /* Run the original binary, moved to ping.bug and made executable
           by root only (see the chmod/mv steps above). */
        execl("/usr/sbin/ping.bug", "ping", host, (char *)NULL);
        break;
    default:
        fprintf(stderr, "Options are currently disabled for non-root user.\n");
    }
    /* Only reached if argc != 2 or execl() failed. */
    return 1;
}
From: George Turner <grturner@netcom.com>
Subject: Re: Solaris Ping bug (DoS)

Yeah, it's just stopgap, but most of my users do like to be able to ping
places and almost never use any of the ping options.

George

From: "Matthew R. Potter" <mpotter@intr.net>

What about fixing the actual kernel code, I assume it's the multicast
stuff, or just disable it. Can you disable it on boot?

From: Mark Henderson <mch@squirrel.com>
try
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
(only tested on a single 2.5.1 machine)
qwe: Well, it does close the hole on all 2.x I could reach - 2.4, 2.5, 2.5.1

From: Dan Bell <dbell@blaze.cs.jhu.edu>

> Disabling ping??! Hope someone will devise more chewable solution :-)

The only solution I've got (as I lack working code for ping), has actually
been to use my ancient SunOS version in binary compatibility mode. It's a
disgusting thing to do, but the old version doesn't have this bug. I've
only applied this kludge on undergraduate machines, where I know they'll
crash them just for the hell of it :).

From: Andrew <radak@yo.fuh-q.org>

I took the standard AUSCERT overflow wrapper and changed line 178 from:
if (strlen(argv[i]) > MAXARGLEN)
to:
if (strcmp(argv[i],"-i") == 0)

And thusly wrapped ping. I don't know if this is actually a 100% 'patch'
(someone with better knowledge of C care to comment?), but it'll at least
prevent the exploit as printed. (I figure non-root users shouldn't need
to be able to specify interface anyway.)

-Andrew
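
Andrew's question about whether an exact strcmp() catches every spelling is a fair one: getopt-style parsers generally accept an option and its value fused ("-ihme0") as well as separated ("-i hme0"), and wping.c above passes its single argument through unchecked. The wrapper below is an added example (not the AUSCERT wrapper nor code from anyone in the thread) that rejects both spellings and keeps the per-argument length check; REAL_PING and MAXARGLEN are assumed values.

```c
/* argwrap.c: argument-filtering setuid wrapper (added example).
   Assumes the original binary has been moved to REAL_PING and made
   executable by root only, and that this wrapper is installed in its
   place with mode 4555. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define REAL_PING "/usr/sbin/ping.bug"  /* path used in this thread */
#define MAXARGLEN 64                     /* assumed per-argument limit */

/* Returns 1 if an argument may be passed to the real binary by an
   unprivileged caller, 0 otherwise. Rejects the interface option in
   both its separated ("-i") and fused ("-ihme0") forms, and any
   argument longer than MAXARGLEN (the AUSCERT-style overflow check). */
int arg_ok(const char *arg)
{
    if (strlen(arg) > MAXARGLEN)
        return 0;
    if (arg[0] == '-' && arg[1] == 'i')
        return 0;
    return 1;
}

/* Scans argv[1..argc-1]; returns the index of the first rejected
   argument, or 0 if every argument is acceptable. */
int first_bad_arg(int argc, char **argv)
{
    int i;
    for (i = 1; i < argc; i++)
        if (!arg_ok(argv[i]))
            return i;
    return 0;
}

int main(int argc, char **argv)
{
    int bad = first_bad_arg(argc, argv);
    if (bad) {
        fprintf(stderr, "ping: argument %d not allowed for non-root use\n", bad);
        return 1;
    }
    argv[0] = "ping";            /* keep the real binary's usage text sane */
    execv(REAL_PING, argv);      /* only returns on failure */
    perror("execv");
    return 1;
}
```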

From: Joao Miguel Neves <jmne@rnl.ist.utl.pt>

You can always do like me. I compiled the BSD ping and disabled the other.

Joao Miguel Neves
jmne@poboxes.com
-----------------------

With best regards

Fedor Gnuchev
mailto:qwe@ht.eimb.rssi.ru