Re: Solaris Ping bug (DoS)

Jon Edwards (jone@HYDROLAB.ARSUSDA.GOV)
Mon, 30 Jun 1997 12:03:07 -0400

Here's what I got from Sun last Friday:

The command:

ping -i 127.0.0.1 224.0.0.1

causes the loopback interface to reply to the echo request, since it is
itself a member of the ALLHOSTS group (224.0.0.1). However, in our
loopback implementation, the read queue for a loopback interface (ill_rq)
is set to NULL. As a result, the function icmp_inbound(), in sending an
ICMP_ECHO_REPLY (using the put system call), causes the machine to panic,
since the target queue is NULL.

-----------
Anyhow, looking at the man page, I ask: is there any reason why the -L
switch isn't always set?

Here are two examples (fun C project); either should work fine. In the
first one, for paranoia, envp is nullified; probably fine with just an
execv too. The second one was contributed by a co-worker; it doesn't
nuke the environment, but does everything with pointers.

gcc -o pingL pingL.c
mv /usr/sbin/ping /usr/sbin/ping.ow
chmod 555 /usr/sbin/ping.ow
mv pingL /usr/sbin/ping
chmod 4555 /usr/sbin/ping

pingL.c (example 1)
-----------
#include <stdlib.h>
#include <unistd.h>

/* setuid wrapper: prepend -L to the caller's arguments and exec the real
 * ping (renamed to ping.ow, which no longer carries the setuid bit, so
 * calling it directly cannot open the raw ICMP socket) with an empty
 * environment */
int main(int argc, char * argv[], char * envp[])
{
    int i;
    int j;
    char ** nargv;
    char * dumbenv=0;   /* &dumbenv is an envp with no entries */

    /* argv[0], "-L", the argc-1 caller args and the NULL need argc+2 slots
     * (the original allocated argc+1, one short) */
    nargv = (char **) malloc(sizeof(char *) * (argc+2));
    if (nargv == 0) return 1;

    /* force the -L on the new argv */
    nargv[0] = argv[0];
    nargv[1] = "-L";

    for (i=1;argv[i];i++) {
        j = i+1;
        nargv[j] = argv[i];
    }
    nargv[i+1] = 0;
    execve("/usr/sbin/ping.ow",nargv,&dumbenv);
    return 1;   /* only reached if the exec failed */
}
-----------
pingL.c (example 2)
-----------
#include <stdlib.h>
#include <unistd.h>

/* same idea, but keeps the caller's environment and walks the arrays
 * with pointers */
int main (int argc, char **argv)
{
    char *prog = "/usr/sbin/ping.ow";
    char *narg = "-L";

    char **oargv = argv;
    /* prog, "-L", the argc-1 caller args and the NULL: argc+2 slots */
    char **nargv = (char**)malloc((argc+2)*sizeof(char*));

    char **xargv = nargv;
    if (nargv == 0) return 1;

    /* the real ping's path becomes argv[0]; skip the caller's argv[0] */
    *xargv++ = prog; oargv++;

    *xargv++ = narg;

    while (oargv&&(*oargv)) *xargv++=*oargv++;

    /* terminate the list; the original assigned xargv = 0 instead, which
     * left uninitialised malloc'd memory in the final slot */
    *xargv = 0;

    execv(prog,nargv);

    return 1;   /* only reached if the exec failed */
}

---------

onto the next adventure!
hedge
----------
"That's Unix Engineers .. not Eunuchs Engineers"
"um .. someone cancel the nurse .."
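For reference, what the -L switch the wrappers above force actually turns off: the Solaris ping(1M) man page describes -L as turning off loopback of multicast packets, and the socket-level control behind that is the IP_MULTICAST_LOOP option. The program below is an added example, not code from Jon's post or from Sun; it toggles the option on an ordinary UDP socket (which needs no privilege, unlike the raw ICMP socket ping itself opens) so it can be run anywhere, and the function names get_multicast_loop, set_multicast_loop and open_nonloop_socket are its own. It does not reproduce the panic; it only shows the setting that keeps the sender's own multicast datagrams from being delivered back to local group members such as the loopback interface.

```c
/* Added example (not code from the post): the IP_MULTICAST_LOOP socket
 * option, the mechanism behind "turn off loopback of multicast packets",
 * which is what ping's -L switch is documented to do. A UDP socket is
 * used so no privilege is required. */
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdio.h>

/* Read back the current loopback setting: 1 (deliver our own multicast
 * datagrams locally), 0 (do not), or -1 on error. */
int get_multicast_loop(int fd)
{
    int val = -1;
    socklen_t len = sizeof(val);
    if (getsockopt(fd, IPPROTO_IP, IP_MULTICAST_LOOP, &val, &len) < 0)
        return -1;
    /* some stacks return a single byte rather than an int; the value
     * is in the low byte either way */
    return val & 0xff;
}

/* The -L equivalent when enable is 0: stop the kernel from handing a copy
 * of our multicast packets to local members of the group (224.0.0.1
 * includes the loopback interface). Returns 0 on success, -1 on error. */
int set_multicast_loop(int fd, int enable)
{
    unsigned char loop = enable ? 1 : 0;   /* u_char is the portable type */
    return setsockopt(fd, IPPROTO_IP, IP_MULTICAST_LOOP, &loop, sizeof(loop));
}

/* Open a UDP socket with multicast loopback already disabled.
 * Returns the descriptor, or -1 if the socket or the option failed. */
int open_nonloop_socket(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (set_multicast_loop(fd, 0) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) {
        perror("socket");
        return 1;
    }
    printf("default multicast loopback: %d\n", get_multicast_loop(fd));
    if (set_multicast_loop(fd, 0) < 0)
        perror("setsockopt(IP_MULTICAST_LOOP)");
    printf("after the -L equivalent:    %d\n", get_multicast_loop(fd));
    close(fd);
    return 0;
}
```

On Linux and the BSDs the default is 1, so the program prints 1 and then 0; the same option name exists on Solaris, where the loopback delivery is what triggered the reply from the NULL ill_rq queue in Sun's description.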