DEPARTMENT OF ENERGY
INFORMATION SECURITY RESOURCE CENTER
PACIFIC NORTHWEST NATIONAL LABORATORY

ADVISORY NOTICE No. 3

October 31, 1996

"PING" EXPLOITATION


BACKGROUND INFORMATION

The ISRC continues to monitor publicly available messages originating from computer underground sources and has uncovered a potentially malicious use of the "ping" tool which may result in denial of service attacks or loss of data. Ping is a standard tool on a wide spectrum of operating systems, so the technique applies across all of them.

The information below was extracted from "The Ping o' Death Page" located at <http://www.sophist.demon.co.uk/ping/>, which apparently originates from the United Kingdom.


DETAILS: PING INTERNET CONTROL MESSAGE PROTOCOL (ICMP ECHO)

The "ping" command was developed as a system administration tool to test Internet Protocol (IP) connectivity to a particular host. ICMP (Internet Control Message Protocol) is the protocol responsible for detecting network error conditions and reporting them. Ping sends an ICMP ECHO request datagram to the specified host and expects an ICMP ECHO reply in return. An IP packet, per RFC 791, may be at most 65535 octets long including its header, which is typically 20 octets (an octet is the international term for byte) if no IP options are specified. IP packets larger than the maximum the underlying link can carry (the MTU) are fragmented into smaller packets, which are then reassembled by the receiver. The ICMP ECHO request "lives" inside the IP packet: eight octets of ICMP header followed by the number of data octets asked for on the "ping" command line. Therefore the maximum allowable size of the data area is 65535 - 20 - 8 = 65507 octets.

It is nonetheless possible to send an echo packet carrying more than 65507 octets of data because of the way fragmentation is performed. Each fragment carries an offset field that tells the receiver where that fragment's payload goes upon reassembly; the field counts 8-octet units, so it can express offsets up to 65528 octets. Nothing on the wire prevents the last fragment from combining a valid offset with a length such that offset plus length exceeds 65535. Since typical machines don't process the packet until they have received all fragments and have tried to reassemble it, the oversized result can overflow 16-bit internal variables (and, with them, the reassembly buffer sized from those variables), leading to system crashes, reboots, or kernel dumps.
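The arithmetic described in the two paragraphs above, as an added example that is not part of the original advisory or of the Ping o' Death page. It models a hypothetical receiver, not any vendor's IP stack: the Ethernet MTU of 1500, the fragment layout, and the 16-bit length in the vulnerable path are assumptions chosen to show how a 65510-octet ping ends up 3 octets past the IP limit while a 65507-octet ping lands exactly on it.

```c
/* Added model of the fragment arithmetic behind the Ping o' Death.
 * Illustrative code (hypothetical receiver), not any vendor's IP stack. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_MAX_LEN    65535u   /* largest IP datagram, header included (RFC 791) */
#define IP_HDR_LEN    20u      /* IP header without options */
#define ICMP_HDR_LEN  8u       /* ICMP echo header */
#define MAX_ECHO_DATA (IP_MAX_LEN - IP_HDR_LEN - ICMP_HDR_LEN)   /* 65507 */

/* A fragment as the reassembling host sees it. The wire offset field is in
 * 8-octet units, so `offset` (in octets) is always a multiple of 8. */
struct frag {
    uint32_t offset;   /* where this fragment's payload lands in the datagram */
    uint32_t len;      /* payload octets carried by this fragment */
};

/* Last fragment a sender emits for an echo request carrying `data` payload
 * octets over a link whose MTU is `mtu` (assumed 1500 below). Every fragment
 * but the last carries the largest 8-octet multiple that fits after the IP
 * header. */
struct frag last_fragment(uint32_t data, uint32_t mtu)
{
    uint32_t payload  = data + ICMP_HDR_LEN;        /* IP payload octets */
    uint32_t per_frag = (mtu - IP_HDR_LEN) & ~7u;   /* 1480 for Ethernet */
    uint32_t full     = payload / per_frag;
    uint32_t rem      = payload % per_frag;
    struct frag last;

    if (rem == 0) {
        last.offset = (full - 1) * per_frag;
        last.len    = per_frag;
    } else {
        last.offset = full * per_frag;
        last.len    = rem;
    }
    return last;
}

/* Vulnerable receiver: the reassembled datagram length is kept in 16 bits,
 * like the IP total-length field, so a last fragment whose end passes 65535
 * wraps to a tiny value. A stack that sizes its reassembly buffer from this
 * number copies tens of kilobytes into a buffer meant for a few. */
uint16_t total_len_vulnerable(const struct frag *last)
{
    uint16_t end = (uint16_t)(last->offset + last->len);
    return (uint16_t)(IP_HDR_LEN + end);           /* wraps above 65535 */
}

/* Hardened receiver: do the arithmetic in 32 bits and drop the datagram
 * when any fragment's end, plus the IP header, would exceed IP_MAX_LEN. */
bool frag_is_legal(const struct frag *f)
{
    uint32_t end = f->offset + f->len;
    return end + IP_HDR_LEN <= IP_MAX_LEN;
}

int main(void)
{
    /* 65507 is the largest legal ping; 65510 is the size used in the
     * validation below; 65528 is the largest offset the wire field allows. */
    uint32_t sizes[] = { MAX_ECHO_DATA, 65510u, 65528u };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        struct frag last = last_fragment(sizes[i], 1500u);
        printf("ping data %5u: last fragment offset %5u len %4u -> "
               "16-bit total length %5u, legal: %s\n",
               (unsigned)sizes[i], (unsigned)last.offset, (unsigned)last.len,
               (unsigned)total_len_vulnerable(&last),
               frag_is_legal(&last) ? "yes" : "no");
    }
    return 0;
}
```

For the 65510-octet case the last fragment sits at offset 65120 with 398 octets, so its end is 65518 and the datagram would be 65538 octets: the 16-bit total wraps to 2 while the hardened check rejects it. The same check applied to each arriving fragment, before any copying, is the shape of the fix the patched systems in the attachment received.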


VALIDATION EFFORTS

Members of the ISRC staff, in collaboration with a Senior Research Engineer with expertise in a wide range of operating systems and platforms, conducted a credibility analysis of the identified weakness. From a PC running Windows 95 Plus, a datagram containing 65510 data octets (on Windows 95 this is "ping -l 65510 <target>"; with the 8-octet ICMP header and 20-octet IP header it totals 65538 octets, three more than IP allows) was sent to an HP system running HP-UX 10.01. The ping caused the HP system to "crash" (reboot and run a system files check). Any unsaved data being processed at the time of the "crash" would have been lost. Although a single "crash" causes only a temporary shutdown of the operating system, an attacker could ping a targeted system continually, resulting in a denial of service attack. In addition, a targeted system could in theory be induced to "crash" at a predetermined critical point.

Another datagram containing 65510 octets was sent from an Apple PowerMac running SoftWindows 95 to a targeted PowerMac running MacOS 7.5.5. The ping caused the screen saver to display a default message and locked the computer up, requiring a "cold reboot".

No further systems were attacked. However, indications contained in the information extracted from "The Ping o' Death Page" (see attached) suggested similar attacks could be launched against a wide array of firmware, printers, and even routers.


POSSIBLE IMPACT

Ping is a standard tool on every platform, and the technique for misusing it is publicly available over the Internet, which means it is accessible to a wide number of potential malevolent users. The Internet site contained information about a wide variety of operating systems and computer platforms. Not only can individual systems be induced to crash (resulting in system downtime, data loss, denial of service, etc., as noted above), but it appears that routers too may be targeted. In the latter case, entire networks could potentially be attacked. DOE users of the systems identified in this advisory should be aware of the vulnerabilities.


RECOMMENDED ACTION

That this information be coordinated with the Computer Incident Advisory Capability (CIAC) for further detailed analysis and determination of impact across the DOE complex.

"PING" EXPLOITATION Attachment

VULNERABLE OPERATING SYSTEMS WITHOUT PATCHES

Operating system                    Version                      Symptoms                              Comments
Solaris (x86)                       2.4, 2.5                     Reboot                                No fix yet, although Sun is working on it.
Minix                               1.7.4 and probably others    Crash                                 No fix yet.
HP-UX                               10.10, 10.20                 Kernel panic, machine hangs           No fix yet.
HP-UX                               10.01                        Mixed reports                         One person said it was stable, but most crash.
HP-UX                               9.05                         Reboots                               No fix yet.
HP-UX                               9.0, 9.04                    Mixed reports                         Only two reports for each: one crashed, the other saw no effect.
OpenVMS                             6.2                          Mixed reports                         Using UCX TCP/IP (not MultiNet). Two people have caused a reboot; another can't reproduce this.
NetBSD (x86)                        1.1                          Crash                                 No fix yet.
Convex OS                           11.5                         Crash                                 No fix yet.
NeXTStep                            various                      Platform dependent
AOS                                 ?                            Crash                                 Apparently vulnerable to 32768-byte packets too.
Apple PowerMac MacOS                7.5.2, 7.5.3, 7.5.5          Crash
Windows 3.11 with Trumpet Winsock   ?                            Mixed reports                         One person had no problems; another got network errors and lost the network connection.

VULNERABLE OPERATING SYSTEMS WITH PATCHES

Operating system                    Version                      Symptoms                              Comments
AIX                                 3 and 4                      Operating system dump                 Patch available! The patch for 3.2.5 has been around for a while, so it may already be applied to your system.
DEC Unix/OSF1                       3.0 and above                Kernel panic                          Patch available!
Linux                               <= 2.0.23                    Spontaneous reboot or kernel panic    Patch available!
Linux                               1.2.13                       Reboot, hang, or no effect            Patch available!

OPERATING SYSTEMS WHICH POSSIBLY COULD BE VULNERABLE

Operating system                    Version                      Symptoms                              Comments
Irix                                5.3                          Mixed reports                         Most people have had no problem, but one had a crash.
OS/2 Warp                           ?                            Mixed results                         One person had no problem; another had to do a hard reset.
Windows NT                          3.5.1                        Mixed results                         Someone crashed an NT machine with this. It was reportedly under load at the time of the crash. Others have had no problems.

SAFE OPERATING SYSTEMS

Operating system                                  Version
Ultrix                                            4.2a, 4.4, 4.5
Solaris (Sparc)                                   2.4, 2.5, 2.5.1
MVS mainframe with TCP/IP stack from Interlink    4.1
FreeBSD                                           2.0.5, 2.1.0, 2.1.5, 2.1
BSDI/OS                                           4.2, 5
SCO OpenDesktop                                   3.2
DRS/NX (Sparc)                                    7MPlus.9.8
UnixWare                                          1.1
SunOS                                             4.1.x
Olivetti SVR4                                     2.4.1
NCR Worldmark running MP-RAS SVR4                 3.0
DG/UX                                             5.4
Irix                                              6.2
LynxOS                                            2.3.0
Novell                                            ?
Windows 3.11 with NCSA Telnet stack               ?
Windows '95                                       ?
Windows NT                                        4.0
OS/2 (Merlin)                                     4.0
HP J2410                                          ?

VULNERABLE FIRMWARE

System                               Version       Symptoms    Comments
Ascend Pipeline 130 Router           4.6Ci12       Reboot      No fix yet. This reportedly crashed while routing packets, not being pinged itself!!
Ascend P50 Router                    ?             Reboot      Same problem as the Pipeline 130. Version 4.6Cp8 apparently seems immune, so the problem may be restricted to earlier versions of the software.
Atlantic Powerhub (router/bridge)    ?             Reboot      When given a broadcast ping of 32000 bytes or greater.
HP LaserJet III, IV                  ?             Crash       Crashes with "80 Service (01E0)"; it had to be physically turned off and on again.
HP LaserJet V                        ?             Crash       An improvement over the LaserJet III: it prints a diagnostic sheet first, then dies.
Sun X Terminals                      ?             Panic       A packet of 50000 bytes will set this off.
NCD X Terminals                      3.3.2, 4.0    Panic       A packet of 32750 bytes will set this off.
HDS Viewstations                     ?             Crash       No fix yet.

VULNERABLE FIRMWARE WITH PATCHES

System                               Version       Symptoms    Comments
NetBlazer 40i                        3.2           Lockup      Locks up completely; have to hard-reset. Emergency patch available!

SAFE FIRMWARE

System                               Version
Ascend Max 4000                      ?
NetBlazer SP                         3.0 patch 9
NetBlazer Classic                    2.3 patch 13
3Com LANplex & AccessBuilder         ?
3Com LinkBuilder FMS/II              Flash 3.11, PROM 1.01
Cisco Terminal Server                ?
Xyplex TS/720                        V6.0.1S41, ROM 460003
Cisco 7500, 2501, 4000, AGS+         ?
Livingston Portmaster                ?
IBM 6611 router                      ?
Retix 7000 router                    ?
Shiva FastPath V                     KStart code version 9.2

Last Updated October 2001