Microsoft Patches 1990s-Era 'Ping of Death'
CWmike writes "Microsoft on Tuesday issued 13 security updates that patched 22 vulnerabilities in Internet Explorer, Windows, Office and other software, including one that harked back two decades to something dubbed 'Ping of Death.' While other patched vulnerabilities were more serious, one marked 'CVE-2011-1871' brought back memories for nCircle's Andrew Storms. 'This looks like the Ping of Death from the early-to-mid 1990s,' he said. 'Then, when a specially-crafted ping request was sent to a host, it caused the Windows PC to blue screen, and then reboot.' Two decades ago, the Ping of Death (YouTube video demonstration) was used to bring down Windows PCs remotely, often as a way to show the instability of the operating system."
Just FYI, the POD doesn't affect any modern OSes. It used to bring down Windows NT (and earlier), early Linux kernels, as well as Mac OS 7 back in the day.
When I used to host LAN parties after the DoS attacks became well publicized, we'd all start out playing the game nicely, be it Warcraft II or Quake or whatnot, but when someone would feel they were wronged (how one would be wronged in a game with fairly inflexible rules I still don't understand) or were doing far worse than everyone else, they'd quit and start attacking whoever they felt deserved it.
I started running Warcraft II under MS-DOS only, using DOS networking with only IPX, so that I couldn't be knocked out, but friends who chose to run it under Windows disappeared from the game frequently.
As for Quake, if I didn't set up a dedicated server on the Linux box then I'd host it, so they'd usually leave me alone. I guess my friends were altruistic enough to not try to take the whole game down, just the player they took exception to...
Do not look into laser with remaining eye.
NO CARRIER
When the copyright term is "forever minus a day", live every day like it's the last.
I remember a few variations.
One, of course, was ping -f from a sufficiently fast pipe (or just an equally-slow pipe with better buffer management). I had a custom REXX script under OS/2 which took a username as input, and would finger each of the terminal servers of a local ISP, derive the IP address of that user, then issue a ping -f for that particular dialup user.
It would cause their PPP sessions to timeout, at which point they'd disconnect. And it was fun, because I actually knew the people who I was disconnecting.
Tougher (or farther) targets at other hosts would get a ping -f from a blistering-fast (hah!) shared FreeBSD machine with a T1 connection. If -f didn't do it alone, increasing the packet size always did. Sometimes, it seemed that different packet sizes (not just larger ones) would make it happen sooner.
Around the same time, it was discovered (not by me) that sending an ICMP ping packet containing "+++ATH0" would instantly disconnect any user with a cheap modem by very neatly instructing their modem to do exactly that.
This worked because Hayes (rest their souls) had a patent on requiring a one second delay between +++ (aka "enter command mode") and any subsequent commands (ATH0 hangs up the modem). Makers of cheap modems wanted to pay as few royalties as possible, and they got their wish.
On most premium modems, or most old modems, it wasn't a problem, since it was required to have a delay between "+++" and any other command. But during the early winmodem days, it was a blast: Those cheap modems instantly dropped to command mode, and immediately executed anything after that.
You tell it to hang up, and that's just what it does.
It wasn't even really necessary to use ATH0, either: any old AT command would work, and would leave the modem in command mode instead of data mode. +++ATLM2L3, for instance, would result in a lot of noise from the modem speaker until their session timed out...
The ATH0 trick could be accomplished with IRCII using /ctcp [target] PING +++ATH0 or more generally with ping -p 2B2B2B41544829 [target IP or hostname] from a suitable *nix host.
It was fun being a kid back then, with OS-agnostic ways to be annoying. (I've grown up just slightly since then...)
There are actually a lot of "Windows Kiddies" on IRC. Not a majority by far, but still some. I was surprised that a libSDL channel I recently got into was almost all Windows folks.
By my estimation, in my experience (freenode and efnet), most people on IRC are running some form of older-school Linux distribution, such as Debian or Slackware. There are some Ubuntu peeps but I think a lot of them use something more 'modern', i.e. skype or pidgin. I see BSD folks in my BSD channels, but they only barely edge out the Windows guys overall.
Now that USENET has gone down the shitter, I still enjoy IRC, and will continue to do so until it goes away.
do() || do_not();
It really didn't do much unless you're bombing your buddy's dialup server, and thus tying up your dialup line. I guess it could be slightly annoying if you could get a shit ton of people to do it today.
I don't know what you are talking about, but it certainly isn't the ping of death. Maybe ping flooding? I personally wrote the patch for a now long defunct unix variant which fixed the actual "Ping of Death" vulnerability.
The way it worked was to send a ping with a 65536 byte payload - technically out of spec for the ICMP protocol by about 30 bytes in length. Since it was out of spec, most IP stacks were written with the assumption that it could never happen. But when it did happen, you got a buffer overflow that would usually panic the OS immediately. At the time, almost every OS on the net was vulnerable even the guys who didn't have BSD-derived stacks like MS Windows.
So all it took was one single oversized ICMP ping to crash just about any computer on the net. Imagine being able to take down all of Google's internet presence with just a few thousand packets. Of course, at the time, there was no Google.
When information is power, privacy is freedom.
Since Windows XP SP2 (I think it was), the firewall is turned on by default (or at least it really, really encourages you to do so) and blocks ping responses; SP2 was released August 25, 2004.
God damn, the dial-up days were wild sometimes.
Fugganaye right. I shouldn't admit any of this, but I was into scrolling chat rooms* back in the mid-late 90s and it was the fucking Wild West. Winnukes and Portfloods for days and days. Javascript exploits and whatnot. People getting pWn3d for no good reason. You had to be patched and armed just to stay in the joint.
There was a guy that flexed his hax0r muscle at everyone, but especially gave me shit. Seriously unprovoked bullshit, following me from room to room, then later site to site. I could write a book on this, but basically through some elaborate social engineering of several people (including his school) I was able to determine his home address. I bribed a high school friend of mine who was going to a school in the next city over to go take a picture "of the white house at this address" and send it to me. Some low-tech scanning practices and some floppy disk work at a local Staples ensued.
The next time he fucked with me I posted the pic of his house in the chat room. I wish I had logged his responses, and the crying he did to my alt (the social engineering 'chick') over the next few days. He never messed with me or anyone else in the place again. It was a pretty good hack, and I dreamed guys like Kevin Poulsen would approve. But I actually felt pretty dirty afterwards.
*hotelchat ftw!
So all it took was one single oversized-sized icmp ping to crash just about any computer on the net. Imagine being able to take down all of google's internet presence with just a few thousand packets. Of course, at the time, there was no google.
Technically, you needn't send the whole thing. You couldn't send the whole thing, anyways, as there are limits on the size of an IP packet. You sent the packet in IP fragments. You needn't even send all of the fragments. Merely sending the last fragment, the one that overflowed the IP packet size.
Also, IIRC, it wasn't 65536. It was bigger. Maximal size was ~65506+your MTU (which was never less than 536, and was often 1500) which caused the overflow. 65536 total size is still okay (or is it 65535?)
Shachar
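Pulling the two posts above together: the overflow happens when a trailing fragment's offset plus its length lands past the 65535-byte maximum an IPv4 datagram can have. The check below is an added example, not the patch either poster wrote; it parses the fragment fields from a raw IPv4 header and flags a fragment that would overrun a reassembly buffer, using constructed headers rather than captured traffic.

```python
import struct

IPV4_MAX_DATAGRAM = 65535  # largest total length an IPv4 header can express


def parse_ipv4_fragment(header: bytes) -> dict:
    """Pull the fields a reassembler needs from a raw IPv4 header.

    Returns the header length in bytes, the total length, the More Fragments
    flag and the fragment offset converted from 8-byte units to bytes.
    """
    if len(header) < 20:
        raise ValueError("IPv4 header is at least 20 bytes")
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", header[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return {
        "ihl": (ver_ihl & 0x0F) * 4,
        "total_len": total_len,
        "more_fragments": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,
    }


def is_oversized_fragment(header: bytes) -> bool:
    """True when this fragment would push the reassembled datagram past 65535.

    This is the bounds check the old stacks skipped: they assumed offset plus
    payload always fit the reassembly buffer, so a single crafted trailing
    fragment wrote past its end and panicked the kernel.
    """
    f = parse_ipv4_fragment(header)
    payload_len = f["total_len"] - f["ihl"]
    return f["offset"] + payload_len > IPV4_MAX_DATAGRAM


def make_header(total_len: int, offset_bytes: int, more: bool) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed test input, not a capture)."""
    flags_frag = (0x2000 if more else 0) | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag,
                       64, 1, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")


# Constructed samples: a legal last fragment vs. one that overruns the buffer.
NORMAL_LAST = make_header(20 + 63, 65472, more=False)     # ends exactly at 65535
OVERSIZED_LAST = make_header(20 + 100, 65472, more=False)  # ends at 65572
```

A reassembler that applies this check drops the fragment (and ideally the whole partial datagram) instead of copying it, which is all the historical fix amounted to.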
It would make more sense if you provided context for your quote
Storms said it appeared that today's "Ping of Death" bug was a different vulnerability than Microsoft patched in its now-ancient OSes of the 1990s.
The bug exists in Windows Vista, Server 2008, Windows 7 and Server 2008 R2, Microsoft said, but not in Windows XP or Server 2003.
at 127.0.0.1 they'll find out it's armored beyond anything they can come up with
Yeah, the wild west days. I remember hanging around on IRC on #userfriendly where much of the crowd were of the IT types working in the .com boom, which was very wild west itself. One night one of the regulars posted a message that she was on dial up and was being ping flooded by some guy with a cable modem, and asked someone to ping flood the guy off the net so she could upload an important file before it was due in a few minutes. Well, the moments afterward were one of those things where you look back and think, hey, maybe too many people decided to unleash too much fire power at once. Sure, there were those that were sitting on T1, T3, etc. lines at the time that reacted to the call within seconds, but there were also a few BIG GUNS aimed at this lowly cable modem user's IP within seconds. Think core routers from big name national ISPs, and .COM giants. When the smoke cleared a minute or two later everyone realized not only was the cable modem user in question off the net, but so was his cable provider.
That is stupid. Any IP host should respond to a ping. It's one way of testing if everything is working. Disabling ping just because your IP stack is buggy is security through obscurity. ICMP has to be implemented according to standard.
Custom electronics and digital signage for your business: www.evcircuits.com
Pingflooding dialup users was like shooting ducks in a barrel.
Personally, I loved messing with my friends by echoing TTY control codes into their (heh) world-writable dev/tty file. If you wanted to be a dick, you could just pipe a binary file into it, which basically made their session unusable, but it was much more fun to change their font or temporarily blank their screen.
Xwindows games were fun, too. Very little security back in the day meant you could play audio files to come out of their speakers (always fun to play embarrassing songs when they're near other people) or launch xv with a photo of Mike Tyson biting off an ear when they're chatting up a girl. Xscreensaver was always fun to launch, too, on someone else's session.