Microsoft Patches 1990s-Era 'Ping of Death'

CWmike writes "Microsoft on Tuesday issued 13 security updates that patched 22 vulnerabilities in Internet Explorer, Windows, Office and other software, including one that harked back two decades to something dubbed 'Ping of Death.' While other patched vulnerabilities we more serious, one marked 'CVE-2011-1871' brought back memories for nCircle's Andrew Storms. 'This looks like the Ping of Death from the early-to-mid 1990s,' he said. 'Then, when a specially-crafted ping request was sent to a host, it caused the Windows PC to blue screen, and then reboot.' Two decades ago, the Ping of Death (YouTube video demonstration) was used to bring down Windows PCs remotely, often as a way to show the instability of the operating system."

POD has long since been patched.

[atlasdropperofworlds]

Just FYI, the POD doesn't affect any modern OSes. It used to bring down Windows NT (and earlier), early linux kernels, as well as Mac OS 7 back in the day.

Re:I remember the ping of death

[adolf]

I remember a few variations.

One, of course, was ping -f from a sufficiently fast pipe (or just an equally-slow pipe with better buffer management). I had a custom REXX script under OS/2 which took a username as input, and would finger each of the terminal servers of a local ISP, derive the IP address of that user, then issue a ping -f for that particular dialup user.

It would cause their PPP sessions to timeout, at which point they'd disconnect. And it was fun, because I actually knew the people who I was disconnecting.

Tougher (or farther) targets at other hosts would get a ping -f from a blistering-fast (hah!) shared FreeBSD machine with a T1 connection. If -f didn't do it alone, increasing the packet size always did. Sometimes, it seemed that different packet sizes (not just larger ones) would make it happen sooner.

Around the same time, it was discovered (not by me) that sending an ICMP ping packet containing "+++ATH0" would instantly disconnect any user with a cheap modem by very neatly instructing their modem to do exactly that.

This worked because Hayes (rest their souls) had a patent on requiring a one second delay between +++ (aka "enter command mode") and any subsequent commands (ATH0 hangs up the modem). Makers of cheap modems wanted to pay as few royalties as possible, and they got their wish.

On most premium modems, or most old modems, it wasn't a problem, since it was required to have a delay between "+++" and any other command. But during the early winmodem days, it was a blast: Those cheap modems instantly dropped to command mode, and immediately executed anything after that.

You tell it to hang up, and that's just what it does.

It wasn't even really necessary to use ATH0, either: any old AT command would work, and would leave the modem in command mode instead of data mode. +++ATLM2L3, for instance, would result in a lot of noise from the modem speaker until their session timed out...

The ATH0 trick could be accomplished with IRCII using /ctcp [target] PING +++ATH0 or more generally with ping -p 2B2B2B41544829 [target IP or hostname] from a suitable *nix host.

It was fun being a kid back then, with OS-agnostic ways to be annoying. (I've grown up just slightly since then...)

Re:I remember the ping of death

[Jah-Wren+Ryel]

It really didn't do much unless your bombing your buddies dialup server, and thus tying up your dialup line. I guess it could be slightly annoying if you could get a shit ton of people to do it today.

I don't know what you are talking about, but it certainly isn't the ping of death. Maybe ping flooding? I personally wrote the patch for a now long defunct unix variant which fixed the actual "Ping of Death" vulnerability.

The way it worked was to send a ping with a 65536 byte payload - technically out of spec for the ICMP protocol by about 30 bytes in length. Since it was out of spec, most IP stacks were written with the assumption that it could never happen. But when it did happen, you got a buffer overflow that would usually panic the OS immediately. At the time, almost every OS on the net was vulnerable even the guys who didn't have BSD-derived stacks like MS Windows.

So all it took was one single oversized-sized icmp ping to crash just about any computer on the net. Imagine being able to take down all of google's internet presence with just a few thousand packets. Of course, at the time, there was no google.

Re:Misleading title

[guruevi]

That is stupid. Any IP host should respond to a ping. It's one way of testing if everything is working. Disabling ping just because your IP stack is buggy is security through obscurity. ICMP has to be implemented according to standard.