[4811] in bugtraq


Re: Solaris Ping bug (DoS)

daemon@ATHENA.MIT.EDU (Philip Kizer)
Fri Jun 27 13:02:56 1997

Date: 	Thu, 26 Jun 1997 12:24:57 -0500
Reply-To: pckizer@nostrum.com
From: Philip Kizer <pckizer@NOSTRUM.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Thu, 26 Jun 1997 00:08:29 EDT." 
              <19970626000829.28333@atl.eni.net>

Adam Caldwell <adam@ATL.ENI.NET> wrote:
>I briefly searched the bugtraq archives and didn't see this one, so here's a
>way to reboot a Solaris box, and is exploitable by anyone with an account on
>the system since ping is setuid root.

For those with access, Sun seems to have Bug Id: 1226919 open on the issue.


>ping -sv -i 127.0.0.1 224.0.0.1
>
>On Solaris 2.5, causes the machine to reboot (personal experience).  I've
>had independent reports of it crashing 2.5.1, and 2.5 (x86).  It probably works
>on all versions of Solaris.
>
>To "fix" the denial of service:
>chmod go-x /usr/sbin/ping
>if you don't mind disabling Ping on your system.

In my quick testing, it seems that there is another workaround if:

  1: You do not require multicast support, and
  2: Have the opportunity to reboot your machine.

Just comment out the "route add 224.0.0.0 ..." in /etc/init.d/inetsvc and
reboot.  Even just doing the 'route delete 224.0.0.0 ...' still allowed the
panic.


_________________________________________________________ Philip Kizer ______
                                                          pckizer@nostrum.com
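
An added example, not part of the original posts: a small audit script that reports whether either workaround from this thread is in place on a host. It reads the boot script rather than the live routing table, since the reply above notes that deleting the route at runtime still allowed the panic. The function names are hypothetical, and the pattern for the route line is an assumption because the thread elides the rest of that line.

```shell
#!/bin/sh
# Added example (not from the thread): report which of the two workarounds
# discussed above are in place. Function names are hypothetical.

# Succeeds if FILE still contains an uncommented "route add ... 224.0.0.0".
# The thread elides the rest of that line, so the match is deliberately loose.
multicast_route_enabled() {
    sed 's/#.*//' "$1" |
        grep -E 'route[[:space:]]+add.*224\.0\.0\.0' >/dev/null
}

# Succeeds if group or other may still execute FILE, i.e. "chmod go-x"
# has not been applied. Parses the mode string printed by ls.
ping_runnable_by_users() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ??????[xs]???|?????????[xt]) return 0 ;;
    esac
    return 1
}

# Prints the state of both checks; returns 1 only when neither workaround
# is in place. Default paths are the ones named in the thread.
audit() {
    inetsvc=${1:-/etc/init.d/inetsvc}
    ping=${2:-/usr/sbin/ping}
    route_on=no
    ping_open=no
    if [ -f "$inetsvc" ] && multicast_route_enabled "$inetsvc"; then
        route_on=yes
    fi
    if [ -f "$ping" ] && ping_runnable_by_users "$ping"; then
        ping_open=yes
    fi
    echo "multicast route added at boot ($inetsvc): $route_on"
    echo "ping executable by group/other ($ping): $ping_open"
    if [ "$route_on" = yes ] && [ "$ping_open" = yes ]; then
        return 1
    fi
    return 0
}

# Run against the default paths only when asked to.
if [ "${1:-}" = "--run" ]; then audit; fi
```

Run it with `--run` on the host, or call `audit` with alternate paths to check a mounted image or a backup of the boot script.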
