
Microsoft Patches 1990s-Era 'Ping of Death' 128

CWmike writes "Microsoft on Tuesday issued 13 security updates that patched 22 vulnerabilities in Internet Explorer, Windows, Office and other software, including one that harked back two decades to something dubbed 'Ping of Death.' While other patched vulnerabilities were more serious, one marked 'CVE-2011-1871' brought back memories for nCircle's Andrew Storms. 'This looks like the Ping of Death from the early-to-mid 1990s,' he said. 'Then, when a specially-crafted ping request was sent to a host, it caused the Windows PC to blue screen, and then reboot.' Two decades ago, the Ping of Death (YouTube video demonstration) was used to bring down Windows PCs remotely, often as a way to show the instability of the operating system."
This discussion has been archived. No new comments can be posted.

  • by adolf ( 21054 ) <flodadolf@gmail.com> on Wednesday August 10, 2011 @01:18AM (#37040746) Journal

    I remember a few variations.

    One, of course, was ping -f from a sufficiently fast pipe (or just an equally-slow pipe with better buffer management). I had a custom REXX script under OS/2 which took a username as input, and would finger each of the terminal servers of a local ISP, derive the IP address of that user, then issue a ping -f for that particular dialup user.

    It would cause their PPP sessions to time out, at which point they'd disconnect. And it was fun, because I actually knew the people who I was disconnecting.

    Tougher (or farther) targets at other hosts would get a ping -f from a blistering-fast (hah!) shared FreeBSD machine with a T1 connection. If -f didn't do it alone, increasing the packet size always did. Sometimes, it seemed that different packet sizes (not just larger ones) would make it happen sooner.

    Around the same time, it was discovered (not by me) that sending an ICMP ping packet containing "+++ATH0" would instantly disconnect any user with a cheap modem by very neatly instructing their modem to do exactly that.

    This worked because Hayes (rest their souls) had a patent on requiring a one second delay between +++ (aka "enter command mode") and any subsequent commands (ATH0 hangs up the modem). Makers of cheap modems wanted to pay as few royalties as possible, and they got their wish.

    On most premium modems, or most old modems, it wasn't a problem, since it was required to have a delay between "+++" and any other command. But during the early winmodem days, it was a blast: Those cheap modems instantly dropped to command mode, and immediately executed anything after that.

    You tell it to hang up, and that's just what it does.

    It wasn't even really necessary to use ATH0, either: any old AT command would work, and would leave the modem in command mode instead of data mode. +++ATLM2L3, for instance, would result in a lot of noise from the modem speaker until their session timed out...

    The ATH0 trick could be accomplished with IRCII using /ctcp [target] PING +++ATH0 or more generally with ping -p 2B2B2B41544829 [target IP or hostname] from a suitable *nix host.

    It was fun being a kid back then, with OS-agnostic ways to be annoying. (I've grown up just slightly since then...)
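
The guard-time behaviour described in the comment above, as an added example that is not part of the original comment: a toy model of a modem's escape detection, showing why in-band data containing "+++ATH0" is acted on only when the silence check is missing. The function names, the chunk format and the sample traffic are constructed for illustration and are not real modem firmware.

```python
GUARD_TIME = 1.0  # seconds of silence required before and after "+++"


def parse_at_lines(data):
    """Return the CR-terminated lines in data that look like AT commands."""
    lines = data.replace(b"\n", b"\r").split(b"\r")
    return [ln.decode("ascii", "replace") for ln in lines
            if ln.upper().startswith(b"AT")]


def run_modem(chunks, enforce_guard_time):
    """Return the AT commands the modelled modem would execute.

    chunks: list of (arrival_time_seconds, bytes) written by the host
    while the modem starts in data mode. Simplification: an escape
    sequence split across two chunks is not modelled.
    """
    executed = []
    command_mode = False
    prev_t = float("-inf")  # line is treated as idle before the first chunk
    for i, (t, data) in enumerate(chunks):
        if command_mode:
            executed += parse_at_lines(data)
        elif enforce_guard_time:
            # "+++" counts only when it arrives alone, framed by silence.
            next_t = chunks[i + 1][0] if i + 1 < len(chunks) else float("inf")
            if (data == b"+++" and t - prev_t >= GUARD_TIME
                    and next_t - t >= GUARD_TIME):
                command_mode = True
        else:
            # No guard time: "+++" anywhere in the data stream escapes,
            # and whatever follows is parsed as a command immediately.
            pos = data.find(b"+++")
            if pos != -1:
                command_mode = True
                executed += parse_at_lines(data[pos + 3:])
        prev_t = t
    return executed


# Constructed traffic: ordinary data with the string embedded in-band.
IN_BAND = [(0.00, b"GET / HTTP/1.0\r\n"),
           (0.05, b"echo-reply:+++ATH0\r"),
           (0.10, b"more data")]
# Constructed traffic: a local user escaping on purpose, with pauses.
DELIBERATE = [(0.0, b"data"), (2.0, b"+++"), (3.5, b"ATH0\r")]

if __name__ == "__main__":
    print("no guard time:", run_modem(IN_BAND, enforce_guard_time=False))
    print("guard time:   ", run_modem(IN_BAND, enforce_guard_time=True))
    print("deliberate:   ", run_modem(DELIBERATE, enforce_guard_time=True))
```

On affected modems the host-side mitigation was to disable the escape character by setting register S2 to a value above 127 (for example `ATS2=255`).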

  • Re:Didnt bluescreen (Score:4, Interesting)

    by devphaeton ( 695736 ) on Wednesday August 10, 2011 @01:57AM (#37040882)

    God damn the dial-up days were wild sometimes.

    Fugganaye right. I shouldn't admit any of this, but I was into scrolling chat rooms* back in the mid-late 90s and it was the fucking Wild West. Winnukes and Portfloods for days and days. Javascript exploits and whatnot. People getting pWn3d for no good reason. You had to be patched and armed just to stay in the joint.

    There was a guy that flexed his hax0r muscle at everyone, but especially gave me shit. Seriously unprovoked bullshit, following me from room to room, then later site to site. I could write a book on this, but basically through some elaborate social engineering of several people (including his school) I was able to determine his home address. I bribed a high school friend of mine who was going to a school in the next city over to go take a picture "of the white house at this address" and send it to me. Some low-tech scanning practices and some floppy disk work at a local Staples ensued.

    The next time he fucked with me I posted the pic of his house in the chat room. I wish I had logged his responses, and the crying he did to my alt (the social engineering 'chick') over the next few days. He never messed with me or anyone else in the place again. It was a pretty good hack, and I dreamed guys like Kevin Poulsen would approve. But I actually felt pretty dirty afterwards.

    *hotelchat ftw!

  • Re:Didnt bluescreen (Score:4, Interesting)

    by Isaac-1 ( 233099 ) on Wednesday August 10, 2011 @03:23AM (#37041192)

    Yeah, the wild west days, I remember hanging around on IRC on #userfriendly where much of the crowd were of the IT types working in the .com boom which was very wild west itself. One night one of the regulars posted a message that she was on dial up and was being ping flooded by some guy with a cable modem, and asked someone to ping flood the guy off the net so she could upload an important file before it was due in a few minutes. Well the moments afterward were one of those things where you look back and think, hey maybe too many people decided to unleash too much fire power at once. Sure there were those that were sitting on T1, T3, etc. lines at the time that reacted to the call within seconds, but there were also a few BIG GUNS aimed at this lowly cable modem user's IP within seconds. Think core routers from big name national ISP's, and .COM giants. When the smoke cleared a minute or two later everyone realized not only was the cable modem user in question off the net, but so was his cable provider.

  • by benjymouse ( 756774 ) on Wednesday August 10, 2011 @04:30AM (#37041454)

    Those of us who are old enough remember the "portions copyright the regents of the University of California Berkeley" (or words to that effect) that used to be part of the Windows legal declarations from 95 onward. It has been considered common knowledge that their pre-Vista TCP/IP stack was taken from BSD [wikipedia.org], as was their FTP executable [terminally...herent.com]

    The "common knowledge" here is a euphemism for myth. Back in Windows NT 3.1 (!) MS licensed a TCP/IP stack from Spider. That *may* have been based partially or entirely on the BSD stack of the time. However, as of Windows NT 3.5 and Windows 95 that stack had been replaced by Microsoft's own stack. Some of the utilities (ftp client, ping?) were still the original BSD utilities, or based on them. The network stack has not been BSD since Windows NT 3.1.

    If you're going to claim otherwise, you should offer some citations please.

    here you go: https://www.kuro5hin.org/?op=displaystory;sid=2001/6/19/05641/7357 [kuro5hin.org]

    Nope, the "from the ground up" rewrite was for Vista [slashdot.org], although they had previously partially rewritten the stack for Win 2K and for XP I believe.

    Incorrect, it had been previously rewritten for Windows NT 3.5. See above.

    But if you were paying attention back during the interminable Vista beta process, you would've remembered the noise about those old TCP/IP vulnerabilities, solved long ago, that Microsoft re-introduced with their new stack.

    Citation? or should I write

    "If you're going to claim otherwise, you should offer some citations please"

  • by Jah-Wren Ryel ( 80510 ) on Wednesday August 10, 2011 @04:45AM (#37041506)

    I am (or was, it's been 15 years) actually pretty familiar with Spider's code and it wasn't even close to the BSD stack.

    They probably lifted constants and structures inherent to TCP/IP and might have cut-n-pasted a few code snippets like checksum calculations, maybe even some higher-level stuff to emulate sockets on top of the STREAMS Transport Layer Interface. But the heart and soul of the BSD stack is the mbuf structure and that didn't exist at all anywhere in the Spider code. Not just a simple search-and-replace with a different data structure, it was an entirely different data flow because STREAMS had requirements that couldn't just be "bolted on" to the BSD stack.

    Totally sucked for me because everything I knew about BSD network internals was useless there - and everything I learned about Spider's code while on that job became practically useless the second I moved on as Sun's own STREAMS implementation in Solaris, which was basically the only mainstream use of STREAMS, had nothing to do with Spider.
