COMMAND

    IPX/SPX

SYSTEMS AFFECTED

    Win9x

PROBLEM

    The following is based on a Security  Bulletin from the Microsoft.
    The Microsoft  IPX/SPX protocol  implementation (NWLink)  supports
    the IPX  Ping command via  the diagnostic port 0x456.  Because  of
    a  flaw  in  the  implementation  of  the  protocol in Windows 95,
    Windows 98 and Windows 98 Second Edition, NWLink in these  systems
    will respond to  an IPX ping  packet even when  the source network
    address has been purposely modified to a broadcast address.   This
    would give a malicious user an opportunity to launch an attack  by
    broadcasting a single  ping request -  each affected machine  that
    received the ping would respond to it, potentially resulting in  a
    broadcast storm.  In a large network, this could temporarily swamp
    the  network's  bandwidth.   In  addition,  upon  seeing  its  own
    response,  each  affected  machine  would  attempt  to process it,
    triggering  a  scenario  that  would  culminate  in  the machine's
    failure.  A  machine that failed  due to this  vulnerability could
    be put back into service by rebooting.

    IPX  is  not  installed  by  default  in  Windows 98 and 98 Second
    Edition, and is only installed  by default in Windows 95  if there
    is a  network card  present in  the machine  at installation time.
    Even when IPX is installed, a malicious user's ability to  exploit
    this  vulnerability  would  depend  on  whether he could deliver a
    Ping  packet  to  an  affected  machine.   Routers  frequently are
    configured to drop IPX packets,  and if such a router  lay between
    the malicious user  and an affected  machine, he could  not attack
    it.   Routers  on  the  Internet,  as  a  rule, do not forward IPX
    packets, and  this would  tend to  protect intranets  from outside
    attack, as well as  protecting machines connected to  the Internet
    via dial-up connections.  As discussed in the FAQ, the most likely
    scenario in which this  vulnerability could be exploited  would be
    one in which a malicious user on an intranet would attack affected
    machines on the same intranet, or one in which a malicious user on
    the Internet attacked affected machines  on on his cable modem  or
    DSL subnet.

    Exploit?  Take a look at:

        http://oliver.efri.hr/~crv/security/bugs/Others/ipx2.html

    Jacek Lipkowski found this originally.

SOLUTION

    Patch availability:

      - Microsoft Windows 95: http://download.microsoft.com/download/win95/Update/8982/W95/EN-US/265334US5.EXE
      - Microsoft Windows 98 and Windows 98 Second Edition: http://download.microsoft.com/download/win98/Update/8982/W98/EN-US/265334USA8.EXE