COMMAND

    ping

SYSTEMS AFFECTED

    Solaris 2.3, 2.4, 2.5, 2.5.1, 2.6-beta2, 2.5 (x86)

PROBLEM

    The following is a kind of DoS.  It is a way to reboot a Solaris
    box, and it is exploitable by anyone with an account on the
    system, since ping is setuid root.

        ping -sv -i 127.0.0.1 224.0.0.1

    On Solaris 2.5, this causes the machine to reboot.  There are
    also independent reports of it crashing 2.5.1 and 2.5 (x86).  It
    probably works on all versions of Solaris.  Credit goes to Adam
    Caldwell.

SOLUTION

    The latest version of Solaris 2.6 has been fixed, and SunOS
    4.1.3_U1 and 4.1.4 are not affected.

    Patches are:

        OS version      Patch ID
        __________      ________
        SunOS 5.5.1     103630-09
        SunOS 5.5.1_x86 103631-09
        SunOS 5.5       103169-12
        SunOS 5.5_x86   103170-12
        SunOS 5.4       101945-52   (to be released)
        SunOS 5.4_x86   101946-46   (to be released)
        SunOS 5.3       101318-89   (to be released)

    and can be obtained from:

        ftp://sunsolve1.sun.com/pub/patches
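
    As an added example (not part of the original advisory or of Sun's
    tooling), the POSIX shell function below checks a patch listing
    against the table above.  It assumes input lines of the form
    "Patch: <id>-<rev> ..." as printed by showrev -p; the function
    names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the fixed patch
# revision from the advisory's table appears in `showrev -p`-style output.
# Assumes a POSIX shell (on Solaris, /usr/xpg4/bin/sh or ksh).

# Minimum fixed revision per OS version, copied from the advisory's table.
min_patch_for() {
    case "$1" in
        5.5.1)     echo 103630-09 ;;
        5.5.1_x86) echo 103631-09 ;;
        5.5)       echo 103169-12 ;;
        5.5_x86)   echo 103170-12 ;;
        5.4)       echo 101945-52 ;;
        5.4_x86)   echo 101946-46 ;;
        5.3)       echo 101318-89 ;;
        *)         return 1 ;;
    esac
}

# Usage: showrev -p | ping_patch_status OSVERSION
# Prints patched (returns 0), vulnerable (1) or unknown (2).
ping_patch_status() {
    want=`min_patch_for "$1"` || { echo unknown; return 2; }
    base=${want%-*}
    minrev=${want#*-}
    best=-1
    while read tag id rest; do
        [ "$tag" = "Patch:" ] || continue
        # Only consider revisions of the patch that carries the fix.
        case "$id" in "$base"-*) rev=${id#"$base"-} ;; *) continue ;; esac
        case "$rev" in ''|*[!0-9]*) continue ;; esac   # skip malformed IDs
        if [ "$rev" -gt "$best" ]; then best=$rev; fi
    done
    if [ "$best" -ge "$minrev" ]; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# Constructed sample listing for a SunOS 5.5.1 host (not real output;
# 999999-01 is a made-up patch ID).
SAMPLE='Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 103630-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

printf '%s\n' "$SAMPLE" | ping_patch_status 5.5.1
```

    An OS version that is not in the table is reported as unknown
    rather than guessed at.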

    Mark Henderson came up with the best workaround.  Try:

        /usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0

    and add the statement to /etc/init.d/inetinit to apply the
    workaround at each reboot.  Sun has tested the workaround and
    has found no negative side effects.  Here's a script (by Brad
    Powell):

===============================cut here==================================
#!/bin/sh
# bpowell 06/21/97  generic titan wrapper for:
# add the ndd line to disable response to echo; modifies S69inet
#
# Note: none

# version 0.1
#
# setup
PATH=/usr/ucb:/bin:/usr/bin:/sbin
MYNAME=`basename "$0"`

# Check for execution by root

    if [ "`/usr/xpg4/bin/id -un`" != root ]
    then
        echo " "
        echo >&2 "$MYNAME: error: must be run as root."
        echo " "
        exit 1
    fi

#   Introduction

# cat << EOF
#
# This disables ip_respond_to_echo_broadcast so that specific ping crashes
# don't work
# The program modifies /etc/rc2.d/S69inet
#
# ndd -set /dev/ip ip_respond_to_echo_broadcast 0
# EOF

# echo press enter to continue"\c"
# read YN

# S??inet is expected to match exactly one file (S69inet)
if test -f /etc/rc2.d/S??inet
then
        echo "  Now adding the new ndd command"

        # The here-document body and its "!" terminator must start in
        # column 0: "<<-" strips leading tabs only, and space-indented
        # lines would neither end ed's append mode nor close the
        # here-document.  The new line is appended after the last line
        # matching tcp_old_urp_interpretation.
        ed - /etc/rc2.d/S??inet << !
g/tcp_old_urp_interpretation
a
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
.
w
Q
!

        echo "   Modifications to rc2.d complete"
fi
        echo "   Done."

    Other solutions are:
        - use wrapper
        - use traceroute
        - compile BSD ping