Microsoft's Ping.exe Allows Local Users to Cause Certain Applications to Crash
SecurityTracker Alert ID: 1001255
SecurityTracker URL: http://securitytracker.com/id/1001255
Date: Apr 6 2001
Impact: Denial of service via local system
Exploit Included: Yes
Version(s): tested on Windows NT4 Workstation with Service Pack 4
The version of Ping.exe that is shipped with Windows NT and possibly other Windows operating systems contains a vulnerability that allows a local user to crash certain other services, including Outlook Express & Dial-up Networking.
It is reported that if a hostname of 112 characters or longer is used with ping, an application error will occur in RASMAN.exe. The vulnerability will apparently not be triggered if the user has made a dial-up connection since the last reboot.
Once triggered, Outlook Express and Dial-up Networking will not operate until the system is rebooted.
A local user can use the ping.exe application to cause certain local applications to crash.
No solution was available at the time of this entry.
Vendor URL: www.microsoft.com/technet/security/
Underlying OS: Windows (Any)
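The bug class this advisory describes is an over-long hostname argument copied into a fixed-size buffer without a length check. The following is an added example, not Microsoft's code and not code from the advisory: it shows that pattern beside the defender-side check that rejects such input before any copy. The buffer size in the unchecked function and the helper names are assumptions; the 112-character single-label input is constructed from the advisory's description; the 253-character name and 63-character label limits are those of RFC 1035. Note that a single label of 112 identical characters is not a syntactically valid DNS name at all, so a validator that enforces the RFC limits rejects the reported trigger outright, whatever the underlying buffer size.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Limits from RFC 1035: a name is at most 255 octets on the wire, which is
 * 253 characters in presentation form, and each label is at most 63. */
#define MAX_HOSTNAME_TEXT 253
#define MAX_LABEL 63

/* The bug class the advisory describes: an unchecked copy of a user-supplied
 * hostname into a fixed-size buffer. A name longer than the buffer overruns
 * it. Shown for contrast only; the buffer size is hypothetical, and nothing
 * in this file calls it. */
void copy_hostname_unchecked(const char *src)
{
    char buf[64];
    strcpy(buf, src);   /* no length check: the overflow is here */
    (void)buf;
}

/* Return 1 if name is a syntactically valid DNS hostname, else 0. Rejects
 * names over 253 characters, labels over 63, empty labels, characters outside
 * [A-Za-z0-9-], and labels that start or end with '-'. One trailing dot
 * (fully-qualified form) is allowed. */
int validate_hostname(const char *name)
{
    size_t total = strlen(name);
    size_t label_len = 0;

    if (total == 0 || total > MAX_HOSTNAME_TEXT)
        return 0;
    if (name[total - 1] == '.')
        total--;
    if (total == 0)
        return 0;

    for (size_t i = 0; i < total; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            /* empty label, or label ending in '-' */
            if (label_len == 0 || name[i - 1] == '-')
                return 0;
            label_len = 0;
            continue;
        }
        if (!isalnum(c) && c != '-')
            return 0;
        if (label_len == 0 && c == '-')
            return 0;
        if (++label_len > MAX_LABEL)
            return 0;
    }
    /* final label must be non-empty and must not end in '-' */
    return (label_len > 0 && name[total - 1] != '-') ? 1 : 0;
}

/* Validate, then copy with an explicit capacity check (cap includes the
 * terminating NUL). Returns 1 on success, 0 if the name was rejected or
 * would not fit. */
int safe_copy_hostname(char *dst, size_t cap, const char *src)
{
    size_t n;
    if (!validate_hostname(src))
        return 0;
    n = strlen(src);
    if (n + 1 > cap)
        return 0;
    memcpy(dst, src, n + 1);
    return 1;
}

/* Helper: fill out with count copies of ch as one label (constructed input,
 * modelled on the advisory's 112 'X' characters). */
int build_repeated_label(char *out, size_t cap, char ch, size_t count)
{
    if (count + 1 > cap)
        return 0;
    memset(out, ch, count);
    out[count] = '\0';
    return 1;
}

/* Validate a single label made of count repeated characters. */
int validate_repeated_label(char ch, size_t count)
{
    char name[512];
    if (!build_repeated_label(name, sizeof name, ch, count))
        return 0;
    return validate_hostname(name);
}

/* Try to copy a single label of count repeated characters into a
 * destination of capacity cap (cap <= 512). */
int copy_repeated_label_into(char ch, size_t count, size_t cap)
{
    char name[512], dst[512];
    if (cap > sizeof dst || !build_repeated_label(name, sizeof name, ch, count))
        return 0;
    return safe_copy_hostname(dst, cap, name);
}

int main(void)
{
    printf("112 x 'X' accepted: %d\n", validate_repeated_label('X', 112));
    printf("www.microsoft.com accepted: %d\n", validate_hostname("www.microsoft.com"));
    return 0;
}
```

The validator deliberately treats digit-only labels exactly like alphabetic ones: the advisory reports that 112 digits did not trigger the crash, but an input check should not depend on which inputs happen to reach the vulnerable code path.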
Source Message Contents
Subject: Local Bufferoverflow/Vulnerability in Ping.exe
Made in Holland
PCP/A #0009 (pr0ph)
Local Bufferoverflow/Vulnerability in Ping.exe
The version of Ping that is shipped with Windows NT (possibly works on 9x
and ME too) contains a buffer that can be overflowed which will result (once
again) in the Denial of Service of: Outlook Express & Dial-up Networking.
I discovered similar Bugs (they will have the same result as this one) in
Telnet.exe and in OE-Address Book. Look for PCP/A #0006 (Local
Bufferoverflow/Vulnerability in Telnet.exe) and PCP/A #0007 (Local
Bufferoverflow/Vulnerability in OE-Address Book) on the Vuln-Dev archives.
If you ping a hostname of 112 chars or longer (tested with "X" chars) you
will receive the following "Dr. Watson for Windows NT" error:
"An application error has occurred and an application error log is being
Exception: access violation (0xc0000005), Address: 0x00610061"
If you ping 112 or more numbers instead of letters the Bug will not get
triggered. Marius Jacobsen suggested that this might be because it's related
to the resolution of the hostname.
This bug will not get triggered if you made a dial-up connection since your
If you try to start Outlook Express or Dial-up Networking after this you will
notice that they both won't start. They won't start until you have rebooted your
system. Logging in as another user without rebooting will NOT help. Note
that if you triggered the bug you will have to reboot your system before you
will be able to trigger/reproduce it again.
This is tested on Windows NT4 Workstation with Service Pack 4.
Try it yourself and please let us know the results (if they vary from the
results mentioned above). Please mail us at:
Special_Projects@cazzz.demon.nl (The Lab)
Industrial_Strength@cazzz.demon.nl (The Exploiters)
Another fine Planet Cazzz Production. In association with The Nations Top.
We cannot be held responsible for your actions, but you can try. Made in
Holland. PCP/A #0009 (pr0ph)
We want to say hell0 to all the Crackers, the Hackers and the Phreax. We
want to say hell0 to all the people in this place. We want to say hell0 to
all the Sinners and 31337. We say hell0 to all the people in the world...
[this will be the last bug in this "series" that I mention on this list,
there are probably more ways to trigger this bug, but I consider it
-No Strezzz Cazzz, Powered By UN0X
Vengeance is here, it's time to resurrect. Anger without ph34r: The Bulld0zer