Re: New M$ bug being exploited

Jeff Woods ( jeff@delta.com )
Tue, 01 Jul 1997 09:37:06 -0400

Of more vital concern to me than the SSPING threat is the threat hidden on
a subpage of the one mentioned, as follows:

There were a few things I thought I might mention after reading your bit on
Microsoft coding to RFCs and FYIs and in regard to SSPING. These ping
problems as you know have been around for a while ranging from the ping of
death to the newer SSPING but I have not seen mention of another exploit
found about a year ago with ping.

And from memory this one sits right in the middle of SSPING and Ping Of
Death. Around the 643?? mark as I said this is from memory but I can look
it up for you or you can read it yourself. One of the Phrack authors had
been playing with ping slowly working his way up the scale in size and
fragmentation when he noticed that pinging a Wintel machine with a packet
in size between the other two returned the victims login name and password.
Using a hex editor { I used Xtree Gold } to look at the debug contents of
the returned packet you can in the ASCII column as plain as day actually see
the users login name and password. Why ICMP stores that info in its buffers
or indeed if that's where it comes from is beyond me and I have not had time
yet to look into it. But the exploit was originally found to work only on
certain stacks. I set up another machine here and tried numerous stacks
including the DUN that comes with NT/Win95 and plus pack all with success.

-30-

This could be VERY ugly -- NOTHING would be password secure on Wintel
machines.

Microsoft's site is down yet again today (likely a victim of SSPING) so I
was unable to contact them with this information. I'll be saving it,
though, as I think this one, if true, may be the WORST security hole ever
found in Mickeysoft's OS's, and it's only hidden as an addendum in a side
page of the discoverer of SSPING!

At 08:46 PM 6/30/97 -0500, you wrote:

>Check out:
>
>http://www.darkening.com/ssping/