ICMP vulnerability in Windows 95 and NT 4.0
Privacy and Legal Notice
INFORMATION BULLETIN
H-78: ICMP vulnerability in Windows 95 and NT 4.0
July 7, 1997 22:00 GMT
PROBLEM: A vulnerability in the IP stack on Microsoft Windows systems
may allow a remote user to cause a networked system to freeze
if exploited (“denial of service”).
PLATFORM: Systems running Microsoft Windows 95, Windows NT 4.0
Workstation, and Windows NT 4.0 Server.
DAMAGE: If exploited, a remote user may be able to cause a
denial-of-service on a networked local machine. The machine be
made unresponsive and needs to be rebooted.
SOLUTION: Apply vendor patches described below.
VULNERABILITY Details of this exploit have been made publicly available and
ASSESSMENT: an attack can be successfully executed remotely.
Introduction
A vulnerability exists in Microsoft Windows 95 and Windows NT 4.0 Server and
Workstation operating systems that may lead to a frozen (unresponsive) system
if exploited. This denial-of-service attack occurs when a corrupt Internet
Control Message Protocol (ICMP) message is sent to a vulnerable system. A
series of packets are sent to a vulnerable system which is unable to assemble
the packets properly.
Problem
The operating system may stop responding because the IP stack is unable to
resolve the IP packet data that has incorrect offset information. Although
this exploit is similar to the Ping of Death attack that appeared earlier this
year, this attack uses ICMP instead of IP packets and is not based solely on
message size.
Solution
Microsoft has developed a local patch to updated the TCP/IP protocol stack to
correct the problem. Instructions for installing it are available from
Microsoft. CIAC recommends that you update your Emergency Repair Disk immedi-
ately.
For Windows NT 4.0 Server and Workstation:
Service Pack 3 must be installed first. Then the ICMP hotfix should be
applied. This file can be downloaded from Microsoft at:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-
postSP3/icmp-fix
Windows 95:
For Windows 95 and OSR2, this issue is resolved by the file VIP.386 version
4.0.956 (6/30/97) and later. This file is included in the self-extracting
VIPUPD.EXE file and can be downloaded from:
ftp://ftp.microsoft.com/Softlib/MSLFILES/vipupd.exe
CIAC wishes to acknowledge the contributions of Microsoft and Russ Cooper for the
information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
UCRL-MI-119788
[Privacy and Legal Notice]