Subject: Re: Microsoft Security Bulletin (MS00-054)
From: Jacek Lipkowski (sq5bpf ROCK.ANDRA.COM.PL)
Date: Mon Aug 14 2000 - 11:31:30 CDT
regarding the "Malformed IPX Ping Packet" Vulnerability:
- it would be nice if Microsoft provided some credit to the author (me ;),
and a link to where the relevant information was posted, see:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-01&msg=Pine.LNX.4.10.10006021758390.16250-200000
rock.andra.com.pl
or search for the subject 'ipx storm' on bugtraq
- it should also be noted, that other ipx stacks may be vulnerable,
netware (3.x and 4.x tested) for example happily replies to these packets
(and jumps to high cpu utilisation), as do probably other ipx-enabled
devices (anybody have any print servers to test?), i've seen some windows
nt servers respond to these packets (but not all - i can't reproduce this
at work). as to why this is an issue, see the next point:
- in the faq that Microsoft provided, it is stated:
> How long would the broadcast storm last?
>
> It would be brief first of all, because the responses wouldn't trigger
> any additional responses, and second because each affected machine
> would fail after seeing its response.
it doesn't have to last for a short time, set the source address to a
netware server (or any other machine that answers ipx pings, and won't
hang when it gets them), and the destination to broadcast, send the
packet, and now you have a relatively long lasting broadcast storm
(several minutes). the windows machines won't die, because they don't have
to respond to their own packets.
jacek