Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death.
Ping of Death (CVE-1999-0128) is a classic denial-of-service (DoS) vulnerability that can crash vulnerable systems by sending malformed ICMP packets. This attack leverages the improper handling of oversized ICMP packets, leading to a buffer overflow or other memory corruption issues, ultimately causing a system crash or instability.
Step 1: Packet Crafting: The attacker crafts an ICMP echo request (ping) packet whose payload is deliberately oversized, so that the whole packet exceeds the maximum IP datagram size of 65,535 bytes, a limit no legitimate ICMP packet can exceed.
Step 2: Packet Delivery: The crafted ICMP packet is sent to the target system's IP address.
Step 3: Packet Reception: The target system receives the oversized ICMP packet.
Step 4: Processing Error: The target system's network stack attempts to process the oversized packet. Because the packet's size is never validated against the maximum, the stack allocates memory for it as though it were a legal packet and continues processing.
Step 5: Buffer Overflow/Memory Corruption: The system either attempts to allocate an insufficient buffer, or the processing logic fails to handle the oversized packet correctly. This leads to a buffer overflow or other memory corruption.
Step 6: System Crash/Unresponsiveness: The memory corruption corrupts critical system data or code, leading to a system crash, kernel panic, or complete unresponsiveness, effectively causing a denial-of-service (DoS).
Root Cause: The vulnerability stems from missing input validation and error handling in the network stack of affected operating systems: the network driver or ICMP processing code does not check an incoming echo request's size against the maximum allowed (typically 65,535 bytes, including the IP header) before processing it. A system that receives a larger packet may allocate too little memory for it, and copying the packet into that buffer overflows it and overwrites adjacent memory. The overflow can corrupt critical memory regions, crashing the system or leaving it unresponsive, and in principle could be steered toward arbitrary code execution, though that is uncommon with Ping of Death. Because no error-handling path rejects the oversized packet gracefully, the stack crashes instead of dropping it.
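The missing size check described above, as an added C example that is not code from any affected operating system: an oversize datagram can only reach a host as IP fragments, so the check is applied to each fragment's offset and length as it arrives, before any reassembly buffer is sized or filled. The fragment structure and function names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define IP_MAX_DATAGRAM 65535U  /* 16-bit Total Length field, RFC 791 */
#define IP_HDR_MIN_LEN  20U

/* An IPv4 fragment as parsed from its header (constructed for this example). */
struct ip_fragment {
    uint16_t offset_units;   /* 13-bit Fragment Offset, in 8-byte units */
    uint16_t payload_len;    /* data bytes following the IP header */
    bool     more_fragments; /* MF flag: set on every fragment but the last */
};

/* Byte range the fragment covers in the reassembled payload: [start, end). */
static uint32_t frag_start(const struct ip_fragment *f) {
    return (uint32_t)f->offset_units * 8U;
}
static uint32_t frag_end(const struct ip_fragment *f) {
    return frag_start(f) + f->payload_len;
}

/* The check the vulnerable stacks lacked: reject any fragment whose last
 * byte, plus the IP header, would push the reassembled datagram past
 * 65,535 bytes. Applying it per fragment means no buffer is ever sized
 * or written from an attacker-controlled total, so the datagram is
 * dropped instead of overflowing the reassembly buffer. */
bool fragment_in_bounds(const struct ip_fragment *f) {
    return frag_end(f) + IP_HDR_MIN_LEN <= IP_MAX_DATAGRAM;
}

/* Walks a fragment set as a reassembly queue would and returns the payload
 * length of the complete datagram, or -1 if any fragment is out of bounds
 * or the set is incomplete. Fragments are expected in offset order with
 * the final one carrying MF=0. */
long reassembled_payload_len(const struct ip_fragment *frags, size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (!fragment_in_bounds(&frags[i]))
            return -1;                       /* drop the whole datagram */
        if (frag_end(&frags[i]) > total)
            total = frag_end(&frags[i]);
    }
    return (n > 0 && !frags[n - 1].more_fragments) ? (long)total : -1;
}
```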