1

If I remember correctly there is an ICMP attack whereby you can embed malicious code and it gets read/executed, causing the problem (similar to SQL injection).

Are there any further/more dangerous attacks when the computer handling the packet can write data to the packet, rather than just reading the packet? I can only think of redirecting the packet or spoofing it....

It seems like read-vulnerabilities affect the computer handling the packet whereas write vulnerabilities affect other computers.

ewanm89
Kevin J
  • You mean a buffer overflow of the network stack encoded in the ICMP packet? Used to affect a whole load of Cisco routers making for an easy DOS attack? – ewanm89 Sep 28 '12 at 20:58
  • I think so, I remember something that ICMP has additional space within the header for an optional field and data could be embedded. I am just trying to work out if providing write access would be any more dangerous than the already-existing read access for a packet reader. Everything dangerous seems to be possible with the default read access! – Kevin J Sep 28 '12 at 21:09

2 Answers

2

I don't know of any such attack. That doesn't mean no such attack ever existed -- just that nothing pops to mind at the moment.

There are a few others that are related, which you might possibly have been thinking of:

Back in the day, the "ping of death" was a malicious ICMP packet that crashed the recipient computer, but it did not allow execution of malicious code. Cisco routers were also vulnerable to an ICMP-related denial-of-service vulnerability, but that didn't allow malicious code execution, either.

The closest example I can think of is the SQL Slammer worm. Slammer was a single-packet worm: all it took to infect a vulnerable machine was to send a single malicious UDP packet. The worm exploited a vulnerability in MS SQL Server, which accepted packets via UDP and had a buffer overflow vulnerability in the code that parsed this packet. This vulnerability did allow execution of malicious code -- but it was not over ICMP.

None of these are similar to SQL injection in any way that I can think of.

D.W.
0

I believe you are thinking of the ping of death. Essentially this was a buffer overflow that could crash a computer; however, it has been patched in most systems.

November
  • The "ping of death" does not allow malicious code injection, so it doesn't match what the original poster asked about. Yes, it has been patched long ago on all modern systems. – D.W. Sep 29 '12 at 01:44
  • You're right, my bad. I should have paid closer attention. – November Sep 29 '12 at 18:49
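
Added example, not part of either answer above: the "ping of death" is commonly documented as a fragmented datagram whose reassembled size exceeds the 65,535-byte IPv4 limit, and the fix is a bounds check before each fragment is copied into the reassembly buffer. The struct, the function names and the 20-byte header length are assumptions made for illustration, not any real stack's code.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IP_MAX_DATAGRAM 65535u   /* IPv4 total length is a 16-bit field */
#define IP_HDR_LEN 20u           /* assumption: header without options */

/* Constructed, simplified view of one fragment (not a real stack's struct). */
struct frag {
    uint16_t offset_units;       /* 13-bit fragment offset, in 8-byte units */
    uint16_t payload_len;        /* bytes of data carried by this fragment */
    const uint8_t *payload;
};

/* Hypothetical reassembly step: copy one fragment into the reassembly
 * buffer. Returns 0 on success, -1 if the fragment is rejected. */
int reassemble_fragment(uint8_t *buf, size_t buf_len, const struct frag *f)
{
    if (f->offset_units > 0x1FFF)              /* field is only 13 bits wide */
        return -1;
    size_t start = (size_t)f->offset_units * 8;
    size_t end = start + f->payload_len;       /* at most ~131 KB, cannot wrap */
    if (IP_HDR_LEN + end > IP_MAX_DATAGRAM)    /* not a legal datagram */
        return -1;
    if (end > buf_len)                         /* would write past the buffer */
        return -1;
    memcpy(buf + start, f->payload, f->payload_len);
    return 0;
}

/* Constructed demo input: one zero-filled fragment at the given position. */
int demo(uint16_t offset_units, uint16_t payload_len)
{
    static uint8_t buf[IP_MAX_DATAGRAM];
    static const uint8_t data[IP_MAX_DATAGRAM];
    struct frag f = { offset_units, payload_len, data };
    return reassemble_fragment(buf, sizeof buf, &f);
}

int main(void)
{
    printf("first fragment, 1480 bytes: %d\n", demo(0, 1480));
    printf("last legal byte:            %d\n", demo(8189, 3));
    printf("past 65535 bytes:           %d\n", demo(8189, 1000));
    return 0;
}
```

The check rejects the fragment before any copy happens, so an oversized datagram is dropped instead of overwriting memory next to the buffer.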