One of many first low-level community instruments that any laptop consumer learns about is the venerable ping
utility.
Named after the eponymous sound impact from any and each old-school struggle film scene involving submarines, the command is a metaphorical echo (see what we did there?) of the underwater model of RADAR generally known as SONAR.
You ship out a p-i-n-g (extra like a d-o-i-n-n-n-n-g noise, in actuality) into the briny depths, and by measuring how lengthy it takes for its eerie echo to come back again to you, and by estimating the pace of sound within the surrounding ocean, you’ll be able to compute the space to the thing that produced the echo.
Intriguingly, given that you simply’ve most likely heard the abbreviation TCP/IP used as a generic description of the protocol glue that powers the web, ping
doesn’t technically use TCP/IP in any respect.
Actually, TCP/IP is brief for transmission management protocol over the web protocol, and refers to a reasonably high-level mechanism for sending knowledge over the web in such a method that the community itself places in lots of the “did that really work correctly?” effort for you.
For instance, in TCP connections, any chunks of information you ship are assured both to reach intact on the different finish or to trigger an error so they didn’t make it.
Moreover, even when completely different knowledge chunks find yourself taking completely different routes throughout the web (for instance because of load balancing, non permanent outages, or different recoverable errors), and even when some chunks take longer to reach than others, TCP knowledge will likely be accurately buffered up and offered in the suitable order on the different finish.
Ping is completely different
The ping
command, nonetheless, is often used to confirm if a pc you’re fascinated by is on-line in any respect, particularly if it’s not accepting the form of high-level TCP connections you’d anticipate, similar to receiving e mail or permitting SSH logins.
This rapidly helps you identify whether or not an outage is prone to be as a result of community or the server itself happening, or because of particular person companies working on that server failing to start out accurately.
Consequently, ping
makes use of a a lot lower-level protocol than TCP.
Certainly, ping
doesn’t even use TCP’s extra informal cousin UDP, brief for consumer datagram protocol, which is a method of transmitting knowledge chunks that’s quick and simple, however is popularly known as send-and-hope (or, in case you are a cynical kind, as spray-and-pray).
UDP itself doesn’t inform you whether or not your knowledge received to the opposite finish or not, and even when it arrives intact, UDP doesn’t hold monitor of the order wherein your packets had been initially despatched, so it may’t rearrange them on the different finish in the event that they get there out of sequence.
Ping
, for what it’s price, makes use of a very-low-level-indeed protocol, specifically designed for troubleshooting and community reconfiguration functions, generally known as ICMP, or web management message protocol.
Usually dealt with proper within the working system kernel, in order that ICMP/IP packets are nearly sure to get via even when no higher-level networking software program has come up accurately, ICMP notably consists of two particular message sorts:
- Sort 0x08. Formally referred to as
ICMP Echo
, this form of packet is often referred to as an Echo Request. It’s what theping
program sends out as a way to probe for lively computer systems on the community. - Sort 0x00. Formally referred to as
ICMP Echo Reply
, this packet sort is precisely what it says. A pc that’s alive, on-line, and never configured to dam ICMP Echo visitors is meant to ship this form of packet straight again to the pc that requested it.
Like this:
$ ping -c 3 -p 4E414B45445345435552495459 nakedsecurity.sophos.com PATTERN: 0x4e414b45445345435552495459 PING news-sophos.go-vip.internet (192.0.66.227) 56(84) bytes of information. 64 bytes from 192.0.66.227 (192.0.66.227): icmp_seq=1 ttl=53 time=84.0 ms 64 bytes from 192.0.66.227 (192.0.66.227): icmp_seq=2 ttl=53 time=85.1 ms 64 bytes from 192.0.66.227 (192.0.66.227): icmp_seq=3 ttl=53 time=84.8 ms --- news-sophos.go-vip.internet ping statistics --- 3 packets transmitted, 3 obtained, 0% packet loss, time 2004ms rtt min/avg/max/mdev = 84.025/84.644/85.062/0.446 ms
To see a ping
in motion at a barely decrease stage, we’ll use the Lua code that yow will discover on the finish of the article to assemble an ICMP Echo packet of our personal, and to learn the reply that comes again, if any:
$ sudo luax ping.lua nakedsecurity.sophos.com Sending ICMP ECHO request to 192.0.66.227 --> 00000000 08 00 03 02 bb 5a 6f 1d 50 69 6e 67 52 65 71 75 |.....Zo.PingRequ| 00000010 65 73 74 4d 65 73 73 61 67 65 20 42 42 35 41 36 |estMessage BB5A6| 00000020 46 31 44 |F1D | Acquired back--> 00000000 45 00 00 37 f6 af 00 00 35 01 94 7f c0 00 42 e3 |E..7....5.....B.| 00000010 XX XX XX XX 00 00 0b 02 bb 5a 6f 1d 50 69 6e 67 |.........Zo.Ping| 00000020 52 65 71 75 65 73 74 4d 65 73 73 61 67 65 20 42 |RequestMessage B| 00000030 42 35 41 36 46 31 44 |B5A6F1D |
By the best way, we would have liked to make use of sudo
above to run our script with superuser privileges, as a result of we created what’s generally known as a uncooked IP socket – one that may be crafted into any underlying format we like, together with TCP, UDP and, as wanted right here, ICMP.
On many Linux/Unix programs, the ping
command provided by your distro works with out explicitly being given root privileges, often as a result of it’s put in with particular safety capabilities, or with its setuid
flag set, that means it begins off with working beneath a distinct consumer account than the consumer who ran it.
Effectively-designed ping
packages, after all, will mechanically discard their further privileges as soon as they’ve opened up the uncooked socket they want.
We omitted this privilege-dropping code from our pattern script for the sake of brevity. You should use the posix.unistd.setpid()
operate to modify to an unprivileged account after creating the socket, however earlier than sending or receiving any knowledge.
Inspecting the reply
As you would possibly recognise within the knowledge dump from our script above, the community socket operate we’re utilizing to learn again knowledge from the responding server consists of not solely the ICMP Echo Reply knowledge, but additionally the low-level IP (web protocol headers) within the underlying packet.
We haven’t tried to parse or in any other case course of this knowledge, however the FreeBSD ping
program wants to take action as a way to make sense of the reply, together with making sense of any error messages that come again.
If the ping
will get rejected ultimately, the Echo Reply will usually embrace not solely its personal IP headers (as seen above) but additionally a reference copy of the IP headers and the ICMP knowledge that appeared within the authentic outbound request.
IPv4 packet headers often look very similar to you see above, the place the IP headers begin with 45 00 00 37...
and proceed for 20 bytes in complete, as much as and together with the bytes proven as ...XX XX XX XX
, which is the IP handle of my laptop computer.
Like this:
00000000 45 00 00 37 f6 af 00 00 35 01 94 7f c0 00 42 e3 |E..7....5.....B.| 00000010 XX XX XX XX |.... | IP model and header size: 0x45 (4 = IPv4, 5 = 5 32-bit phrases, i.e. 20 bytes Service sort and congestion knowledge: 0x00 Whole size of packet: 0x0037 (decimal 55) Sequence info: F6 AF 00 00 Time-to-live (hops left): 0x35 (decimal 53) Protocol sort: 0x01 (ICMP) Checksum: 0x947F (decimal 38015) Sending laptop's IP quantity: C0 00 42 E3 (192.0.66.227 = nakedsecurity.sophos.com) Recipient's IP (my laptop computer): XX XX XX XX (REDACTED = my very own IP quantity)
FreeBSD’s ping
programmers, it appears, assumed that headers of this kind would, certainly, all the time be precisely 20 bytes lengthy, based mostly on that header-length worth within the first byte of 0x45
, denoting IPv4 (0x4?
) with a 5-DWORD (0x?5
), or 20-byte, header.
With simply 20 bytes to fret about, the programmers allotted fixed-size buffers on the stack the place they might make a copy of the IP headers within the reply, plus any embedded IP headers from the unique request, if there was an error situation to deal with.
You may guess the place that is going.
That first byte within the IPv4 header can legally have any worth from 0x45
(the minimal header measurement of 5 DWORDs, or 20 bytes, as proven) as much as 0x4F
(denoting 15 DWORDs, as a result of 0xF is decimal 15, or 60 bytes of header knowledge in complete), thus neatly permitting for an non-obligatory further 40 bytes of header knowledge.
These uncommon, however authorized, further header bytes can be utilized for numerous funky and strange “options” with curious names similar to Selective Directed Broadcast, Experimental Move Management and Upstream Multicast Packet – issues that we’ve heard of however by no means knowingly used, and even seen.
Beware cybercriminals who put you to the check
As you’ll be able to think about, provided that these further fields are nearly by no means used, you would possibly by no means see an IPv4 packet with something aside from 0x45
firstly, and with 20 bytes of header knowledge in complete, until you’ve run right into a bunch of cybercriminals who’re able to put you to the check.
Sadly, there’s not a lot to cease an attacker from rigging up a server that guesses whether or not you’re utilizing FreeBSD, and intentionally generates outsized ICMP/IP Echo Reply packets as a way to provoke a stack buffer overflow inside your ping
program.
If ever you test to see if their server is lively (which you would possibly do even, or maybe particularly, for those who assume it’s suspicious!), you can be focused with a booby-trapped reply.
At finest, your ping
program will crash; at worst, nonetheless, because the FreeBSD safety advisory generously admits, “it could be potential for a malicious host to set off distant code execution in ping.”
Happily, because the FreeBSD authors additionally level out, “[t]he ping course of runs in a functionality mode sandbox on all affected variations of FreeBSD and is thus very constrained in the way it can work together with the remainder of the system on the level the place the bug can happen.”
In different phrases, you positively have to patch, however the dangers might be thought of modest.
Notably, the ping
program is just not solely locked in a sandbox, however isn’t working as root when the buggy code will get reached, as confirmed within the safety advisory: “When ping
runs, it creates the uncooked socket wanted to do its work, after which revokes its elevated privileges.”
As described above, superuser powers are required solely to accumulate a uncooked IP socket from the working system, to not use the sendto()
and recvfrom()
capabilities on that socket afterwards.
This bug has been given the official identifier CVE-2022-23093; it’s documented within the safety advisory FreeBSD-SA-22:15.ping.
What to do?
- When you’re a FreeBSD consumer, merely replace the affected releases (FreeBSD 12 and FreeBSD 13) to their newest variations, the place this bug is mounted.
- When you’re a community programmer, all the time guarantee that you’ve got accounted for packet headers that might point out uncommon measurement variations. The truth that you’ve by no means seen any variation your self doesn’t cease you going through a packet tomorrow that’s out-of-the-ordinary but completely authorized.
- When you’re a community supervisor, think about blocking IPv4 packets with IP headers that aren’t 20 bytes in measurement. When you genuinely appear to want to permit some software program merchandise to make use of uncommon IPv4 header choices, think about logging these uncommon packets to study why.
Take care on the market!
EXAMPLE CODE TO DEMONSTRATE PING TRAFFIC