It's been a while since I am in the computer security discipline and I remember the old Ping Of Death attack. How cool was it ?! At that time breaking the stack was as simpe as breaking the modelling assumptions, for example breaking the stack in 1997 was as simple as sending to the target stack a unexpected lenght in the ICMP packet ! And, yes, I do remember the time being where a malformed source and destination address caused the smurf attack. After those implementation mistakes, developers, engineers and the developing frameworks became more and more sophisticated, became more and more complete in term of security checking.
It is a long time since I saw another mistake like thise ! ... Untill today ! Today I've read a post talking about another implementation bug in the TCP/IP stack made by Intel enginners. The writer shows how the Intel card ( 82574L ) shouts down if a specific value (0x32) is placed into a specific address ( 0x47F). Which basically means if the ASCII "2" is into a specific address in the sent stream.
Let's take a closer look to the bytesteram:
Image From here
Shutting down an ethernet card could be pretty annoying for a system, in fact you need to reboot your entire machine before getting the card workgin bback. Further analysis showed that different values placed into the same address, change the card behavior.
So hard to find so easy to test. When you play with networks captures and/or with networks crafters the big amount of data let the bug hunter's work be pretty difficult and annoying. Contrary a lot of tools have been developed for testing the network behavior so once you found the bug to reproduce it would be pretty easy as simple as: "ping -p 32 -s 1110 x.x.x.x"
Another fun story to tell, another good example showing why there is the need of security evangelists to increse the security awareness, another good example showing that bugs and eventually vulnerabilities are always "behind the corner" :D. It is worthy to remember.