Microsoft Windows 95 Malformed IPX Ping Packet Vulnerability Patch v1.0 Description:
This patch eliminates a security vulnerability that could be used to cause an affected system to fail and, depending on the number of affected PCs on a network, to flood that network with superfluous data. The affected system component generally is present only if it has been deliberately installed. The Microsoft IPX/SPX protocol implementation (NWLink) supports the IPX (Internetwork Packet eXchange) Ping command via the diagnostic port 0x456. Because of a flaw in the implementation of the protocol in Windows 95, NWLink in these systems responds to an IPX ping packet even when the source network address has been purposely modified to a broadcast address.
This could give a malicious user an opportunity to launch an attack by broadcasting a single ping request. Each affected PC that received the ping would respond to it, potentially resulting in a broadcast storm. In a large network, this could temporarily swamp the network’s bandwidth.
Moreover, upon seeing its own response, each affected machine would attempt to process it, triggering a scenario that would culminate in the machine’s failure. A machine that failed due to this vulnerability could be put back into service by rebooting it.
IPX is installed by default in Windows 95 if there is a network card present in the machine at installation time. Even when it is installed, malicious users' ability to exploit this vulnerability would depend on whether they could deliver a Ping packet to an affected machine. Routers frequently are configured to drop IPX packets, and if such a router lay between the malicious user and an affected machine, an attack could not be undertaken.
As a rule, routers on the Internet do not forward IPX packets, protecting intranets from outside attack, as well as machines connected to the Internet via dial-up connections.
The most likely scenario in which this vulnerability could be exploited would be by a malicious intranet user attacking affected machines on the same intranet, or malicious users on the Internet attacking affected machines on their cable modems or DSL subnets.
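The malformed ping described above can be recognized from the IPX header alone, which is the check a capture filter or monitoring script would apply. The following is an added example, not code from Microsoft or from the patch; it assumes the standard 30-byte IPX header layout and that an all-ones network or node value denotes broadcast, and the function names and sample headers are constructed for illustration.

```python
import struct

# Assumed standard IPX header: checksum, length, transport control, packet
# type, then destination and source (network, node, socket). 30 bytes.
IPX_HDR = struct.Struct("!HHBB4s6sH4s6sH")
DIAG_SOCKET = 0x0456       # diagnostic port named in the description above
BCAST_NET = b"\xff" * 4    # assumption: all-ones network means broadcast
BCAST_NODE = b"\xff" * 6   # assumption: all-ones node means broadcast


def parse_ipx(frame: bytes) -> dict:
    """Decode the fixed IPX header; raise ValueError if it is truncated."""
    if len(frame) < IPX_HDR.size:
        raise ValueError("truncated IPX header")
    (_csum, length, _tc, ptype,
     dnet, dnode, dsock, snet, snode, ssock) = IPX_HDR.unpack_from(frame)
    return {"length": length, "type": ptype,
            "dst": (dnet, dnode, dsock), "src": (snet, snode, ssock)}


def is_suspect_ping(frame: bytes) -> bool:
    """True for a packet to the diagnostic socket with a broadcast source."""
    try:
        hdr = parse_ipx(frame)
    except ValueError:
        return False
    snet, snode, _ssock = hdr["src"]
    to_diag = hdr["dst"][2] == DIAG_SOCKET
    return to_diag and (snet == BCAST_NET or snode == BCAST_NODE)


def sample_header(dsock: int, snet: bytes, snode: bytes) -> bytes:
    """Build a constructed header for the checks below (test data only)."""
    return IPX_HDR.pack(0xFFFF, IPX_HDR.size, 0, 0,
                        bytes(4), b"\xff" * 6, dsock, snet, snode, 0x4002)


# Constructed samples: ordinary source, broadcast source, unrelated socket.
SAMPLES = {
    "normal": sample_header(DIAG_SOCKET, b"\x00\x00\x00\x01",
                            bytes.fromhex("00a0c9112233")),
    "bcast_src": sample_header(DIAG_SOCKET, BCAST_NET, BCAST_NODE),
    "other_sock": sample_header(0x0451, BCAST_NET, BCAST_NODE),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name}: suspect={is_suspect_ping(frame)}")
```

A well-formed request never carries a broadcast source, so a match on this check inside an intranet segment is worth investigating even on patched machines.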