{"id":109016,"date":"2023-11-14T07:00:00","date_gmt":"2023-11-14T15:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=109016"},"modified":"2023-11-14T10:54:11","modified_gmt":"2023-11-14T18:54:11","slug":"20231114-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20231114-00\/?p=109016","title":{"rendered":"Starting on the other side of this airtight hatchway: Running a program that leaks memory"},"content":{"rendered":"

A security vulnerability report came in that said<\/p>\n

In the most recent Windows Insider Build, the ping<\/code> program has a small memory leak. This is normally not a problem because the ping<\/code> program runs for less than a minute before exiting, but if you run ping -t<\/code>, then it will ping the destination machine indefinitely until killed. This can be used as a denial of service if you just start a ping -t<\/code> and let it run. It leaks about a megabyte a day.<\/p><\/blockquote>\n

While it’s true that you could use it as a denial of service, it’s also not a very effective one, given that the memory leak is “only” a megabyte a day.<\/p>\n

Furthermore, in order for an attacker to exploit this, they need to gain the ability to run programs so they can run ping -t<\/code> and giggle with glee as the program slowly leaks memory.\u00b9<\/p>\n

Since this presupposes that the attacker can run a program with arbitrary command lines, the attacker may as well use something that consumes memory at a far faster pace:<\/p>\n

for \/L %i in (1,1,1000000) do start eventvwr.exe\r\n<\/pre>\n
This  launches a million copies of Event Viewer<\/a>, which will certainly mess up the system faster than a one-megabyte-a-day leak.<\/p>\n
What we have is a bug but not a security bug. The development team fixed the memory leak, so this bug didn’t exist for very long.<\/p>\n
\u00b9 In practice, the program will have to leak several gigabytes of memory before the system will start to suffer, so the attacker is in for a wait of several years before their denial-of-service attack finally bears fruit and the system owner will have to either kill the rogue ping<\/code> process or reboot the system. “With this fiendish attack, I can mildly inconvenience somebody a dozen years from now!” (Assuming they leave the system running without rebooting.)<\/p>\n","protected":false},"excerpt":{"rendered":"
There are a lot of things you can do to consume memory.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[26],"class_list":["post-109016","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-other"],"acf":[],"blog_post_summary":"
There are a lot of things you can do to consume memory.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/109016","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=109016"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/109016\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=109016"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=109016"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=109016"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}