OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: snmp problems still alive...
From: Michal Zalewski (lcamtufAGS.PL)
Date: Mon Feb 14 2000 - 13:00:08 CST

Days ago, there was a discussion about world-readable snmp communities,
some people thought it was bad enough. Amazingly, I've found that a lot of
network devices (such as intelligent switches, WAN/LAN routers, ISDN/DSL
modems, remote access machines and even some user-end operating systems)
are by default configured with snmp enabled and unlimited access with
*write* privledges. It allows attacker to modify routing tables, status of
network interfaces and other vital system data, and seems to be extermely
dangerous. To make things even worse, some devices seems to tell that
write permission for given community is disabled, but you can still
successfully write to it - and other devices won't let you to set up snmp
access at all (eg. some modems and switches).

Here's brief list of devices I've found with world-writable communities -
and names of these communities, respectively:

- 3com Switch 3300 (3Com SuperStack II) - private
- Cray MatchBox router (MR-1110 MatchBox Router/FR 2.01) - private
- 3com RAS (HiPer Access Router Card) - public
- Prestige 128 / 128 Plus - public
- COLTSOHO 2.00.21 - private
- PRT BRI ISDN router - public
- CrossCom XL 2 - private
- WaiLAN Agate 700/800 - public
- HPJ3245A HP Switch 800T - public
- ES-2810 FORE ES-2810, Version 2.20 - public
- Windows NT Version 4.0 - public
- Windows 98 (not 95) - public
- Sun/SPARC Ultra 10 (Ultra-5_10) - private

This list is for sure uncomplete, and might be inaccurate - it has been
created after extensive, but only remote tests on devices outside my
network (usually, these machines are inside ISP networks).

On following devices, some parameters can be changed, but some can't - so
it seems to be less dangerous:

- HP LaserJet (EEPROM G.08.03) - public
- PICO router - public
- Xyplex Router 6.1.1 - private

Best solutions:

- try to disable unlimited snmp access, if possible, then check if it
  really worked,
- ask vendor for firmware upgrade,
- do not route traffic addressed to snmp-enabled devices from outside.

Other systems: Cisco and Motorola routers, Netware, most Unix boxes are
not vulnerable.

Exploit code:

$ snmpset hostname {private|public} interfaces.ifTable.ifEntry.ifAdminStatus.1 i 2

...should bring 1st network interface on remote machine down... for more
interesting options to be set, execute:

$ snmpwalk hostname {private|public}

_______________________________________________________
Michal Zalewski * [lcamtufags.pl] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 813 25 86] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=