Bugtraq mailing list archives

Re: snmp problems still alive...
From: gus () GAUSS WORLDINTER NET (Gus Huber)
Date: Tue, 15 Feb 2000 16:51:50 -0600


It should be noted in this discussion that MANY of these devices also
through SNMP queries can be completely compromised by either sending or
receiving configuration files from arbitrary locations.  Both cisco and
ascend products support downloading and uploading of configuration files
via tftp from an SNMP query.  From that point it is trivial to sniff
network traffic.  AFAIK, ascend still ships with the SNMP communities set as
public for read-only, and write for RW.  Also many hardware devices do not
log queries sent to invalid SNMP communities in SNMPv1, so it is a simple
game of brute force to get those communities.

To illustrate the damage of leaving your ascends with default communities,
there is a small program that will parse the data from the ascend sniffing
debug mode that can be found at <http://k0dez.pbx.org/stuff/ascenddump.c>.
(I think it is there)

SNMP should be disabled unless needed, and if it is, it should be firewalled
to the appropriate means...

$0.02.....

gus huber <gus () worldinter net> some punk kid with a bunch of routers

On Mon, 14 Feb 2000, Michal Zalewski wrote:

Days ago, there was a discussion about world-readable snmp communities;
some people thought it was bad enough. Amazingly, I've found that a lot of
network devices (such as intelligent switches, WAN/LAN routers, ISDN/DSL
modems, remote access machines and even some user-end operating systems)
are by default configured with snmp enabled and unlimited access with
*write* privileges. It allows an attacker to modify routing tables, status of
network interfaces and other vital system data, and seems to be extremely
dangerous. To make things even worse, some devices seem to tell that
write permission for a given community is disabled, but you can still
successfully write to it - and other devices won't let you set up snmp
access at all (eg. some modems and switches).

Here's a brief list of devices I've found with world-writable communities -
and the names of these communities, respectively:

- 3com Switch 3300 (3Com SuperStack II) - private
- Cray MatchBox router (MR-1110 MatchBox Router/FR 2.01) - private
- 3com RAS (HiPer Access Router Card) - public
- Prestige 128 / 128 Plus - public
- COLTSOHO 2.00.21 - private
- PRT BRI ISDN router - public
- CrossCom XL 2 - private
- WaiLAN Agate 700/800 - public
- HPJ3245A HP Switch 800T - public
- ES-2810 FORE ES-2810, Version 2.20 - public
- Windows NT Version 4.0 - public
- Windows 98 (not 95) - public
- Sun/SPARC Ultra 10 (Ultra-5_10) - private

This list is for sure incomplete, and might be inaccurate - it has been
created after extensive, but only remote, tests on devices outside my
network (usually, these machines are inside ISP networks).

On the following devices, some parameters can be changed, but some can't - so
it seems to be less dangerous:

- HP LaserJet (EEPROM G.08.03) - public
- PICO router - public
- Xyplex Router 6.1.1 - private

Best solutions:

- try to disable unlimited snmp access, if possible, then check if it
  really worked,
- ask vendor for firmware upgrade,
- do not route traffic addressed to snmp-enabled devices from outside.

Other systems: Cisco and Motorola routers, Netware, most Unix boxes are
not vulnerable.

Exploit code:

$ snmpset hostname {private|public} interfaces.ifTable.ifEntry.ifAdminStatus.1 i 2

...should bring the 1st network interface on the remote machine down... for more
interesting options to be set, execute:

$ snmpwalk hostname {private|public}

_______________________________________________________
Michal Zalewski * [lcamtuf () ags pl] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 813 25 86] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
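Since, as Gus notes above, many devices do not log queries to bad communities, the practical place to see this traffic is on the wire. The check below is an added example (not code from either message in this thread): it decodes the outer layers of raw SNMP UDP payloads, e.g. UDP/161 data pulled from a capture, and flags SNMPv1/v2c SetRequest PDUs and the default community strings the thread names. The sample packets are constructed here; the first is the wire form of the snmpset command quoted above (community "private", ifAdminStatus.1 = 2).

```python
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
VERSION_NAMES = {0: "v1", 1: "v2c"}                     # v3 carries no plain community
DEFAULT_COMMUNITIES = {"public", "private", "write"}   # defaults named in the thread

def _tlv(buf, pos):
    """Decode one BER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp(payload):
    """Return {'version', 'community', 'pdu'} for a v1/v2c message, else None."""
    try:
        tag, body, _ = _tlv(payload, 0)                  # outer SEQUENCE
        vtag, ver, pos = _tlv(body, 0)                   # INTEGER version
        ctag, community, pos = _tlv(body, pos)           # OCTET STRING community
        pdu_tag, _, _ = _tlv(body, pos)                  # context-specific PDU tag
    except IndexError:                                   # truncated or not SNMP
        return None
    version = int.from_bytes(ver, "big")
    if (tag, vtag, ctag) != (0x30, 0x02, 0x04) or version not in VERSION_NAMES:
        return None
    return {"version": VERSION_NAMES[version], "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, "tag 0x%02x" % pdu_tag)}

def audit(payloads):
    """Return (packet_index, reason) for every payload a defender should alert on."""
    findings = []
    for i, p in enumerate(payloads):
        msg = parse_snmp(p)
        if msg is None:
            continue
        if msg["pdu"] == "SetRequest":
            findings.append((i, "SNMP%s SetRequest with community '%s'" % (msg["version"], msg["community"])))
        if msg["community"] in DEFAULT_COMMUNITIES:
            findings.append((i, "default community '%s' in %s" % (msg["community"], msg["pdu"])))
    return findings

# Constructed samples: [0] SNMPv1 SetRequest, community "private", ifAdminStatus.1 = 2
# (the snmpset line from the thread); [1] GetRequest with community "public";
# [2] not SNMP at all.
SAMPLES = [
    bytes.fromhex("302a 020100 0407 70726976617465 a31c 020101 020100 020100"
                  "3011 300f 060a 2b0601020102020107 01 020102"),
    bytes.fromhex("3018 020100 0406 7075626c6963 a00b 020101 020100 020100 3000"),
    b"GET / HTTP/1.0\r\n",
]
```

Running `audit(SAMPLES)` yields two findings for packet 0 (a SetRequest, and a default community) and one for packet 1; the HTTP bytes are ignored.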