Vulnerability Development
mailing list archives
Re: Router worm exploiting poor SNMP security.
From: N Catlow <n.catlow () ERIS DERA GOV UK>
Date: Thu, 14 Dec 2000 18:07:34 +0000
Additional information
If you know the SNMP read/write community it should
be no problem to upload files to Nortel routers. This is
done today with Site Manager. I'm guessing this is
done by enabling tftp.
Hmm yes, I recollect that you could manipulate the file
system on Bay Routers (BLN) via Site Manager; this did
use tftp but was initiated by snmp...
If you could sniff the snmp from a valid file transfer
then this would provide the snmp method of getting scripts
etc. onto the box. This would be useful in its
own right for zebra hats.
BayRS has its own script language, which I believe
can be used to write such a worm. What I'm not sure
of is if it's possible to send SNMP packets with such
a script.
If I remember on BLN's the scripting language provided
core commands such as 'show blah blah' where 'show'
was a script on the FS. The more interesting bit was that
these scripts consisted of snmp gets.
q1. Can you do snmp sets?
q2. Can you do it to a remote machine?
The problem would be to execute the script on a
remote router. I'm not sure if this is possible.
It's however possible to execute ping from a remote
router with SNMP (again this can be done with Site
Manager).
Even if you couldn't execute arbitrary commands via snmp
you could trojanise core commands. This could lead to a
manually operated worm or perhaps making the router
appear to logout then capture username/password and store
to a file to be later retrieved by snmp/tftp.
As far as this worm being version specific etc. all
you have to do is use snmp to pull the os/ver information
and execute the relevant worm....
There does seem to be plenty of room for a closer look.
regards,
--
N.Catlow () eris dera gov uk | All opinions | IT Security, DERA,
| are my own and | WWB009, St Andrews Rd,
| not DERA's | Malvern, Worcs, England.
*I'd love to give my 0.02 worth - Have you got change for a dollar?*
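
The thread turns on what an SNMP read/write community allows, so a monitoring-side check is to flag SNMP SetRequest PDUs that do not come from an approved management station. The following is an added example, not part of the original message or of any Nortel/Bay tooling; the addresses, community strings and helper names are constructed for illustration.

```python
# Added example, not from the original post; PACKETS below is constructed sample traffic.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

def read_tlv(buf, pos):  # decode one BER TLV -> (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def classify(datagram):
    """Return (community, pdu_name) from a community-based SNMP message."""
    tag, body, _ = read_tlv(datagram, 0)       # outer SEQUENCE
    vtag, _, pos = read_tlv(body, 0)           # version INTEGER
    ctag, community, pos = read_tlv(body, pos)  # community OCTET STRING
    ptag, _, _ = read_tlv(body, pos)           # PDU, context-tagged
    if (tag, vtag, ctag) != (0x30, 0x02, 0x04):
        raise ValueError("not a community-based SNMP message")
    return community.decode("latin-1"), PDU_NAMES.get(ptag, hex(ptag))

def audit(packets, managers):
    """Return (source, community) for each SetRequest from an unapproved source."""
    alerts = []
    for src, data in packets:
        try:
            community, pdu = classify(data)
        except ValueError:
            continue  # not parseable as community-based SNMP
        if pdu == "SetRequest" and src not in managers:
            alerts.append((src, community))
    return alerts

def tlv(tag, value):  # sample builder; short-form lengths only
    return bytes([tag, len(value)]) + value
def sample(pdu_tag, community, value):  # constructed message for sysName.0
    binds = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2b06010201010500")) + value))
    pdu = tlv(pdu_tag, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") * 2 + binds)
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu)

PACKETS = [("192.0.2.10", sample(0xA0, b"public", tlv(0x05, b""))),
           ("192.0.2.10", sample(0xA3, b"netops", tlv(0x04, b"core1"))),
           ("198.51.100.7", sample(0xA3, b"netops", tlv(0x04, b"x")))]
```

Calling `audit(PACKETS, {"192.0.2.10"})` reports only the SetRequest from the source that is not on the manager list.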