FW: ISS Alert: PROTOS Remote SNMP Attack Tool

From: Roman Iwasjuk (RIwasjuk@BUDUCHNIST.COM)
Date: 02/12/02


Date:         Tue, 12 Feb 2002 15:50:26 -0500
From: Roman Iwasjuk <RIwasjuk@BUDUCHNIST.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

While this is not necessarily an NT bug, it's still an important issue to be
dealt with.

-----Original Message-----
From: X-Force [mailto:xforce@iss.net]
Sent: Tuesday, February 12, 2002 12:58 PM
To: issforum@iss.net
Subject: ISS Alert: PROTOS Remote SNMP Attack Tool


Internet Security Systems Security Alert
February 12, 2002

PROTOS Remote SNMP Attack Tool

Synopsis:

ISS X-Force has learned of a powerful SNMP (Simple Network Management
Protocol) attack tool that may be circulating in the computer
underground. The PROTOS SNMP stress-testing tool sends thousands of test
cases to SNMP daemons from a remote system to discover programming flaws
or exploitable vulnerabilities. This tool has the immediate ability to
crash SNMP daemons and hardware devices running SNMP. The circulation of
this tool may lead to the widespread use of new exploits to crash or
compromise vulnerable systems. SNMP is ubiquitous as a network
management protocol on the Internet. Nearly every operating system,
router, switch, cable or DSL modem, and firewall is shipped with an SNMP
service.

Affected Versions:

The PROTOS Project has provided the following list as a sample of
vendors that support SNMPv1 implementations in their products. The
following vendors may or may not be vulnerable to the PROTOS SNMP tool:

3Com, Alcatel, Amber Networks, Arbor, Banyan Networks, Canon, Cisco,
Compaq, Computer Associates, D-Link, Dell, Digi, Ericsson, Extreme
Networks, F5, Foundry, Fujitsu Siemens, HP, Hitachi, IBM, ICL, Intel,
Juniper Networks, Lantronix, Laurel, Lotus, Lucent, Marconi-Fore,
Microsoft, Multitech, NET-SNMP, NetGear, Nokia, Nortel, Novell, SMC,
Shiva, Siemens, Sumitomo, Sun Microsystems, Telebit, Teledat, Windriver,
Xerox, Xylan, Zyxel

CERT has stated that over 100 vendors are vulnerable.

Description:

The University of Oulu of Linnanmaa, Finland launched the PROTOS Project
to develop thorough testing procedures for uncovering programming faults
and potentially exploitable vulnerabilities. The basis of the PROTOS
effort is to develop thousands of test cases and launch them against
implementations of the target protocol to uncover programming
weaknesses. This method is also often referred to as "fuzz testing," or
"black box testing." The PROTOS project was very successful in
uncovering weaknesses and exploitable vulnerabilities in many LDAP and
HTTP implementations.

The PROTOS SNMP attack tool was released in a limited fashion, but ISS
X-Force believes that the computer underground is actively using the
tool to assess SNMP weaknesses and to develop new exploits. The PROTOS
team has proven that many implementations of SNMP are vulnerable to
numerous flaws tested by the tool. X-Force testing has verified the
claims of the PROTOS team.

This tool is extremely thorough and is perceived to be the most
exhaustive SNMP testing tool available. It launches various combinations
of six main types of test cases:

- bit pattern exception
- BER (Basic Encoding Rules) encoding exception
- format string exception
- integer value exception
- missing symbol exception
- overflow exception

The effectiveness of the tool is increased by targeting broadcast
addresses. As a result, the reach of the tool can be greatly extended by
simultaneously attacking many devices.
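As an added example (not code from ISS or the PROTOS project), the following Python validator walks the BER structure of an SNMPv1 datagram and rejects the kinds of malformed encodings the test-case categories above exercise (oversized lengths, overlong or '%'-laden community strings, unexpected tags); the 64-byte community limit and all sample packets are assumptions constructed for the example.

```python
# Added example, not part of the ISS alert: a strict BER walker that checks an
# SNMPv1 datagram for the structural defects the PROTOS categories exercise
# (BER encoding, overflow, format string). All sample packets are constructed.
MAX_COMMUNITY = 64  # assumed local policy limit, not a value from the alert

def read_tlv(buf, pos):
    """Decode one BER tag/length/value at pos; raise ValueError on a defect."""
    if pos + 2 > len(buf):
        raise ValueError("truncated: missing tag or length")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:                      # long-form length
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length: indefinite, oversized or truncated")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("overflow: length %d exceeds %d remaining bytes"
                         % (length, len(buf) - pos))
    return tag, buf[pos:pos + length], pos + length

def check_snmpv1(pkt):
    """Return None for a well-formed SNMPv1 message, else a reason string."""
    try:
        tag, body, end = read_tlv(pkt, 0)
        if tag != 0x30 or end != len(pkt):
            return "outer element is not a single SEQUENCE"
        tag, ver, p = read_tlv(body, 0)
        if tag != 0x02 or ver != b"\x00":
            return "version field is not SNMPv1"
        tag, comm, p = read_tlv(body, p)
        if tag != 0x04 or len(comm) > MAX_COMMUNITY:
            return "community not an OCTET STRING or too long (%d bytes)" % len(comm)
        if b"%" in comm or any(b < 0x20 or b > 0x7E for b in comm):
            return "community contains '%' or non-printable bytes"
        tag, pdu, p = read_tlv(body, p)
        if tag not in (0xA0, 0xA1, 0xA2, 0xA3, 0xA4) or p != len(body):
            return "unexpected PDU tag 0x%02x or trailing bytes" % tag
        return None
    except ValueError as exc:
        return str(exc)

# Constructed samples: a normal GetRequest for community "public", the same
# request with a 200-byte and a '%'-laden community, and a truncated message.
PDU = bytes.fromhex("a00b0201010201000201003000")      # empty varbind list
GOOD = bytes.fromhex("301802010004067075626c6963") + PDU
LONG = b"\x30\x81\xdb\x02\x01\x00\x04\x81\xc8" + b"A" * 200 + PDU
FMT = bytes.fromhex("30180201000406256e256e2573") + PDU
TRUNC = bytes.fromhex("30821000020100")                # claims 4096, has 3
```

Run `check_snmpv1` over each UDP/161 payload a sensor captures; any non-None result is worth alerting on, since a conforming manager never emits these shapes.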

Recommendations:

The PROTOS SNMP attack tool has proven very effective against networks
and devices that are not protected by firewalls or any type of packet
filter. It is well known that SNMP traffic can be dangerous and should
be heavily filtered at the perimeter.

ISS X-Force recommends that all system administrators immediately assess
their exposure to SNMP traffic (ports 161 and 162 tcp/udp). Individual
users should assess their exposure or contact their cable modem, DSL
modem, or router vendor to inquire about potential issues. X-Force
recommends that home users consider installing perimeter defenses in the
form of a router with filtering capabilities, and personal firewall
software with intrusion detection capabilities.

Cisco users should be aware that it has been reported that some Cisco
routers and switches will not filter packets even if configured to, if
there is an SNMP community string defined with an ACL on it, and an
'snmp-server host' is configured with the same community string. In this
configuration, a packet could be sent to the router or switch that
ignores all ACLs on the device.

An Internet Scanner FlexCheck has been developed to detect all
potentially vulnerable SNMPv1 networked devices. Additional assessment
support will be added in an upcoming Internet Scanner X-Press Update.
The FlexCheck is available now at:
https://www.iss.net/cgi-bin/download/customer/download_product.cgi

RealSecure Network Sensor may trigger several different signatures in
response to an SNMP attack using the PROTOS SNMP attack tool. RealSecure
administrators should closely examine the following events if they are
detected by RealSecure:

- SNMP_Activity
- SNMP_Set
- SNMP_Community

An X-Press Update for RealSecure Network Sensor will be released as soon
as possible that includes detection support for the various attacks used
in PROTOS SNMP attack tool. In an effort to provide the X-Press Update
to customers as quickly as possible, XPUs for different versions of
Network Sensor will be released as they are completed. Detection
support will also be added in a future update for BlackICE products.

RealSecure Network Sensor administrators can configure connection events
to detect SNMP traffic on the network, including both normal SNMP
traffic and attacks against SNMP. Use the instructions below to create
the following four connection events and apply them to your policy:

- SNMP over TCP (a connection event that will trigger anytime traffic is
destined to TCP port 161)
- SNMP over UDP (a connection event that will trigger anytime traffic is
destined to UDP port 161)
- SNMP Traps over TCP (a connection event that will trigger anytime
traffic is destined to TCP port 162)
- SNMP Traps over UDP (a connection event that will trigger anytime
traffic is destined to UDP port 162)

To add new connection events:
1. Choose the policy that you want to use, and then click Customize.
2. Select the Connection Events tab.
3. In the right pane, click Add.

To create a Connection Event for SNMP over TCP:
1. Type in a name of the event, such as SNMP_TCP.
2. In the Response field for the event, select the responses you want
   to use.
3. In the Protocol field, select TCP.
4. In the Src Port/Type field, leave the default value of Any
   selected.
5. In the Dest Port/Type field, select the entry for SNMP (port 161).
6. Click OK.

To create a Connection Event for SNMP over UDP:
1. Type in a name of the event, such as SNMP_UDP.
2. In the Response field for the event, select the responses you want
   to use.
3. In the Protocol field, select UDP.
4. In the Src Port/Type field, leave the default value of Any
   selected.
5. In the Dest Port/Type field, select the entry for SNMP (port 161).
6. Click OK.

To create a Connection Event for SNMP Traps over TCP:
1. Type in a name of the event, such as SNMPTRAP_TCP.
2. In the Response field for the event, select the responses you want
   to use.
3. In the Protocol field, select TCP.
4. In the Src Port/Type field, leave the default value of Any
   selected.
5. In the Dest Port/Type field, select the entry for SNMPTRAP (port
   162).
6. Click OK.

To create a Connection Event for SNMP Traps over UDP:
1. Type in a name of the event, such as SNMPTRAP_UDP.
2. In the Response field for the event, select the responses you want
   to use.
3. In the Protocol field, select UDP.
4. In the Src Port/Type field, leave the default value of Any
   selected.
5. In the Dest Port/Type field, select the entry for SNMPTRAP (port
   162).
6. Click OK.

To enable the new connection events:
1. Save the changes, and then close the window.
2. Click 'Apply to Sensor' or 'Apply to Engine', depending on the
version of RealSecure you are using.

BlackICE products may trigger several different signatures in response
to an SNMP attack using the PROTOS SNMP attack tool. BlackICE users and
administrators should closely examine the following events if they are
detected by BlackICE:

- SNMP community long
- SNMP sysName overflow
- SNMP Crack
- SNMP Port Probe
- SNMP Corrupt
- SNMP Backdoor
- SNMP SET sysContact
- SNMP discovery broadcast
- UDP Port Probe

Detection support will be added in a future update for BlackICE
products.

Additional Information:

ISS X-Force Database,
http://www.iss.net/security_center/static/8115.php

This alert is available at:
http://www.iss.net/security_center/alerts/advise110.php
[Note: It may take up to 24 hours from the original posting of this
alert for it to appear on the Web site.]

______

About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East. For more information, visit the Internet Security
Systems Web site at <www.iss.net> or call 888-901-7477.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please e-
mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server as well as at: http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.

