[NEWS] PROTOS Remote SNMP Attack Tool
From: support@securiteam.com To: list@securiteam.com Date: Wed, 13 Feb 2002 14:01:35 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
PROTOS Remote SNMP Attack Tool
------------------------------------------------------------------------
SUMMARY
ISS X-Force has learned of a powerful SNMP (Simple Network Management
Protocol) attack tool that may be circulating in the computer underground.
The PROTOS SNMP stress-testing tool sends thousands of test cases to SNMP
daemons from a remote system to discover programming flaws or exploitable
vulnerabilities. This tool has the immediate ability to crash SNMP daemons
and hardware devices running SNMP. The circulation of this tool may lead
to a widespread use of new exploits to crash or compromise vulnerable
systems. SNMP is ubiquitous as a network management protocol on the
Internet. Nearly every operating system, router, switch, cable or DSL
modem, and firewall is shipped with an SNMP service.
DETAILS
Affected versions:
The PROTOS Project has provided the following list as a sample of vendors
that support SNMPv1 implementations in their products. The following
vendors may or may not be vulnerable to the PROTOS SNMP tool:
3Com, Alcatel, Amber Networks, Arbor, Banyan Networks, Canon, Cisco,
Compaq, Computer Associates, D-Link, Dell, Digi, Ericsson, Extreme
networks, F5, Foundry, Fujitsu Siemens, HP, Hitachi, IBM, ICL, Intel,
Juniper Networks, Lantronix, Laurel, Lotus, Lucent, Marconi-Fore,
Microsoft, Multitech, NET-SNMP, NetGear, Nokia, Nortel, Novell, SMC,
Shiva, Siemens, Sumimoto, Sun Microsystems, Telebit, Teledat, Windriver,
Xerox, Xylan, Zyxel
CERT has stated that over 100 vendors are vulnerable.
Description:
The University of Oulu (Linnanmaa, Finland) launched the PROTOS Project
to develop thorough testing procedures for uncovering programming faults
and potentially exploitable vulnerabilities. The basis of the PROTOS
effort is to develop thousands of test cases and launch them against
implementations of the target protocol to uncover programming weaknesses.
This method is also often referred to as "fuzz testing," or "black box
testing." The PROTOS project was very successful in uncovering weaknesses
and exploitable vulnerabilities in many LDAP and HTTP implementations.
The PROTOS SNMP attack tool was released in a limited fashion, but ISS
X-Force believes that the computer underground is actively using the tool
to assess SNMP weaknesses and to develop new exploits. The PROTOS team has
proven that many implementations of SNMP are vulnerable to numerous flaws
tested by the tool. X-Force testing has verified the claims of the PROTOS
team.
This tool is extremely thorough and is perceived to be the most exhaustive
SNMP testing tool available. It launches various combinations of six main
types of test cases:
- bit pattern exception
- BER (Basic Encoding Rules) encoding exception
- format string exception
- integer value exception
- missing symbol exception
- overflow exception
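Most of the test-case classes listed above (BER encoding, integer value, overflow) hit the same weak spot: an SNMP daemon that trusts the length and value fields in the BER encoding before checking them against the bytes it actually received. The following strict SNMPv1 message parser is an added example written for this bulletin; it is not code from ISS X-Force, the PROTOS project, or any SNMP implementation. It bounds every length against the real buffer, rejects indefinite and over-wide length fields, caps INTEGER and community-string sizes, and checks OID sub-identifiers for overflow. The caps (MAX_COMMUNITY, MAX_VARBINDS) and the sample packets are constructed for illustration.

```python
"""Strict BER/SNMPv1 parser that rejects malformed encodings instead of
trusting length fields.  Added example; the packets below are constructed."""

MAX_COMMUNITY = 255   # assumed cap on community string length
MAX_VARBINDS = 64     # assumed cap on VarBinds per PDU
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}


class BerError(ValueError):
    """Raised for any encoding the parser refuses to accept."""


def read_tlv(buf, pos):
    """Read one BER TLV at buf[pos:] and return (tag, value, next_pos).
    Every length is checked against the real buffer before it is used."""
    if pos + 2 > len(buf):
        raise BerError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    elif first == 0x80:                    # indefinite length: never valid in SNMP
        raise BerError("indefinite length not allowed")
    else:                                  # long form: up to 4 length bytes
        nbytes = first & 0x7F
        if nbytes > 4:
            raise BerError("length field too wide")
        if pos + nbytes > len(buf):
            raise BerError("truncated long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise BerError("length %d exceeds remaining %d bytes" % (length, len(buf) - pos))
    return tag, buf[pos:pos + length], pos + length


def read_int(buf, pos):
    """Read a 32-bit INTEGER; wider encodings are rejected, not truncated."""
    tag, value, pos = read_tlv(buf, pos)
    if tag != 0x02:
        raise BerError("expected INTEGER, got tag 0x%02x" % tag)
    if not 1 <= len(value) <= 4:
        raise BerError("INTEGER length %d outside 1..4" % len(value))
    return int.from_bytes(value, "big", signed=True), pos


def decode_oid(value):
    """Decode an OBJECT IDENTIFIER to dotted form, bounding each sub-identifier."""
    if not value:
        raise BerError("empty OID")
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    sub = 0
    for b in value[1:]:
        sub = (sub << 7) | (b & 0x7F)
        if sub > 0xFFFFFFFF:
            raise BerError("OID sub-identifier overflows 32 bits")
        if not b & 0x80:
            arcs.append(sub)
            sub = 0
    if value[-1] & 0x80:
        raise BerError("OID ends mid sub-identifier")
    return ".".join(str(a) for a in arcs)


def parse_snmpv1(data):
    """Parse an SNMPv1 Get/GetNext/Response/Set message into a dict."""
    tag, msg, end = read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise BerError("message is not a single SEQUENCE")
    version, pos = read_int(msg, 0)
    if version != 0:
        raise BerError("not SNMPv1 (version %d)" % version)
    tag, community, pos = read_tlv(msg, pos)
    if tag != 0x04 or len(community) > MAX_COMMUNITY:
        raise BerError("bad community string")
    pdu_tag, pdu, pos = read_tlv(msg, pos)
    if pdu_tag not in PDU_NAMES or pos != len(msg):
        raise BerError("unsupported PDU tag 0x%02x or trailing bytes" % pdu_tag)
    request_id, p = read_int(pdu, 0)
    error_status, p = read_int(pdu, p)
    error_index, p = read_int(pdu, p)
    tag, vblist, p = read_tlv(pdu, p)
    if tag != 0x30 or p != len(pdu):
        raise BerError("bad VarBindList")
    varbinds, q = [], 0
    while q < len(vblist):
        tag, vb, q = read_tlv(vblist, q)
        if tag != 0x30:
            raise BerError("VarBind is not a SEQUENCE")
        tag, oid, r = read_tlv(vb, 0)
        if tag != 0x06:
            raise BerError("VarBind name is not an OID")
        vtag, val, r = read_tlv(vb, r)
        if r != len(vb):
            raise BerError("trailing bytes in VarBind")
        varbinds.append((decode_oid(oid), vtag, val))
        if len(varbinds) > MAX_VARBINDS:
            raise BerError("too many VarBinds")
    return {"version": version, "community": community.decode("ascii", "replace"),
            "pdu": PDU_NAMES[pdu_tag], "request_id": request_id,
            "error_status": error_status, "error_index": error_index,
            "varbinds": varbinds}


def check(data):
    """Return None if data parses cleanly, otherwise the rejection reason."""
    try:
        parse_snmpv1(data)
        return None
    except BerError as e:
        return str(e)


# Constructed sample: a well-formed GetRequest for sysDescr.0, community "public".
VALID_GET = bytes.fromhex(
    "30 26"                    # SEQUENCE, 38 bytes
    "02 01 00"                 # version 0 (SNMPv1)
    "04 06 7075626c6963"       # community "public"
    "a0 19"                    # GetRequest-PDU, 25 bytes
    "02 01 01"                 # request-id 1
    "02 01 00"                 # error-status 0
    "02 01 00"                 # error-index 0
    "30 0e"                    # VarBindList
    "30 0c"                    # VarBind
    "06 08 2b06010201010100"   # OID 1.3.6.1.2.1.1.1.0 (sysDescr.0)
    "05 00"                    # NULL value
)
# Constructed malformed inputs of the kinds a BER/integer fuzzer produces.
OVERLONG_LENGTH = bytes.fromhex("30 84 ffffffff 02 01 00")   # claims 4 GiB payload
INDEFINITE_LENGTH = bytes.fromhex("30 80 02 01 00 00 00")     # indefinite-length form
OVERSIZED_INT = bytes.fromhex("30 07 02 05 0000000000")       # 5-byte INTEGER
TRUNCATED = VALID_GET[:20]                                    # cut mid-message

if __name__ == "__main__":
    print(parse_snmpv1(VALID_GET))
    for name, pkt in [("overlong", OVERLONG_LENGTH), ("indefinite", INDEFINITE_LENGTH),
                      ("oversized-int", OVERSIZED_INT), ("truncated", TRUNCATED)]:
        print(name, "->", check(pkt))
```

The point of the example is the pattern, not the particular limits: each length is compared with the bytes actually present before any slice or copy, integers are rejected rather than silently truncated when they exceed the width the protocol defines, and the parser refuses trailing or indefinite-length data instead of guessing. A daemon built this way turns the tool's encoding, integer and overflow cases into clean rejections rather than crashes.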
The effectiveness of the tool is increased by targeting broadcast
addresses. As a result, the reach of the tool can be greatly extended by
simultaneously attacking many devices.
Recommendations:
The PROTOS SNMP attack tool has proven very effective against networks and
devices that are not protected by firewalls or any type of packet filter.
It is well known that SNMP traffic can be dangerous and should be heavily
filtered at the perimeter.
ISS X-Force recommends that all system administrators immediately assess
their exposure to SNMP traffic (ports 161 and 162 TCP/UDP). Individual
users should assess their exposure or contact their cable modem, DSL
modem, or router vendor to inquire about potential issues. X-Force
recommends that home users consider installing perimeter defenses in the
form of a router with filtering capabilities, and personal firewall
software with intrusion detection capabilities.
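Assessing exposure to SNMP traffic on ports 161 and 162, as the recommendation asks, can be done from flow or firewall logs before any filter is changed. The following audit script is an added example, not part of the bulletin or of any ISS product; it reads constructed flow records (timestamp, protocol, source, destination, destination port) and flags SNMP that arrives from outside the organisation, that is addressed to a subnet broadcast address (the amplification the bulletin warns about), or that comes from an internal host outside the management subnet. The address ranges MGMT_NET, INTERNAL_NETS and LOCAL_SUBNETS are assumed for the example.

```python
"""Audit flow records for SNMP exposure (ports 161/162, TCP or UDP).
Added example with constructed input; address ranges are assumptions."""
import ipaddress
from collections import Counter

SNMP_PORTS = {161, 162}
MGMT_NET = ipaddress.ip_network("10.0.100.0/24")        # assumed: network management hosts
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # assumed: the organisation's space
LOCAL_SUBNETS = [ipaddress.ip_network("10.0.5.0/24"),   # assumed: subnets whose broadcast
                 ipaddress.ip_network("10.0.100.0/24")]  # addresses must never see SNMP
BROADCASTS = {n.broadcast_address for n in LOCAL_SUBNETS} | {
    ipaddress.ip_address("255.255.255.255")}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def classify(line):
    """Return a verdict for one flow record, or None if it is not SNMP.
    Format: <timestamp> <proto> <src> <dst> <dport>."""
    ts, proto, src, dst, dport = line.split()
    if int(dport) not in SNMP_PORTS:
        return None
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in BROADCASTS:
        return "snmp-to-broadcast"        # one packet reaches every host on the subnet
    if not is_internal(src):
        return "snmp-from-external"       # perimeter filter is missing or bypassed
    if int(dport) == 161 and src not in MGMT_NET:
        return "snmp-from-nonmgmt"        # queries should only originate from managers
    if int(dport) == 162 and dst not in MGMT_NET:
        return "trap-to-nonmgmt"          # traps should only go to managers
    return "ok"


def audit(text):
    """Classify every record; return (verdict counts, list of flagged records)."""
    counts, flagged = Counter(), []
    for line in text.splitlines():
        if not line.strip():
            continue
        verdict = classify(line)
        if verdict is None:
            continue
        counts[verdict] += 1
        if verdict != "ok":
            flagged.append((verdict, line))
    return counts, flagged


# Constructed sample records (RFC 5737 documentation addresses for external hosts).
SAMPLE_FLOWS = """\
2002-02-13T14:01:35 udp 10.0.100.7 10.0.5.20 161
2002-02-13T14:01:36 udp 192.0.2.44 10.0.5.20 161
2002-02-13T14:01:37 udp 10.0.5.99 10.0.5.255 161
2002-02-13T14:01:38 udp 10.0.5.20 10.0.100.7 162
2002-02-13T14:01:39 tcp 198.51.100.9 10.0.5.21 161
2002-02-13T14:01:40 udp 10.0.5.20 10.0.5.21 22
"""

if __name__ == "__main__":
    counts, flagged = audit(SAMPLE_FLOWS)
    print(dict(counts))
    for verdict, line in flagged:
        print(verdict, "|", line)
```

Run against real flow exports, the "snmp-from-external" count is the direct measure of perimeter exposure, and any "snmp-to-broadcast" hit indicates exactly the traffic pattern that lets a single sender reach many agents at once. Both TCP and UDP are checked because the bulletin names both.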
Cisco users should be aware of a reported condition in which some Cisco
routers and switches do not filter SNMP packets even when configured to:
if an SNMP community string is defined with an ACL applied to it, and an
'snmp-server host' entry is configured with the same community string,
a packet can be sent to the router or switch that bypasses all ACLs on
the device.
ADDITIONAL INFORMATION
The information has been provided by X-Force <xforce@iss.net>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.