[UNIX] Net-SNMP DoS Vulnerability

From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 2 Oct 2002 23:35:44 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Net-SNMP DoS Vulnerability
------------------------------------------------------------------------

SUMMARY

The Net-SNMP package (http://net-snmp.sourceforge.net), formerly known as
ucd-snmp, is a suite of tools relating to the Simple Network Management
Protocol (SNMP). It includes an extensible agent, an SNMP daemon, tools to
request or set information from SNMP agents, tools to generate and handle
SNMP traps, a version of the UNIX 'netstat' command using SNMP, and a
graphical Perl/Tk/SNMP based mib browser. The SNMP daemon included in the
Net-SNMP package can be crashed if it attempts to process a specially
crafted packet. Exploitation requires foreknowledge of a known SNMP
community string (either read or read/write). This issue potentially
affects any Net-SNMP installation in which the "public" read-only
community string has not been changed.

DETAILS

Vulnerable systems:
 * Net-SNMP versions 5.0.1, 5.0.3 and 5.0.4.pre2

Analysis:
By sending the SNMP daemon a packet without having first set up a session,
a vulnerability in the following segment of code from agent/snmp_agent.c,
handle_var_requests(), line 1,876, can be triggered:

    for (i = 0; i <= asp->treecache_num; i++) {
        reginfo = asp->treecache[i].subtree->reginfo;
        status = netsnmp_call_handlers(reginfo, asp->reqinfo,
                     asp->treecache[i].requests_begin);

Even though "asp->treecache_num" is NULL, the "<=" comparison in the for()
loop allows entry into the block. At that point the SNMP daemon
de-references a NULL pointer and dies with a SIGSEGV. Since the SNMP daemon
must parse the attack packet before reaching this code, an attacker must
pass the appropriate ACL (public/read is sufficient).
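To make the loop-bound problem concrete, the following added C program (not code from the advisory or from the Net-SNMP project) re-creates the quoted loop over a simplified, hypothetical stand-in for the agent's treecache structures. Instead of crashing, the stand-in reports the NULL dereference as -1, and a guarded variant, written here for illustration and not the 5.0.5 patch, shows the check a defender would expect before the pointer is used. The scenarios, struct names and handler names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified, hypothetical stand-ins for the Net-SNMP structures named in the
 * advisory (asp->treecache, treecache_num, subtree->reginfo). Constructed for
 * this example; they are not the project's own definitions. */
struct reginfo_stub  { const char *handler_name; };
struct subtree_stub  { struct reginfo_stub *reginfo; };
struct treecache_ent { struct subtree_stub *subtree; int requests_begin; };

struct agent_session_stub {
    struct treecache_ent treecache[4]; /* fixed-size cache for the example */
    int treecache_num;                 /* index of the last cached subtree */
};

/* Mirrors the quoted loop: "<=" admits index treecache_num even when nothing
 * has been cached. The NULL dereference that the real daemon performs at
 * subtree->reginfo is reported as -1; otherwise the number of handler calls
 * that would be made is returned. */
int walk_treecache_as_quoted(const struct agent_session_stub *asp)
{
    int calls = 0;
    for (int i = 0; i <= asp->treecache_num; i++) {
        const struct subtree_stub *st = asp->treecache[i].subtree;
        if (st == NULL)
            return -1;        /* real daemon: SIGSEGV here */
        calls++;              /* real daemon: netsnmp_call_handlers(st->reginfo, ...) */
    }
    return calls;
}

/* Guarded variant (illustration only, not the vendor fix): skip an empty cache
 * and validate every subtree pointer before it is dereferenced. */
int walk_treecache_guarded(const struct agent_session_stub *asp)
{
    int calls = 0;
    if (asp->treecache_num < 0 || asp->treecache[0].subtree == NULL)
        return 0;             /* nothing cached: nothing to dispatch */
    for (int i = 0; i <= asp->treecache_num; i++) {
        const struct subtree_stub *st = asp->treecache[i].subtree;
        if (st == NULL || st->reginfo == NULL)
            break;            /* stop at the first unpopulated slot */
        calls++;
    }
    return calls;
}

/* Scenario 1 (constructed): a request arrives before any session/cache setup.
 * treecache_num is 0 (the "NULL" the advisory refers to) and every slot is
 * empty, so the quoted loop still enters the block. */
int scenario_no_session(int guarded)
{
    struct agent_session_stub asp = { 0 };
    asp.treecache_num = 0;
    return guarded ? walk_treecache_guarded(&asp)
                   : walk_treecache_as_quoted(&asp);
}

/* Scenario 2 (constructed): a normal request with two cached subtrees; both
 * variants dispatch to both handlers. */
int scenario_two_subtrees(int guarded)
{
    static struct reginfo_stub r0 = { "system" }, r1 = { "interfaces" };
    static struct subtree_stub s0 = { &r0 }, s1 = { &r1 };
    struct agent_session_stub asp = { 0 };
    asp.treecache[0].subtree = &s0;
    asp.treecache[1].subtree = &s1;
    asp.treecache_num = 1;
    return guarded ? walk_treecache_guarded(&asp)
                   : walk_treecache_as_quoted(&asp);
}

int main(void)
{
    printf("no session, as quoted: %d (-1 = would SIGSEGV)\n", scenario_no_session(0));
    printf("no session, guarded:   %d\n", scenario_no_session(1));
    printf("two subtrees, quoted:  %d\n", scenario_two_subtrees(0));
    printf("two subtrees, guarded: %d\n", scenario_two_subtrees(1));
    return 0;
}
```

The point of the two scenarios is that the loop condition alone does not distinguish "one cached subtree at index 0" from "no subtrees at all" once treecache_num is 0, which is why the empty-cache case has to be handled before the loop rather than inside it.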

Workaround and Recovery:
Restart the affected SNMP daemon to restore normal functionality.

Vendor fix and Response:
Net-SNMP 5.0.5 has been released which fixes the described vulnerability.
It is available at
http://sourceforge.net/project/showfiles.php?group_id=12694

Disclosure timeline:
9/01/2002 Issue disclosed to iDEFENSE
9/24/2002 Maintainer of Net-SNMP notified at http://net-snmp.sourceforge.net/
9/24/2002 iDEFENSE clients notified
9/27/2002 Response received from Wes Hardaker,
hardaker@users.sourceforge.net
10/1/2002 Vendor fix made available
10/2/2002 Issue disclosed to public

ADDITIONAL INFORMATION

The information has been provided to iDEFENSE by Andrew Griffiths
(andrewg@d2.net.au).
