[REVS] Achieving Persistent HTML Injection via SNMP on Embedded Devices
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 23 Oct 2008 16:49:11 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Achieving Persistent HTML Injection via SNMP on Embedded Devices
------------------------------------------------------------------------
SUMMARY
A new approach to introducing HTML and/or JavaScript vulnerabilities into
devices has been found. This approach uses SNMP write access to inject
the malicious content into the device, which the device then displays
whenever someone accesses its web management interface.
DETAILS
Introduction:
In our earlier "ZyXEL Gateways Vulnerability Research" paper[1], we
introduced a new technique: SNMP injection a.k.a. persistent HTML
injection via SNMP. Such a technique allowed us to cause a persistent HTML
injection condition on the web management console of several ZyXEL
Prestige router models.
Provided that an attacker has guessed or cracked the write SNMP community
string of a device, he/she would be able to inject malicious code into the
administrative web interface by changing the values of OIDs (SNMP MIB
objects) that are printed on HTML pages.
The purpose behind injecting malicious code into the web console via SNMP
is to fully compromise the device once the page containing the payload is
viewed by the administrator.
When we came up with the SNMP injection technique, we suspected that such
an attack is possible on a large number of embedded devices in use in the
market, as mentioned in some interviews where our research was
featured[2]. Although the SNMP write community string must be guessed or
cracked for this attack to work, it is worth mentioning that some devices
come with SNMP read/write access enabled by default using common community
strings[3] such as 'public', 'private', 'write' and 'cable-docsis'. Some
examples include ZyXEL Prestige router models used in residential and SOHO
networks, Innomedia VoIP gateways[4], some Cisco routers and phone
gateways[5] and other corporate products such as the Proxim Tsunami
devices.
Also, the use of customized but weak SNMP write community strings, and
other weaknesses within the devices' SNMP stack implementations, should be
taken into account when evaluating the feasibility of this attack.
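The two conditions described above (SNMP-sourced strings printed verbatim into the web console, and write access protected only by a well-known community string) can both be checked from the defender's side. The following is an added example, not code from the advisory or from ProCheckUp: it contrasts the vulnerable verbatim rendering with an HTML-escaped one, flags system-group values that already carry markup, and tests a write community string against the default strings named in the advisory. The OID names, the sample values and the function names are constructed for illustration.

```python
import html
import re

# Well-known default write community strings named in the advisory.
DEFAULT_COMMUNITIES = frozenset({"public", "private", "write", "cable-docsis"})

# Characters that indicate an SNMP string value carries markup, not plain text.
MARKUP_RE = re.compile(r"[<>\"'&]|javascript:", re.IGNORECASE)

# Constructed sample: scalar OIDs from the MIB-II system group that a web
# console typically prints on its status page. All values are made up here.
SAMPLE_SYSTEM_GROUP = {
    "sysName.0": "branch-gw-01",
    "sysContact.0": "netops@example.com",
    "sysLocation.0": "Rack 3 <b>bold</b>",   # constructed: contains markup
}


def is_default_write_community(community: str) -> bool:
    """True when the write community string is one of the advisory's defaults."""
    return community.strip().lower() in DEFAULT_COMMUNITIES


def render_unsafe(values: dict) -> str:
    """Vulnerable rendering: SNMP-sourced strings are concatenated into HTML
    verbatim, which is the behaviour the advisory describes on affected devices."""
    rows = "".join(f"<tr><td>{oid}</td><td>{val}</td></tr>" for oid, val in values.items())
    return f"<table>{rows}</table>"


def render_safe(values: dict) -> str:
    """Hardened rendering: every SNMP-sourced string is HTML-escaped before
    it is written into the page, so stored markup is shown as text."""
    rows = "".join(
        f"<tr><td>{html.escape(oid)}</td><td>{html.escape(val, quote=True)}</td></tr>"
        for oid, val in values.items()
    )
    return f"<table>{rows}</table>"


def find_markup(values: dict) -> list:
    """Audit helper: OIDs whose current value contains HTML/JS metacharacters.
    A monitoring job can run this over values polled from each device."""
    return sorted(oid for oid, val in values.items() if MARKUP_RE.search(val))


def audit(values: dict, write_community: str) -> dict:
    """Combine both checks into one per-device report."""
    return {
        "default_write_community": is_default_write_community(write_community),
        "oids_with_markup": find_markup(values),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_SYSTEM_GROUP, "private"))
    print(render_safe(SAMPLE_SYSTEM_GROUP))
```

The escaping in render_safe is the fix a vendor would apply on the device; the audit and community-string checks are what an operator can run today across an inventory of devices whose firmware cannot be changed.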
In order to confirm that this attack affects most SNMP-enabled embedded
devices regardless of model or vendor, we surveyed random embedded devices
that were available in our computer security lab. Overall, we surveyed
network devices from the following vendors:
- Cisco
- Proxim
- 3Com
- ZyXEL
References:
[1] "ZyXEL Gateways Vulnerability Research"
<http://www.procheckup.com/Hacking_ZyXEL_Gateways.pdf>
[2] "SNMP Joins Dark Side in New XSS Attack"
<http://www.darkreading.com/document.asp?doc_id=147014>
[3] "Multiple Vendor SNMP World Writeable Community Vulnerability"
[4] "Digging into SNMP in 2007: An Exercise on Breaking Networks"
<http://www.ernw.de/content/e7/e181/e671/download690/ERNW_026_SNMP_HitB_Dubai_2007_ger.pdf>
[5] "Cisco Security Advisory: DOCSIS Read-Write Community String Enabled
in Non-DOCSIS Platforms"
ADDITIONAL INFORMATION
The information has been provided by <mailto:research@xxxxxxxxxxxxxx>
ProCheckUp Research.
The original article can be found at:
<http://www.procheckup.com/PDFs/SNMP_injection.pdf>