Interpreting SNMP events triggered in BlackICE

From: Robert Graham (robert_david_graham@yahoo.com)
Date: 02/12/02


Date: Tue, 12 Feb 2002 12:49:39 -0800 (PST)
From: Robert Graham <robert_david_graham@yahoo.com>
To: focus-ids@securityfocus.com

The BlackICE IDS contains a full SNMP protocol-decode engine. It is not
vulnerable to the recently announced SNMP vulnerabilities. Indeed, it was
designed precisely to catch such vulnerabilities. I have run the published
PROTOS test-exploit against BlackICE and found the following events trigger.
Attached is my interpretation of these triggered events.

* SNMP Port Probe
Simply triggers on a failed attempt to access UDP port 162. Everyone is going
to see a sharp rise as hackers start scanning for SNMP. If you see this against
a machine that is supposed to support SNMP, then you have a problem. It means
that the victim was crashed by one of the vulnerabilities and has stopped
responding to SNMP. For example, let's say you see an "SNMP community long"
from an attacker, then subsequent "SNMP Port Probes" from your management
station. It means the hacker exploited the vulnerability, and nobody else can
talk to the SNMP agent.

* SNMP community long
Triggers on buffer-overflows within the community-string field. It will also
probably trigger on any format-string attack within the community-string field,
or an extensive number of "@@@@" within the community-string.

* SNMP sysName overflow
Triggers on buffer overflows within the sysName field. This example exploit
chooses sysName as its default value. Some real-world exploits for these
vulnerabilities will use sysName because it may be the only string available to
exploit, others will overflow other values (and won't trigger this signature).

* SNMP Crack
Triggers on repeated failed access with various community strings. This is an
artifact of the sample exploit because it sometimes varies the
community-string, but if an attacker has a single exploit for the
community-string field, it won't trigger. In real-world attacks, this still may
trigger because attackers may need to search for valid community strings.

* SNMP Corrupt
Triggers on some forms of corrupt SNMP packets. Over the years, we have
"weakened" this signature because many products produce corrupt SNMP packets
anyway, producing "false-positives". Because of this, only 0.2% of the packets
in the test exploit trigger this alert.

The following events did not trigger on the sample exploit, but may be
important in real-world exploits:

* SNMP Backdoor
Triggers on one of a list of about 50 community-strings that are well-known
"defaults" or "backdoors" within SNMP implementations. In relation to these
vulnerabilities, the attacker may be attempting to guess one of these
community-strings in order to get a valid password that would then allow a
buffer-overflow/format-string attack.

* SNMP SET sysContact
Triggers on an attempt to write to the "sysContact" field. In relation to these
vulnerabilities, this may indicate an attempted buffer-overflow/format-string attack
against the sysContact field. There is also an SNMP scanner out there that
triggers this.

* SNMP discovery broadcast
Triggers on SNMP broadcasts, indicating possible hostile scans looking for SNMP
devices.

I tested the "TRAP" variant of the sample exploit. I saw the same sorts of
"SNMP community long", "SNMP Corrupt", and "SNMP Crack" exploits. However, it
generates a "UDP Port Probe" for port 162 because there is no specific
signature for this.

Also, if you run the sample exploit very fast, you might get triggers
complaining about the flood of ICMP destination unreachables and the excessive
fragmentation. These are unlikely to trigger in any real-world exploitation of
these SNMP vulnerabilities.

Robert Graham
Lead Architect, Internet Security Systems

PS: We'll be updating the signatures to better differentiate among the attacks;
e.g. there are three separate attacks in the exploit script that trigger "SNMP
community long" that we'll want to split out. We will probably have to
strengthen the "SNMP Corrupt" detection and suffer with the slight increase in
false-positives from normal corrupted traffic from buggy implementations.
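The following is an added example, not code from ISS or the BlackICE engine: a toy SNMPv1/v2c BER decoder with detection rules named after the events described in the message above, so the reader can see what each event is keyed on (community-string length and contents, a SetRequest against sysContact, an oversized sysName value, a decode failure, repeated invalid community strings from one source, a well-known default community). The thresholds (64-byte community, 255-byte sysName, five distinct community strings per source), the two-entry default-community list and the sample datagrams are all constructed for illustration; the criteria of the real signatures are not given in the message.

```python
"""Toy SNMPv1/v2c decoder with detection rules modelled on the BlackICE event names in the
message. Added example, not ISS code: thresholds, default-community list and samples are constructed."""
from collections import defaultdict
SYS_CONTACT = bytes.fromhex("2b06010201010400")  # OID 1.3.6.1.2.1.1.4.0 (sysContact.0), BER-encoded
SYS_NAME = bytes.fromhex("2b06010201010500")     # OID 1.3.6.1.2.1.1.5.0 (sysName.0), BER-encoded
MAX_COMMUNITY = 64                   # constructed threshold for "community long"
MAX_SYSNAME = 255                    # DisplayString upper bound in MIB-II
CRACK_THRESHOLD = 5                  # constructed: distinct invalid communities from one source
DEFAULT_COMMUNITIES = {b"public", b"private"}  # illustrative subset of the well-known defaults

def read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos] -> (tag, value, next_pos); ValueError if malformed."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length exceeds packet")
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):   # yield (tag, value) per TLV; unpacking a wrong count raises ValueError, i.e. "corrupt"
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def parse_snmp(buf):
    """Parse an SNMPv1/v2c message -> dict(community, pdu_type, varbinds=[(encoded_oid, tag, value)])."""
    tag, msg, end = read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("outer SEQUENCE missing or trailing bytes")
    (vtag, _ver), (ctag, community), (pdu_type, pdu) = iter_tlvs(msg)
    if vtag != 0x02 or ctag != 0x04 or not 0xA0 <= pdu_type <= 0xA8:
        raise ValueError("bad message header")
    varbinds = []
    if pdu_type != 0xA4:               # SNMPv1 Trap-PDU has a different body; not decoded here
        *hdr, (ltag, vblist) = iter_tlvs(pdu)   # request-id, error-status, error-index, varbind list
        if ltag != 0x30 or len(hdr) != 3:
            raise ValueError("malformed PDU")
        for tag, vb in iter_tlvs(vblist):
            (otag, oid), (valtag, val) = iter_tlvs(vb)
            if tag != 0x30 or otag != 0x06:
                raise ValueError("malformed varbind")
            varbinds.append((oid, valtag, val))
    return {"community": community, "pdu_type": pdu_type, "varbinds": varbinds}

class SnmpDetector:
    """Stateful inspector: one call per datagram, returns the event names it raises."""
    def __init__(self, valid_communities):
        self.valid = set(valid_communities)
        self.failed = defaultdict(set)  # src -> distinct community strings that were not valid
    def inspect(self, src, packet):
        try:
            msg = parse_snmp(packet)
        except ValueError:
            return ["SNMP Corrupt"]
        events, c = [], msg["community"]
        if len(c) > MAX_COMMUNITY or b"%n" in c or c.count(b"@") > 8:
            events.append("SNMP community long")
        if c in DEFAULT_COMMUNITIES:
            events.append("SNMP Backdoor")
        if c not in self.valid:
            self.failed[src].add(c)
            if len(self.failed[src]) >= CRACK_THRESHOLD:
                events.append("SNMP Crack")
        for oid, _tag, val in msg["varbinds"]:
            if msg["pdu_type"] == 0xA3 and oid == SYS_CONTACT:   # 0xA3 = SetRequest-PDU
                events.append("SNMP SET sysContact")
            if oid == SYS_NAME and len(val) > MAX_SYSNAME:
                events.append("SNMP sysName overflow")
        return events

def tlv(tag, body):                    # encode one BER TLV (bodies up to 65535 bytes) for the samples
    n = len(body)
    ln = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body

def build_snmp(community, pdu_type, varbinds, version=0):  # varbinds: (encoded_oid, value_tag, value)
    vbs = b"".join(tlv(0x30, tlv(0x06, o) + tlv(t, v)) for o, t, v in varbinds)
    pdu = tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x30, vbs)
    return tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x04, community) + tlv(pdu_type, pdu))

def demo():
    """Feed constructed datagrams to the detector; returns {label: events}."""
    det = SnmpDetector(valid_communities=[b"secret"])
    samples = {
        "normal_get": build_snmp(b"secret", 0xA0, [(SYS_NAME, 0x05, b"")]),
        "long_community": build_snmp(b"A" * 200, 0xA0, [(SYS_NAME, 0x05, b"")]),
        "set_syscontact": build_snmp(b"private", 0xA3, [(SYS_CONTACT, 0x04, b"x")]),
        "sysname_overflow": build_snmp(b"secret", 0xA2, [(SYS_NAME, 0x04, b"B" * 300)]),
        "truncated": build_snmp(b"secret", 0xA0, [(SYS_NAME, 0x05, b"")])[:-5],
    }
    results = {k: det.inspect("10.0.0.9", v) for k, v in samples.items()}
    for i in range(CRACK_THRESHOLD):   # one host cycling through distinct community strings
        results["guessing"] = det.inspect("10.0.0.77", build_snmp(b"guess%d" % i, 0xA0, []))
    return results
```

`demo()` returns one event list per constructed datagram: the baseline GetRequest raises nothing, the 200-byte community raises "SNMP community long", the SetRequest with community "private" raises both "SNMP Backdoor" and "SNMP SET sysContact", the 300-byte sysName value raises "SNMP sysName overflow", the truncated datagram raises "SNMP Corrupt", and the fifth distinct invalid community from one host raises "SNMP Crack". "SNMP Port Probe" and "SNMP discovery broadcast" are left out because they depend on transport-level context (a failed delivery to the port, a broadcast destination) that a payload decoder never sees. Note also that an SNMPv1 Trap-PDU is accepted but its body is not walked, so a trap is only checked for the community-string rules, which matches the message's observation that the TRAP variant still produced the community-string events.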
