Exploiting SNMP?

From: foob@return0.net
Date: 02/14/02


Date: Thu, 14 Feb 2002 18:36:58 +0000 (GMT)
From: <foob@return0.net>
To: VULN-DEV@SECURITYFOCUS.COM


Has anyone tried exploiting the SNMP problems disclosed in the recent CERT
notice, and originally investigated by the University of Oulu?

http://www.cert.org/advisories/CA-2002-03.html
http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html

Running the supplied java applet against Windows 2000 causes no service
failure, and no noticeable impact on the system. Sending the raw packet
data to UDP 161 has the same null impact.

On Solaris (7, sparc), the snmpdx agent either stops responding after
certain requests (the daemon stays active, but the MIB is not browsable
anymore), or the daemon aborts with a Bus Error. This latter case can
only be triggered by one packet (#5922) as far as I can tell. What's more,
it doesn't always abort - if some snmpdx is healthy, and has been servicing
valid requests this packet has no impact.

If I understand SNMP correctly, the data in this particular packet
specifies a long OID (by setting each section to some maximum value) and
also specifies a format string (%s%x%n) in the value portion. Replacing
the format string with 'abcdef' does not affect the impact - indicating
that the OID is causing the SIGBUS, not the format string.

Yes the stack is corrupted, with data supplied in the OID.
But the SIGBUS is caused by attempting to dereference a register
containing data from the OID. If this can be bypassed, eventually the
program will jump to our specified location.

The problem (perhaps just my limited knowledge of SNMP and sparc) is that
the data in the packet cannot be modified greatly - most changes to the
'interesting' parts of the OID do not impact the snmpdx service.

Is anyone else looking at exploiting these issues?

The fact I can't recreate the MS problem is a little worrying - they've
released patches, but from here it didn't even look vulnerable!

If people are interested in / working on this, I can forward some more
information on the solaris problem.

- foob
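The post describes two things a defender can check for at the wire before a request reaches an agent: an OID whose sub-identifiers are pushed to extreme counts or values, and a printf-style specifier sitting in a varbind value. The following is an added example, not code from the original post or from any SNMP implementation: a small BER decoder for SNMPv1 GetRequest/GetNextRequest/SetRequest messages that enforces the RFC limits on OIDs (at most 128 sub-identifiers, each fitting in 32 bits) and flags suspicious string values. The packets it is run on are constructed inline with the included encoder; the limits, the list of specifiers and the function names are this example's own assumptions.

```python
"""Defensive SNMPv1 BER checks (added example, not from the original post):
decode a request PDU and report malformed or suspicious varbinds."""

MAX_OID_SUBIDS = 128          # RFC 2578: at most 128 sub-identifiers per OID
MAX_SUBID = 0xFFFFFFFF        # sub-identifiers are unsigned 32-bit values
SUSPICIOUS_VALUE_MARKERS = (b"%n", b"%s", b"%x")   # assumed watch-list


def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the BER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode BER OID contents, enforcing count and width limits."""
    if not raw:
        raise ValueError("empty OID")
    subids = [raw[0] // 40, raw[0] % 40]
    acc, pending = 0, False
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)              # base-128 continuation bytes
        pending = True
        if acc > MAX_SUBID:
            raise ValueError("sub-identifier exceeds 32 bits")
        if not b & 0x80:
            subids.append(acc)
            acc, pending = 0, False
            if len(subids) > MAX_OID_SUBIDS:
                raise ValueError("too many sub-identifiers")
    if pending:
        raise ValueError("unterminated sub-identifier")
    return subids


def inspect_snmpv1(packet):
    """Parse one SNMPv1 request; return a list of findings (empty = clean).
    Structural errors raise ValueError, policy violations are reported."""
    findings = []
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("message is not a SEQUENCE")
    tag, ver, pos = _read_tlv(msg, 0)
    if tag != 0x02 or ver != b"\x00":
        raise ValueError("not SNMPv1")
    tag, _community, pos = _read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("community is not an OCTET STRING")
    tag, pdu, pos = _read_tlv(msg, pos)
    if tag not in (0xA0, 0xA1, 0xA3):              # Get, GetNext, Set
        raise ValueError("unsupported PDU type 0x%02x" % tag)
    p = 0
    for _field in range(3):                        # request-id, error-status, error-index
        tag, _val, p = _read_tlv(pdu, p)
        if tag != 0x02:
            raise ValueError("PDU header field is not an INTEGER")
    tag, varbinds, p = _read_tlv(pdu, p)
    if tag != 0x30:
        raise ValueError("varbind list is not a SEQUENCE")
    vpos = 0
    while vpos < len(varbinds):
        tag, vb, vpos = _read_tlv(varbinds, vpos)
        if tag != 0x30:
            raise ValueError("varbind is not a SEQUENCE")
        tag, oid_raw, q = _read_tlv(vb, 0)
        if tag != 0x06:
            raise ValueError("varbind name is not an OID")
        try:
            decode_oid(oid_raw)
        except ValueError as e:
            findings.append("oid: %s" % e)
        tag, value, _q = _read_tlv(vb, q)
        if tag == 0x04 and any(m in value for m in SUSPICIOUS_VALUE_MARKERS):
            findings.append("value contains printf-style specifier")
    return findings


# --- encoder used only to construct sample packets for the checks above ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(subids):
    out = bytes([subids[0] * 40 + subids[1]])
    for s in subids[2:]:
        chunk = [s & 0x7F]
        s >>= 7
        while s:
            chunk.append(0x80 | (s & 0x7F))
            s >>= 7
        out += bytes(reversed(chunk))
    return out


def build_request(varbinds, pdu_tag=0xA0, community=b"public"):
    body = b"".join(_tlv(0x30, _tlv(0x06, encode_oid(o)) + v) for o, v in varbinds)
    pdu = _tlv(pdu_tag, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00")
               + _tlv(0x02, b"\x00") + _tlv(0x30, body))
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, community) + pdu)


# Constructed samples (not captures from the original post or the PROTOS suite)
NULL = _tlv(0x05, b"")
BENIGN = build_request([((1, 3, 6, 1, 2, 1, 1, 1, 0), NULL)])          # sysDescr.0
LONG_OID = build_request([((1, 3) + (1,) * 200, NULL)])                # 202 sub-ids
WIDE_SUBID = build_request([((1, 3, 6, 1, 2 ** 33), NULL)])            # 33-bit sub-id
FMT_VALUE = build_request([((1, 3, 6, 1, 2, 1, 1, 5, 0), _tlv(0x04, b"%s%x%n"))], 0xA3)

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("long-oid", LONG_OID),
                      ("wide-subid", WIDE_SUBID), ("fmt-value", FMT_VALUE)):
        print(name, inspect_snmpv1(pkt) or "clean")
```

The check deliberately separates structural failures (which raise, because a parser that cannot even frame the message should drop it) from policy findings (returned, so a sensor can log and count them). Tightening the agent's own decoder with the same limits is the mitigation; the wire check only tells you someone is sending such requests.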


