Re: ISS Security Advisory: Hidden community string in SNMP

[sugarat () THUNDERHOLD SUGARAT NET (sugarat)]

> so I went ahead and dug into the agents with a binary editor and found
> the following passwords:
>
> Solaris: all private
> HP: snmpd
>
> These passwords are NOT stored in the snmp.conf, and as far as I can tell from
> testing, cannot be disabled.  I have not tested against the patched versions
> of the Sun binaries - can someone try this community string on the new agents?

I have tried these on a Solaris 2.6 system whose snmpd binary has been
replaced with the binary from HP Openview Network Node Manager B.05.01.
The Solaris install was patched to current in August, and the HP-NNM has
consolidated patch PSOV_02091  installed, and patches PSOV_02131 & PSOV_02134.
I don't recal from the release notes what these patches patched specifically,
but as they were installed on Sep 28, 1998, I assume them to be previous to
this thread.

Using snmpd as the community string did return the results of snmpwalk from
the localhost, using HP's snmpwalk binary.  Using the snmpd community from a
remote host did not return any output.  When using snmpget from a remote host,
errors were returned stating that the mib variables being gotten did not exist.
variables like system.sysObjectId.0 and system.sysUptime.0.

Using the snmpd.conf configured communities retrieved all the data without a
problem.  This was tested on the only two Solaris machines that I have access
to, both with HP's snmpd binary, both have the same level of vulnerability.
(ie, using the snmpd comm, data was only retrievable from the localhost)

More informations as it becomes available.

Thanks,

Tim

--
Timothy Kennedy                 |       Erol's Internet Service
Network Administrator           |       1-703-321-8000 ext. 2224
sugarat () erols com               |       http://www.erols.com