Bugtraq mailing list archives

Re: NAI-30: Windows NT SNMP Vulnerabilities


From: dhg () ES2 NET (Dave G.)
Date: Wed, 18 Nov 1998 11:51:11 -0800



When the SNMP Service is installed, the default configuration that is
provided leaves the system vulnerable to attack.  In the default
configuration the SNMP service answers to a single SNMP community
``public'', which is given read-write permissions.  The community
is a name that is used much like an account name or a password to
restrict who can access the SNMP functions and in what capacity.
SNMP provides two levels of access, read-only and read-write.  The
Windows NT SNMP Service prior to Service Pack 4 does not allow
communities to be configured as read-only, so all SNMP communities
have the ability to write.


There is another dangerous 'feature' with regards to SNMP community names
under Windows NT 4.0 (SP3).  If SNMP is enabled, and there are no
community names configured (under Settings -> Control Panel -> Network
-> Services -> SNMP Service -> Security -> Accepted Community Names)
any community name will be valid, and will (obviously) have read/write
privileges.  I was unable to find anything that documented this behavior,
and as you can imagine, I was quite surprised when I accidentally
discovered this.

Dave G.

---
Dave Goldsmith
<dhg () es2 net>
Cambridge Technology Partners
Enterprise Security Services
http://www.es2.net
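The two behaviours described in the message above (a community string that acts as the only credential, and an agent that accepts any string when none is configured) can be checked from the network with a few raw SNMPv1 packets. The following Python script is an added example for this thread; it is not code from Dave G.'s post or from the NAI advisory. It builds SNMPv1 GetRequest and SetRequest messages by hand (BER encoding per RFC 1157), decodes the reply, and classifies what a given community grants: "rejected" when the agent never answers (RFC 1157 agents discard a message whose community they do not recognise), "read-only" when the Get is answered but the Set is refused, and "read-write" when the Set succeeds. The write test rewrites sysContact.0 to its own current value, so it changes nothing on the target, but it is still a Set and should only be sent to hosts you are authorised to test. The OIDs are standard MIB-II; the target host, port 161 and the sample reply used for the offline check are assumptions.

```python
"""Raw SNMPv1 community probe (added example, standard library only).
Sends GetRequest / SetRequest PDUs for one community string and reports
whether the agent rejects it, answers reads only, or also accepts writes."""
import socket

# Standard MIB-II OIDs (assumed for this example): sysDescr.0 to read,
# sysContact.0 for a harmless write (set to its own current value).
SYS_DESCR = "1.3.6.1.2.1.1.1.0"
SYS_CONTACT = "1.3.6.1.2.1.1.4.0"
GET_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA2, 0xA3


def _len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def enc_int(v):
    """INTEGER as minimal-length two's complement."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))


def enc_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return _tlv(0x06, bytes(body))


def build_pdu(community, pdu_type, varbinds, request_id=1, error_status=0):
    """SNMPv1 Message ::= SEQUENCE { version 0, community, PDU }.
    varbinds: list of (dotted OID, already-BER-encoded value)."""
    vbl = b"".join(_tlv(0x30, enc_oid(oid) + val) for oid, val in varbinds)
    pdu = enc_int(request_id) + enc_int(error_status) + enc_int(0) + _tlv(0x30, vbl)
    return _tlv(0x30, enc_int(0) + _tlv(0x04, community.encode()) + _tlv(pdu_type, pdu))


def build_get(community, oid, request_id=1):
    return build_pdu(community, GET_REQUEST, [(oid, b"\x05\x00")], request_id)


def build_set_string(community, oid, text, request_id=1):
    return build_pdu(community, SET_REQUEST, [(oid, _tlv(0x04, text.encode()))], request_id)


def _read_tlv(buf, pos):
    """Return (tag, body, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _dec_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_message(data):
    """Decode an SNMPv1 message; varbinds come back as (oid, tag, raw value)."""
    _, msg, _ = _read_tlv(data, 0)
    _, ver, p = _read_tlv(msg, 0)
    _, comm, p = _read_tlv(msg, p)
    pdu_type, pdu, _ = _read_tlv(msg, p)
    _, rid, p = _read_tlv(pdu, 0)
    _, est, p = _read_tlv(pdu, p)
    _, eidx, p = _read_tlv(pdu, p)
    _, vbl, _ = _read_tlv(pdu, p)
    varbinds, p = [], 0
    while p < len(vbl):
        _, vb, p = _read_tlv(vbl, p)
        _, oid, q = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, q)
        varbinds.append((_dec_oid(oid), vtag, vbody))
    return {"version": int.from_bytes(ver, "big", signed=True), "community": comm.decode(),
            "pdu_type": pdu_type, "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(est, "big", signed=True),
            "error_index": int.from_bytes(eidx, "big", signed=True), "varbinds": varbinds}


def classify(get_reply, set_reply):
    """Map the two replies (bytes, or None on timeout) to an access level.
    An agent that discards the Get does not recognise the community."""
    if get_reply is None:
        return "rejected"
    if set_reply is not None and parse_message(set_reply)["error_status"] == 0:
        return "read-write"
    return "read-only"


def probe(host, community, port=161, timeout=2.0):
    """Get sysContact.0, then Set it back to the same value, and classify."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)

    def exchange(packet):
        sock.sendto(packet, (host, port))
        try:
            return sock.recvfrom(4096)[0]
        except socket.timeout:
            return None

    get_reply = exchange(build_get(community, SYS_CONTACT, request_id=1))
    set_reply = None
    if get_reply is not None:
        vbs = parse_message(get_reply)["varbinds"]
        if vbs and vbs[0][1] == 0x04:  # OCTET STRING: rewrite the current value
            current = vbs[0][2].decode(errors="replace")
            set_reply = exchange(build_set_string(community, SYS_CONTACT, current, request_id=2))
    return classify(get_reply, set_reply)


if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    community = sys.argv[2] if len(sys.argv) > 2 else "public"
    print(host, repr(community), "->", probe(host, community))
```

Run it twice against a box under test: once with "public" and once with a random string such as "x9k2q". On an NT 4.0 SP3 host with no Accepted Community Names configured, the random string comes back "read-write", which is the undocumented behaviour reported above; on any pre-SP4 host a recognised community never reports "read-only", because the service has no read-only permission to grant.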


