Bugtraq mailing list archives
Re: Microsoft Windows NT & 2000 SNMP Registry Key Modification Vulnerability
From: David LeBlanc <dleblanc () MINDSPRING COM>
Date: Fri, 8 Dec 2000 16:57:52 -0800
There are some omissions, and a couple of corrections that need to be made.

At 10:46 PM 12/7/2000 -0800, Elias Levy wrote:

> Title: Microsoft Windows NT & 2000 SNMP Registry Key Modification Vulnerability
>
> The SNMP service in Windows NT 4.0 and 2000 enables the remote management of the computer. Loose permissions in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters allow malicious users with access to the registry to read the SNMP community names stored in the ValidCommunities key value. This allows the malicious users to manage the computer via SNMP.
Malicious users also can sniff the network and obtain these same strings. This is one of many reasons that my friend Mike Warfield refers to SNMP as Security Not My Problem. The protocol (at least v1) is inherently insecure. It hardly seems to be worthwhile to go to a lot of trouble trying to secure something that is normally broadcast in the clear all over the network.
> The malicious users could also change the community names by modifying the registry key thus denying authorized users access to the machine via SNMP.
Actually, this is incorrect (which also needs to be corrected in the source bulletin). By default, the permissions on this section of the registry resolve to:

admins: F
server ops: change
everyone: R

There are slight variations between Win2k and NT 4.0, and they depend on the role of the system, but the above is a reasonable summary. So by default, users cannot change these strings.

Another point would be what the strings actually get you. Unless the community string allows write access, the users can't manage anything, just gather information. The information which is made available by only a read-only community string would normally be freely available to local users in any case.

Furthermore, the summary (but not the original bulletin) also leaves out the important point of remote access to this portion of the registry. Windows 2000 (both Pro and Server) does not allow remote non-admin access to this portion of the registry. NT 4.0 Server behaves the same way. NT 4.0 Workstation depends upon whether one of the last registry patches has been applied. Understanding the remote implications of this issue is important.
> Credit: Discovered by Chris Anley from @stake (http://www.atstake.com) and posted in a Microsoft Security Bulletin (MS00-095) and (MS00-096) on Dec 6, 2000.
Another reference which should be cited is http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9811&L=NTBUGTRAQ&P=R2115

In that post, dated 11/17/1998, NAI states:

"The SNMP Service parameters are stored in the registry and are readable by all users. A user with an account on the system can read the list of configured community names and use the community name to access the SNMP Service."

A further reference is the Internet Security Systems' Internet Scanner help system, and I cite v4.3.2 (I don't recall whether I put that check in earlier versions - they're currently at 6.x):

Windows NT SNMP Community Name

Windows NT exports a large amount of information through SNMP, including shares, user names, and the status of running services. The only authentication available is by knowing the community name, which is stored in the registry under System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities. If this information is readable by everyone, an intruder could gather information which is normally only available to administrator level users. Set permissions on this key to allow access to administrators and system only.

Note that the modification date on that helpfile was Wednesday, July 02, 1997, 1:00:00 PM. To say that Chris discovered this issue is a bit of a stretch when there are at least two publicly available references that substantially predate this announcement. The archives of the ISS original ntsecurity mailing list seem to be lost, but I know I discussed this issue prior to adding it to the Scanner. Given that many other security auditing tools are surely a superset of what the ISS Scanner checked for 3 years ago, I'd bet a check for permissions on this key is in other shipping products as well.
I'm glad that the default permissions on these keys have finally been changed to something more appropriate, but the fact of the matter is that the underlying protocol is insecure, and IMNSHO, merely changing permissions on a few registry keys is not going to be much real help if you choose to allow SNMP communities with write access on your network. There are too many alternative ways to obtain the same information.

David LeBlanc
dleblanc () mindspring com
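Added example, not part of David LeBlanc's post or of the bulletins and scanner documentation it cites: a PowerShell script that checks the two things the post says actually matter about this key, namely which of the configured community strings are write-capable (the ones that let a holder manage the box rather than just read from it) and which principals other than Administrators and SYSTEM can read the key at all, with an optional -Harden switch that applies the ACL the ISS help text recommends. It assumes Windows 2000 or later, where ValidCommunities stores each community name as a value whose DWORD data encodes its rights (1 = NONE, 2 = NOTIFY, 4 = READ ONLY, 8 = READ WRITE, 16 = READ CREATE); NT 4.0 stored the list in a different layout and is not handled. The trusted principal names and the rights table are the script's own assumptions, and it must run from an elevated shell to rewrite the ACL.

```powershell
# Added example (not from the original post): audit, and optionally harden,
# the ACL on the SNMP ValidCommunities key that the thread is about.
# Assumptions: Windows 2000 or later value layout (community name -> DWORD
# rights), the rights table below, and the two principal names in $trusted.
[CmdletBinding()]
param(
    [switch]$Harden   # rewrite the ACL to Administrators + SYSTEM only
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities'
$RightNames = @{ 1 = 'NONE'; 2 = 'NOTIFY'; 4 = 'READ ONLY'; 8 = 'READ WRITE'; 16 = 'READ CREATE' }
$trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

if (-not (Test-Path $KeyPath)) {
    Write-Warning "SNMP service not configured: $KeyPath does not exist."
    return
}

# 1. List the community names and the access each one grants. Only a
#    write-capable community (READ WRITE or READ CREATE) lets the holder
#    manage the machine; read-only ones just leak what local users can see.
$key = Get-Item -Path $KeyPath
foreach ($name in $key.GetValueNames()) {
    $rights = [int]$key.GetValue($name)
    $label = if ($RightNames.ContainsKey($rights)) { $RightNames[$rights] } else { "UNKNOWN($rights)" }
    $flag = if ($rights -ge 8) { '   <-- write-capable' } else { '' }
    Write-Output ("Community '{0}': {1}{2}" -f $name, $label, $flag)
}

# 2. Check who can read the key. Any Allow ACE for a principal outside
#    $trusted that carries QueryValues and applies to this key itself
#    (not an inherit-only ACE for future subkeys) exposes every name above.
$acl = Get-Acl -Path $KeyPath
$queryValues = [int][System.Security.AccessControl.RegistryRights]::QueryValues
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$exposed = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $trusted -notcontains $_.IdentityReference.Value -and
    -not $_.PropagationFlags.HasFlag($inheritOnly) -and
    (([int]$_.RegistryRights) -band $queryValues) -ne 0
})
if ($exposed.Count -eq 0) {
    Write-Output 'ACL check: only Administrators and SYSTEM can read the key.'
} else {
    foreach ($ace in $exposed) {
        Write-Output ("ACL check: readable by {0} ({1})" -f $ace.IdentityReference, $ace.RegistryRights)
    }
}

# 3. Optional hardening: cut inheritance from the parent key so the loose
#    default does not flow back down, drop every explicit ACE, then grant
#    Administrators and SYSTEM full control and nothing else.
if ($Harden -and $exposed.Count -gt 0) {
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    foreach ($principal in $trusted) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $KeyPath -AclObject $acl
    Write-Output 'ACL rewritten: Administrators and SYSTEM only.'
}
```

Run it without arguments first and read the output: a box whose only communities are READ ONLY and whose ACL already excludes Everyone is, per the post, not gaining much from the registry fix, because the same strings travel in cleartext in every SNMPv1 packet on the wire; a READ WRITE community is the finding to act on regardless of what the ACL says.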