Security Incidents mailing list archives

Re: RES: SNMP vulnerability test?


From: Eric Brandwine <ericb () UU NET>
Date: 14 Feb 2002 18:59:52 +0000

"mbl" == Marcelo Barbosa Lima <mblima () opencs com br> writes:

mbl>    These multi-vendor vulnerabilities found and advertised in CERT
mbl> scare me. Do you think that it is possible that someone (in the black hat
mbl> community) could create a powerful worm exploring them? I think that
mbl> it is possible. Several network elements (routers, switches...) and
mbl> operating systems could be compromised on the Internet quickly, instead
mbl> of only HTTP services like in Code Red. What do you think about it?

You will see a worm.  However, the odds of routers/switches/printers
ever being compromised are low.  It's hard to develop overflow sploits
for devices for which you have neither debuggers nor source code.
They'll crash, but nobody will root them.

This will be an interesting worm.  These SNMP vulnerabilities can be
used either as an infection vector, or as an attack.  If they're used
as the infection vector, it will be most interesting.  Devices tend to
die with the same packets from the toolkit.  This means that your
packet that will root a RedHat box running on Intel will crash a
Cisco, or a Sun, perhaps.  Random poking with this exploit will net
more downtime than shells, and will not be very productive.  So to use
it as an infection vector, careful network mapping will be required.

It'll also appear as an attack from the worm.  This is more likely to
be truly terrifying.  Single packet DoS, spoofed source.

I'd worry more about targeted attacks.  Many boxes are vulnerable, and
attackers have already mapped out most large networks.  Either a
widespread DoS using the worm and SNMP as the attack, or small targeted
attacks against critical systems.  One you'll see in lights, the
other, you'll never know about.  Both will keep you up late at night.

ericb
-- 
Eric Brandwine     |  When I was a kid and Mom asked me to clean my room, I
UUNetwork Security |  didn't really clean it, I just 'formatted' it.
ericb () uu net       |
+1 703 886 6038    |      - Jay Heiser
Key fingerprint = 3A39 2C2F D5A0 FC7C  5F60 4118 A84A BD5D  59D7 4E3E

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

