Security Incidents mailing list archives
Re: RES: SNMP vulnerability test?
From: Eric Brandwine <ericb () UU NET>
Date: 14 Feb 2002 18:59:52 +0000
"mbl" == Marcelo Barbosa Lima <mblima () opencs com br> writes:
mbl> These multi vendor vulnerabilities found and advertised in CERT mbl> scare me. Do you think that it is possible that someone (in black hat mbl> comunity) could to create a powerful worm exploring them? I think that mbl> it is possible. Several network´s elements (routers, swiches...) and mbl> operating systems could be compromised in the Internet quickly, instead mbl> of only HTTP services like in Code Red. What do you think it? You will see a worm. However, the odds of routers/switches/printers ever being compromised is low. It's hard to develop overflow sploits for devices for which you have neither debuggers nor source code. They'll crash, but nobody will root them. This will be an interesting worm. These SNMP vulnerabilities can be used either as an infection vector, or as an attack. If they're used as the infection vector, it will be most interesting. Devices tend to die with the same packets from the toolkit. This means that your packet that will root a RedHat box running on Intel will crash a Cisco, or a Sun, perhaps. Random poking with this exploit will net more downtime than shells, and will not be very productive. So to use it as an infection vector, careful network mapping will be required. It'll also appear as an attack from the worm. This is more likely to be truly terrifying. Single packet DoS, spoofed source. I'd worry more about targeted attacks. Many boxes are vulnerable, and attackers have already mapped out most large networks. Either a wide spread DoS using the worm and SNMP as the attack, or small targeted attacks against critical systems. One you'll see in lights, the other, you'll never know about. Both will keep you up late at night. ericb -- Eric Brandwine | When I was a kid and Mom asked me to clean my room, I UUNetwork Security | didn't really clean it, I just 'formatted' it. ericb () uu net | +1 703 886 6038 | - Jay Heiser Key fingerprint = 3A39 2C2F D5A0 FC7C 5F60 4118 A84A BD5D 59D7 4E3E ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- RES: SNMP vulnerability test? Marcelo Barbosa Lima (Feb 14)
- Re: RES: SNMP vulnerability test? Eric Brandwine (Feb 14)
- Re: SNMP vulnerability test? Jean-Luc (Feb 14)