Security Incidents mailing list archives

Re: RES: SNMP vulnerability test?


From: John Beuke <jbeuke () msn com>
Date: 12 Oct 2002 15:50:55 -0000

In-Reply-To: <gu97kpfevo7.fsf () rampart argfrp us uu net>

Everything I have read concerning SNMP vulnerabilities and printers refers 
to the Community Name and the fact that most vendors have no method for 
allowing Administrators to change those strings. Is it possible for an 
attacker to use default community names of printers to gain access to 
other parts of the enterprise? Some of the data I have read states that 
attacking the printer MIB using the community string for the printer will 
only allow attackers to joy ride around the print server and printers. 
Then other data states that the printer's community string will allow 
attackers to obtain the HTTP passwords and other network access passwords. 
99% of those devices listed were just HP printers, and it did not state that 
these printers had the ability to network scan, scan to email, or scan to 
desktop. This brings another caveat into the mix, in that these systems use 
HTTP, SMTP and other ports. Has anyone seen, heard of, or got any data on 
vulnerabilities with these systems?

John Beuke




"mbl" == Marcelo Barbosa Lima <mblima () opencs com br> writes:

mbl>   These multi vendor vulnerabilities found and advertised in CERT
mbl> scare me. Do you think that it is possible that someone (in the black hat
mbl> community) could create a powerful worm exploring them? I think that
mbl> it is possible. Several network elements (routers, switches...) and
mbl> operating systems could be compromised in the Internet quickly, instead
mbl> of only HTTP services like in Code Red. What do you think?

You will see a worm.  However, the odds of routers/switches/printers
ever being compromised is low.  It's hard to develop overflow sploits
for devices for which you have neither debuggers nor source code.
They'll crash, but nobody will root them.

This will be an interesting worm.  These SNMP vulnerabilities can be
used either as an infection vector, or as an attack.  If they're used
as the infection vector, it will be most interesting.  Devices tend to
die with the same packets from the toolkit.  This means that your
packet that will root a RedHat box running on Intel will crash a
Cisco, or a Sun, perhaps.  Random poking with this exploit will net
more downtime than shells, and will not be very productive.  So to use
it as an infection vector, careful network mapping will be required.

It'll also appear as an attack from the worm.  This is more likely to
be truly terrifying.  Single packet DoS, spoofed source.

I'd worry more about targeted attacks.  Many boxes are vulnerable, and
attackers have already mapped out most large networks.  Either a wide
spread DoS using the worm and SNMP as the attack, or small targeted
attacks against critical systems.  One you'll see in lights, the
other, you'll never know about.  Both will keep you up late at night.

ericb
-- 
Eric Brandwine     |  When I was a kid and Mom asked me to clean my room, I
UUNetwork Security |  didn't really clean it, I just 'formatted' it.
ericb () uu net       |
+1 703 886 6038    |      - Jay Heiser
Key fingerprint = 3A39 2C2F D5A0 FC7C  5F60 4118 A84A BD5D  59D7 4E3E

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


