nanog mailing list archives
Re: Malformed SNMP Packet log/trace
From: Richard A Steenbergen <ras () e-gerbil net>
Date: Tue, 26 Feb 2002 19:12:59 -0500
On Tue, Feb 26, 2002 at 06:41:22PM -0500, Sean Donelan wrote:
> On 26 Feb 2002, Eric Brandwine wrote:
> > Go to the Oulu University page mentioned in the advisory. Download the 4 .jar files that comprise the toolkit. Unzip the jar files. There'll be a testcases/ dir in each of them. Each file in this directory is one of their packets. There are 53,000 of them. Have fun!
>
> And to keep things exciting, programmers rarely make mistakes in only one protocol. Turing still holds. It wouldn't be surprising if other packets can do bad things when "this should never happen" happens. Who is checking NTP, OSPF, ISIS, BGP, SSH, DNS, TELNET, TACACS+, etc. code paths?

A lot of those protocols have people looking at them on a regular basis, and they still manage to come up with obscure exploits no one else noticed (ex: 23mb of buffer overflows to exploit telnetd). On the other hand, a lot of those protocols (and more specifically their implementations in routers) have probably never seen the light of day, and are so rotten we are all better off keeping them covered up. I'm certain that more than enough people here can attest to the fact that it doesn't take much in the way of "unexpected packets" before certain vendors' BGP implementations start wigging.

Of course, it is up to the user to decide if they would rather have a product with 50,000 holes that script kiddies don't know about, or a product with 100 holes that they do. Most days security through obscurity works just fine, but the days that it doesn't really suck.

But SNMP is special. It has the distinct honor of being one of those protocols which has daylight all around it and yet somehow manages to stay under a rock. I attribute this to what I like to call the "Upchuck Code Barrier", namely that very few people have the intestinal fortitude to look at the existing implementations without hurling their lunch. This severely limits the number of exploits which are written. :)

</rant>

--
Richard A Steenbergen <ras () e-gerbil net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)