Vulnerability Development mailing list archives
Re: Router worm exploiting poor SNMP security.
From: Bill Pennington <billp () boarder org>
Date: Wed, 13 Dec 2000 08:16:27 -0800
I am not much of a coder, but getting a piece of code to do what you are talking about on a router might be a little difficult. Executing the code on a PC with an OS is easy; getting the code to execute on a router with some router OS is not. I do not believe that the SNMP agents on most routers provide the functionality you are looking for.

The "public" SNMP community string is generally a read-only string (at least on Cisco boxen), so you would not be able to use that to write anything to the router. You could make it brute force known SNMP strings, but that would set off a few alarms, I am sure.

Pretty neat idea though. I am hoping that most internet attached routers would not have a read/write string of public, but I am probably wrong.

"Lars Nygård" wrote:
Is it possible to write a worm for routers that spreads via SNMP? I'm guessing this is way too easy to do. This is based on my knowledge of Nortel routers, and low security awareness among people when it comes to routers.

I will utilize the following weaknesses:

1. Nortel/Bay routers use by default SNMP community string "public" as read/write for everyone.
2. Nearby routers are often included in access lists.
3. SNMP is not a secure protocol.

Let's say I write a little program, or batch script, that starts by taking advantage of this.

- This little script takes a look at which SNMP communities are stored in the router MIB and writes this to a file.
- Next step is to look for other routers nearby by looking at my routing table, OSPF neighbours etc.
- Then my script checks to see if any of the communities it found are read/write on any nearby routers by sending an SNMP packet.
- If a read/write community is found, it uploads the list of known communities and itself to the nearby router. Then it executes the script on that router.
- Then my script leaves a text file saying "I was here" and deletes itself (or potentially deletes all files and schedules a boot at 1. January 2000, but that would be mean).

Two questions:

Can anyone tell me any reason why this can't work? I base this upon my knowledge of Nortel routers and BayRS.

Is there any reason why a similar procedure can't work with Cisco?

-- Lars Nygard
-- Bill Pennington - CISSP
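
A defensive check for the weaknesses discussed in this thread, as an added example that is not part of either message: a Python audit of Cisco IOS-style `snmp-server community` lines that flags well-known community strings and write access with no access list. The function name, the `WELL_KNOWN` set and the sample configuration are assumptions constructed for illustration.

```python
import re

# Default-style community names; "public" is the one named in the thread,
# "private" is an assumed addition for this example.
WELL_KNOWN = {"public", "private"}
COMMUNITY_RE = re.compile(r"^\s*snmp-server\s+community\s+(\S+)(.*)$", re.I)

def audit_snmp_communities(config_text):
    """Map each community string to a list of findings (empty list = clean)."""
    report = {}
    for line in config_text.splitlines():
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        community, tokens = m.group(1), m.group(2).split()
        access, acl, i = "ro", None, 0   # IOS defaults to read-only
        while i < len(tokens):
            tok = tokens[i].lower()
            if tok in ("ro", "rw"):
                access = tok
            elif tok == "view":
                i += 1                    # skip the view name
            else:
                acl = tokens[i]           # trailing access-list reference
            i += 1
        findings = []
        if community.lower() in WELL_KNOWN:
            findings.append("well-known community string")
        if access == "rw" and acl is None:
            findings.append("write access with no access list")
        if access == "rw" and community.lower() in WELL_KNOWN:
            findings.append("guessable string grants write access")
        report[community] = findings
    return report

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
snmp-server community private RW
snmp-server community Kq7-opsWrite RW 10
snmp-server community Zr2-monitor view sysonly RO 20
"""

if __name__ == "__main__":
    for name, findings in audit_snmp_communities(SAMPLE_CONFIG).items():
        print(name, "->", findings or "ok")
```

A clean result does not mean the access list is tight: as the quoted post notes, nearby routers are often included in access lists, so the referenced list still needs review.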