Vulnerability Development mailing list archives

Re: Router worm exploiting poor SNMP security.


From: Bill Pennington <billp () boarder org>
Date: Wed, 13 Dec 2000 08:16:27 -0800

I am not much of a coder but getting a piece of code to do what you are
talking about on a router might be a little difficult. Executing the
code on a PC with an OS is easy, getting the code to execute on a router
with some router OS is not. I do not believe that the SNMP agents on
most routers provide the functionality you are looking for. The
"public" SNMP community string is generally a read only string (at least
on Cisco boxen) so you would not be able to use that to write anything
to the router. You could make it brute force known SNMP strings but that
would set off a few alarms I am sure.

Pretty neat idea though. I am hoping that most internet attached routers
would not have a read/write string of public, but I am probably wrong.

"Lars Nygård" wrote:

Is it possible to write a worm for routers that
spreads via SNMP? I'm guessing this is way too
easy to do. This is based on my knowledge of Nortel
routers, and low security awareness among people
when it comes to routers:
I will utilize the following weaknesses.
1. Nortel/Bay routers use by default SNMP
community string "public" as read/write for everyone.
2. Nearby routers are often included in access lists
3. SNMP is not a secure protocol.

Let's say I write a little program, or batch script that
starts by taking advantage of this.
- This little script takes a look at which snmp
communities are stored in the router MIB and writes
this to a file.
- Next step is to look for other routers nearby by
looking at my routing table, ospf neighbours etc.
- Then my script checks to see if any of the
communities it found, are read/write on any nearby
routers by sending a SNMP packet.
- If a read/write community is found, it uploads the list
of known communities and itself to the nearby router.
Then it executes the script on that router.
- Then my script leaves a text file saying "I was here"
and deletes itself. (or potentially deletes all files and
schedules a boot at 1 January 2000, but that would
be mean)

Two questions:
Can anyone tell me any reason why this can't work?

I base this upon my knowledge of Nortel routers and
BayRS. Is there any reason why a similar procedure
can't work with Cisco?

-- Lars Nygard

--


Bill Pennington - CISSP
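As an added illustration, not part of this thread, here is what the weak default Lars describes and the read-only, access-list-restricted setup Bill refers to look like in Cisco IOS configuration syntax; the management station address, the ACL number and the community strings are placeholders:

```text
! Weak: the well-known community "public" with read/write access, accepted
! from any source. This is the default Lars describes on Nortel/Bay routers;
! on IOS it only exists if someone configures it explicitly.
snmp-server community public RW

! Hardened alternative (assumed values: manager 192.0.2.10, standard ACL 10,
! community strings are placeholders to be replaced with long random values).
! 1. Only the management station may talk to the agent; log everything else.
access-list 10 permit host 192.0.2.10
access-list 10 deny any log
! 2. A read-only community bound to that ACL, and no read/write community at all.
snmp-server community CHANGE-ME-RO-COMMUNITY RO 10
! 3. Raise an authentication-failure trap on every wrong community string,
!    which is the alarm Bill expects a brute-force attempt to trigger.
snmp-server enable traps snmp authentication
snmp-server host 192.0.2.10 version 2c CHANGE-ME-TRAP-COMMUNITY
```

If the router does not need to be managed over SNMP at all, `no snmp-server` removes the agent entirely, which also closes the propagation path the thread discusses.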

