Vulnerability Development mailing list archives

Re: Router worm exploiting poor SNMP security.


From: Dragos Ruiu <dr () KYX NET>
Date: Wed, 13 Dec 2000 10:07:05 -0800

This would only be possible if there was a method of
executing programmatic instructions via SNMP MIBs.
There have been related vulnerabilities (like manipulating
processes in Solaris via SNMP), but I would assume
this is rare.  Most SNMP vulnerabilities are of the
information leakage variety.

And writing router worms faces difficulties with the many
versions of routers out there... even if you were to
stick to relatively garden-variety IOS you would have
to deal with many model and installation specific
architecture differences. (I did some feasibility
studies on this a while back...   :-)

cheers,
--dr

On Tue, 12 Dec 2000, Lars Nygård wrote:
Is it possible to write a worm for routers that
spreads via SNMP?  I'm guessing this is way too
easy to do. This is based on my knowledge of Nortel
routers, and low security awareness among people
when it comes to routers:
I will utilize the following weaknesses.
1. Nortel/Bay routers use by default the SNMP
community string "public" as read/write for everyone.
2. Nearby routers are often included in access lists.
3. SNMP is not a secure protocol.

Let's say I write a little program, or batch script, that
starts by taking advantage of this.
- This little script takes a look at which snmp
communities are stored in the router MIB and writes
this to a file.
- Next step is to look for other routers nearby by
looking at my routing table, ospf neighbours etc.
- Then my script checks to see if any of the
communities it found are read/write on any nearby
routers by sending an SNMP packet.
- If a read/write community is found, it uploads the list
of known communities and itself to the nearby router,
then executes the script on that router.
- Then my script leaves a text file saying "I was here"
and deletes itself. (or potentially deletes all files and
schedules a boot at 1. january 2000, but that would
be mean)

Two questions:
Can anyone tell me any reason why this can't work?

I base this upon my knowledge of Nortel routers and
BayRS. Is there any reason why a similar procedure
can't work with Cisco?

-- Lars Nygard
--
Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net
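The weakness the thread turns on is a SetRequest accepted under a default community such as "public". As an added example that is not part of either post, here is a small defender-side SNMPv1 BER parser that pulls the community and PDU type out of a UDP/161 payload and flags writes riding on a default community; the sample messages are constructed inline (the `tlv`, `build_sample` and other helper names are this example's own).

```python
# Minimal SNMPv1 BER parser for flagging write attempts that use default
# community strings; added example, not code from the thread. Constructed
# sample messages below stand in for captured UDP/161 payloads.
DEFAULT_COMMUNITIES = {"public", "private"}          # well-known defaults
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

def tlv(tag, value):
    """Encode one BER TLV (short-form length, enough for small test messages)."""
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):
    """Decode the BER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmpv1(payload):
    """Return version, community string and PDU type of an SNMPv1 message."""
    tag, body, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(body, 0)                    # INTEGER version (0 = v1)
    _, community, pos = read_tlv(body, pos)            # OCTET STRING community
    pdu_tag, _, _ = read_tlv(body, pos)                # context-tagged PDU
    return {"version": int.from_bytes(ver, "big"),
            "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag))}

def is_default_write(msg):
    """True when a SetRequest rides on a default community: the weakness in the thread."""
    return msg["pdu"] == "SetRequest" and msg["community"] in DEFAULT_COMMUNITIES

def build_sample(pdu_tag, community):
    """Constructed SNMPv1 message touching sysName.0 (1.3.6.1.2.1.1.5.0)."""
    varbind = tlv(0x30, tlv(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 5, 0])) + tlv(0x04, b"x"))
    pdu = tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x30, varbind)
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community.encode()) + tlv(pdu_tag, pdu))

if __name__ == "__main__":
    for sample in (build_sample(0xA3, "public"), build_sample(0xA0, "public"),
                   build_sample(0xA3, "s3cr3t-rw")):
        m = parse_snmpv1(sample)
        print(m, "ALERT" if is_default_write(m) else "ok")
```

Feeding real captures through `parse_snmpv1` and alerting on `is_default_write` gives a cheap way to notice the community-string writes the post describes; v2c messages share the same outer layout, v3 does not.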

