Vulnerability Development mailing list archives
Re: Router worm exploiting poor SNMP security.
From: Dragos Ruiu <dr () KYX NET>
Date: Wed, 13 Dec 2000 10:07:05 -0800
This would only be possible if there was a method of executing programmatic instructions via SNMP MIBs. There have been related vulnerabilities (like manipulating processes in Solaris via SNMP), but I would assume this is rare. Most SNMP vulnerabilities are of the information leakage variety.

And writing router worms faces difficulties with the many versions of routers out there... even if you were to stick to relatively garden-variety IOS you would have to deal with many model- and installation-specific architecture differences.

(I did some feasibility studies on this a while back... :-)

cheers,
--dr

On Tue, 12 Dec 2000, Lars Nygård wrote:
Is it possible to write a worm for routers that spreads via SNMP? I'm guessing this is way too easy to do. This is based on my knowledge of Nortel routers, and low security awareness among people when it comes to routers.

I will utilize the following weaknesses:

1. Nortel/Bay routers use by default SNMP community string "public" as read/write for everyone.
2. Nearby routers are often included in access lists.
3. SNMP is not a secure protocol.

Let's say I write a little program, or batch script, that starts by taking advantage of this.

- This little script takes a look at which SNMP communities are stored in the router MIB and writes this to a file.
- Next step is to look for other routers nearby by looking at my routing table, OSPF neighbours etc.
- Then my script checks to see if any of the communities it found are read/write on any nearby routers by sending an SNMP packet.
- If a read/write community is found, it uploads the list of known communities and itself to the nearby router, then executes the script on that router.
- Then my script leaves a text file saying "I was here" and deletes itself (or potentially deletes all files and schedules a boot at 1. January 2000, but that would be mean).

Two questions:

Can anyone tell me any reason why this can't work? I base this upon my knowledge of Nortel routers and BayRS.

Is there any reason why a similar procedure can't work with Cisco?

-- Lars Nygard
-- Dragos Ruiu <dr () dursec com> dursec.com ltd. / kyx.net - we're from the future gpg/pgp key on file at wwwkeys.pgp.net
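
The weaknesses listed in the quoted message (a default "public" community with read/write access, and SNMP access that is not restricted by source) can be checked for in device configuration. The following is an added example, not part of the original thread: it audits Cisco IOS-style `snmp-server community` lines, assuming the form `snmp-server community <string> [view <name>] [ro|rw] [<acl>]`; the sample configuration and the list of default strings are constructed for illustration.

```python
# Added example: audit IOS-style configuration text for risky SNMP communities.
DEFAULT_COMMUNITIES = {"public", "private"}  # assumed list of common defaults

# Constructed sample configuration (not taken from any real device).
SAMPLE_CONFIG = """\
hostname edge-1
snmp-server community public RW
snmp-server community n0c-r34d RO 10
snmp-server community n0c-wr1t3 RW 10
snmp-server community monitor view LIMITED RO
snmp-server location rack 4
"""


def audit_config(text):
    """Return (line_no, community, mode, issues) for each risky community line.

    Assumed syntax: snmp-server community <string> [view <name>] [ro|rw] [<acl>]
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if len(tokens) < 3 or [t.lower() for t in tokens[:2]] != ["snmp-server", "community"]:
            continue
        community = tokens[2]
        rest = [t.lower() for t in tokens[3:]]
        if rest[:1] == ["view"]:      # skip "view <name>"
            rest = rest[2:]
        mode = "ro"                   # assumption: unspecified mode means read-only
        if rest and rest[0] in ("ro", "rw"):
            mode, rest = rest[0], rest[1:]
        issues = []
        if community.lower() in DEFAULT_COMMUNITIES:
            issues.append("default community string")
        if mode == "rw":
            issues.append("read/write access")
        if not rest:                  # nothing left means no ACL restricts the sources
            issues.append("no access list")
        if issues:
            findings.append((line_no, community, mode, issues))
    return findings


if __name__ == "__main__":
    for line_no, community, mode, issues in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {community} ({mode}): {', '.join(issues)}")
```

Read/write communities are reported even when an access list is present, because an ACL that admits neighbouring routers does not address point 2 of the quoted message.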