Vulnerability Development mailing list archives

Re: Router worm exploiting poor SNMP security.


From: Sebastien Barbereau <sebastien.barbereau () FR EASYNET NET>
Date: Thu, 14 Dec 2000 16:53:08 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] from Mixter
Sent: Wednesday, 13 December 2000 10:12
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Router worm exploiting poor SNMP security.


That's certainly an interesting thought... I routinely find
default communities in routers during penetration tests, and
the problem is much more widespread than many people think.

Two questions:
Can anyone tell me any reason why this can't work?

I base this upon my knowledge of Nortel routers and
BayRS. Is there any reason why a similar procedure
can't work with Cisco?

Brute forcing snmp with a .c program or shell script is easy,
but if you have different routers, a list of what scripts,
commands or languages will work on which router is necessary.
I know that most Ciscos can run tcl scripts, for example, and how
to replace snmp settings, but that's about it. There were rumours

In fact there is some scripting language called TCL on Cisco routers,
but it's only used on some voice routers (for example AS5800) and is
not widespread.

of a snmpd exploit that can execute remote commands, but I'm not
sure, are MIBs even supposed to contain executable stuff? If
there's this

Of course you can execute some commands remotely on Cisco routers if
you have the write community of the router. This is mostly used to
download configurations to tftp servers or remotely restart a router
without having to log in.
For example: http://www.cisco.com/warp/public/477/21.html
But I don't think that one may use this to create a virus or trojan.

possibility for routers, does anyone have some comprehensible
information on SNMP implementation on routers, command 
execution, etc.?

I'd suggest you go to www.cisco.com; there you'll surely find what you
are looking for concerning SNMP implementations and usage.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOjjexXMEbPkbj2omEQJWXACgmELlgH12y7Mur9oLRgDf+Awdj2QAoOtp
mSmXbjP/UMNprEqgadd8YAU4
=X0lf
-----END PGP SIGNATURE-----
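
Added example, not part of the original message or thread: a small audit of Cisco IOS configuration text for the SNMP community weaknesses discussed above (default community strings, write communities, no source restriction). The sample configuration is constructed, and the list of default names and the function name audit_snmp are assumptions of this example.

```python
import re

# Well-known default community strings (assumed list for this example).
DEFAULT_COMMUNITIES = {"public", "private"}

# IOS form: snmp-server community <string> [view <name>] [RO|RW] [<acl>]
LINE_RE = re.compile(
    r"^\s*snmp-server\s+community\s+(?P<name>\S+)"
    r"(?:\s+view\s+(?P<view>\S+))?"
    r"(?:\s+(?P<mode>ro|rw))?"
    r"(?:\s+(?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)


def audit_snmp(config_text):
    """Return a list of (community, mode, [issues]) for risky entries."""
    findings = []
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an snmp-server community statement
        name = m.group("name")
        mode = (m.group("mode") or "ro").lower()  # IOS defaults to read-only
        issues = []
        if name.lower() in DEFAULT_COMMUNITIES:
            issues.append("default community string")
        if m.group("acl") is None:
            issues.append("no access list restricting source addresses")
        if mode == "rw":
            issues.append("write access: allows config copy and reload via SNMP")
        if issues:
            findings.append((name, mode, issues))
    return findings


# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
snmp-server community private RW
snmp-server community n0c-Mon1tor RO 10
snmp-server community cfg-Push3r view NOCVIEW RW 20
snmp-server location lab
"""

if __name__ == "__main__":
    for name, mode, issues in audit_snmp(SAMPLE_CONFIG):
        print(f"{name} ({mode.upper()}): " + "; ".join(issues))
```

A write community that is ACL-restricted is still reported, so that each one can be reviewed and removed where SNMP writes are not needed.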

