Vulnerability Development mailing list archives
Re: Router worm exploiting poor SNMP security.
From: Lincoln Yeoh <lyeoh () POP JARING MY>
Date: Fri, 15 Dec 2000 11:24:05 +0800
Can you execute scripts on routers via SNMP writes? I thought this required console access. Also, can you upload files via SNMP writes? I would be very surprised if you could....
The only way I could think of doing it is placing the payload in the configuration 'script' and reconfiguring via SNMP and rebooting, forcing a re-configure via TFTP or whatever; this may be noticed. I don't know whether this would work, i.e. how powerful the configuration 'script' can be.
I've mentioned something like this on this list before ( http://www.securityfocus.com/templates/archive.pike?list=82&mid=139708 )

Some years back I learnt that when you send a configuration to Cisco routers by SNMP you are actually merging the config (not sure if this is still true with current IOS, go check it out yourself). You are not overwriting the config.

So I theorized that the SNMP config was just like doing a config term, only via SNMP. And I confirmed it when I created a "config" that went like this:

    exit
    ping A.B.C.D

Then the router would ping A.B.C.D.

--

The important bits I see for worm writing on Cisco routers are:

1) If you can SNMP write the config, you can execute arbitrary commands. Not a big deal in itself.

2) Writing the config by SNMP is just merging, not totally wiping and overwriting an existing config (this may have changed, but the method could still exist). This means you can just change small bits of the config without screwing up the entire router (and likely the network your worm is on).

3) Cisco routers can behave as TFTP servers, and can store multiple images.

So worm writing looks possible, not easy but possible.

However, router admins can easily filter SNMP and TFTP packets so that only certain IPs can do SNMP/TFTP with their routers. So just secure your routers properly and you should have no worm problem.

Cheerio,
Link.
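A configuration check for the filtering advice in the message above, as an added example that is not part of the original post: it scans an IOS-style config for read-write SNMP communities that are not restricted to specific source addresses. The sample config, community names and function name are constructed for illustration; the parser assumes only the `snmp-server community <string> RO|RW [acl]` form with standard numbered access lists, and does not cover TFTP filtering.

```python
import re

# Constructed sample config (not from the original post); addresses use a documentation range.
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.10
access-list 20 permit any
snmp-server community monitor RO
snmp-server community netops RW 10
snmp-server community legacy RW
snmp-server community lab RW 20
snmp-server community branch RW 30
"""

ACL_RE = re.compile(r"^access-list (\d+) (permit|deny)\s+(.+?)(?:\s+log)?\s*$", re.I)
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)\s+(RO|RW)(?:\s+(\S+))?\s*$", re.I)
WIDE_OPEN = {"any", "0.0.0.0 255.255.255.255"}  # sources that match every address

def audit_snmp_write_access(config):
    """Return (community, finding) pairs for RW communities lacking a source filter."""
    acls = {}         # ACL number -> ordered list of (action, source)
    communities = []  # (name, mode, acl or None)
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2).lower(), m.group(3)))
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            communities.append((m.group(1), m.group(2).upper(), m.group(3)))
    findings = []
    for name, mode, acl in communities:
        if mode != "RW":
            continue  # read-only communities cannot write the config
        if acl is None:
            findings.append((name, "RW community has no access list"))
        elif acl not in acls:
            findings.append((name, f"access list {acl} is not defined in this config"))
        else:
            # ACL entries are first-match: only the first catch-all entry decides.
            for action, source in acls[acl]:
                if source.lower() in WIDE_OPEN:
                    if action == "permit":
                        findings.append((name, f"access list {acl} permits any source"))
                    break
    return findings

if __name__ == "__main__":
    for community, finding in audit_snmp_write_access(SAMPLE_CONFIG):
        print(f"{community}: {finding}")
```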