Vulnerability Development mailing list archives
Re: Router worm exploiting poor SNMP security.
From: N Catlow <n.catlow () ERIS DERA GOV UK>
Date: Thu, 14 Dec 2000 18:07:34 +0000
Additional information If you know the SNMP read/write community it should be no problem to upload files to Nortel routers. This is done today with Site Manager. I'm guessing this is done by enabling tftp.
Hmm yes I recollect that you could manipulate the file system on Bay Routers (BLN) via Site manager this did use tftp but was initiated by snmp... If you could sniff the snmp from a valid file transfer then this would provide the snmp method of getting scripts etc. onto the box. This would be useful in its own right for zebra hats.
BayRS has it's own script language, which I believe can be used to write such a worm. What I'm not sure of is if it's possible to send SNMP packets with such a script.
If I remember on BLN's the scripting language provided core commands such as 'show blah blah' where 'show' was a script on the FS. The more interesting bit was that these scripts consisted of snmp gets. q1. Can you do snmp sets? q2. Can you do it to a remote machine?
The problem would be to execute the script on a remote router. I'm not sure if this is possible. It's however possible to execute ping from a remote router with SNMP (again this can be done with Site Manager).
Even if you couldn't execute arbitary commands via snmp you could trojanise core commands. This could lead to a manually operated worm or perhaps making the router appear to logout then capture username/password and store to a file to be later retrieved by snmp/tftp. As far as this worm being version specific etc. all you have to do is use snmp to pull the os/ver information and execute the relevent worm.... There does seem to be plenty of room for a closer look. regards, -- N.Catlow () eris dera gov uk | All opinions | IT Security, DERA, | are my own and | WWB009, St Andrews Rd, | not DERA's | Malvern, Worcs, England. *I'd love to give my 0.02 worth - Have you got change for a dollar?*
Current thread:
- Router worm exploiting poor SNMP security. Lars Nygård (Dec 13)
- Re: Router worm exploiting poor SNMP security. J Edgar Hoover (Dec 15)
- Re: Router worm exploiting poor SNMP security. Bill Pennington (Dec 15)
- Re: Router worm exploiting poor SNMP security. Dragos Ruiu (Dec 15)
- Re: Router worm exploiting poor SNMP security. nsc (Dec 15)
- Re: Router worm exploiting poor SNMP security. Lincoln Yeoh (Dec 15)
- Re: Router worm exploiting poor SNMP security. Ralph Moonen (Dec 15)
- <Possible follow-ups>
- Re: Router worm exploiting poor SNMP security. M ixter (Dec 15)
- Re: Router worm exploiting poor SNMP security. Jose Nazario (Dec 15)
- Re: Router worm exploiting poor SNMP security. Lars Nygård (Dec 15)
- Re: Router worm exploiting poor SNMP security. N Catlow (Dec 15)
- Re: Router worm exploiting poor SNMP security. J Edgar Hoover (Dec 15)
- Re: Router worm exploiting poor SNMP security. Charles C. Lindsay (Dec 16)
- Message not available
- Re: Router worm exploiting poor SNMP security. Ralph Moonen (Dec 17)
- Re: Router worm exploiting poor SNMP security. Joe Shaw (Dec 18)
- Message not available
- SNMP community strings Ralph Moonen (Dec 17)
- Re: Router worm exploiting poor SNMP security. Fyodor (Dec 15)