Vulnerability Development mailing list archives

Re: Router worm exploiting poor SNMP security.


From: N Catlow <n.catlow () ERIS DERA GOV UK>
Date: Thu, 14 Dec 2000 18:07:34 +0000

Additional information
If you know the SNMP read/write community it should 
be no problem to upload files to Nortel routers. This is 
done today with Site Manager. I'm guessing this is 
done by enabling tftp.

Hmm, yes, I recollect that you could manipulate the file
system on Bay Routers (BLN) via Site Manager; this did
use tftp but was initiated by snmp...

If you could sniff the snmp from a valid file transfer
then this would provide the snmp method of getting scripts
etc. onto the box. This would be useful in its
own right for zebra hats.


BayRS has its own script language, which I believe 
can be used to write such a worm. What I'm not sure 
of is if it's possible to send SNMP packets with such 
a script.

If I remember on BLN's the scripting language provided
core commands such as 'show blah blah' where 'show'
was a script on the FS. The more interesting bit was that
these scripts consisted of snmp gets.

q1. Can you do snmp sets?
q2. Can you do it to a remote machine?


The problem would be to execute the script on a 
remote router. I'm not sure if this is possible. 
It's however possible to execute ping from a remote 
router with SNMP (again this can be done with Site 
Manager).

Even if you couldn't execute arbitrary commands via snmp
you could trojanise core commands. This could lead to a
manually operated worm or perhaps making the router
appear to logout then capture username/password and store
to a file to be later retrieved by snmp/tftp.

As far as this worm being version specific etc. all
you have to do is use snmp to pull the os/ver information
and execute the relevant worm....

There does seem to be plenty of room for a closer look.

regards,

-- 
N.Catlow () eris dera gov uk |  All opinions  | IT Security, DERA,
                          | are my own and | WWB009, St Andrews Rd,
                          |   not DERA's   | Malvern, Worcs, England.
*I'd love to give my 0.02 worth - Have you got change for a dollar?*
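
A defender's view of the point made in this message (file transfers on these routers ride on tftp but are initiated by snmp), added here as an example and not taken from the post: it decodes the SNMPv1/v2c header to spot SetRequest PDUs from hosts outside a management allowlist and flags TFTP traffic involving the same router shortly afterwards. The addresses, community strings, 30-second window, packet tuples and the helper `build_msg` are all constructed assumptions.

```python
MGMT_HOSTS = {"192.0.2.10"}  # assumed allowlist of management stations
SET_REQUEST = 0xA3           # BER context tag of an SNMP SetRequest PDU
WINDOW = 30                  # assumed seconds to link a TFTP flow to a set

def read_tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def snmp_header(payload):
    """Return (community, pdu_tag) of an SNMPv1/v2c message, else None."""
    try:
        tag, body, _ = read_tlv(payload, 0)         # outer SEQUENCE
        vtag, _, pos = read_tlv(body, 0)            # version INTEGER
        ctag, community, pos = read_tlv(body, pos)  # community OCTET STRING
        if (tag, vtag, ctag) != (0x30, 0x02, 0x04):
            return None
        return community.decode("latin-1"), body[pos]
    except (IndexError, ValueError):
        return None

def find_alerts(packets):  # (ts, src, dst, udp_dport, payload), time-ordered
    alerts, last_set = [], {}
    for ts, src, dst, dport, payload in packets:
        hdr = snmp_header(payload) if dport == 161 else None
        if hdr and hdr[1] == SET_REQUEST:
            last_set[dst] = ts  # remember when each router was last written to
            if src not in MGMT_HOSTS:
                alerts.append((ts, "snmp-set-from-unapproved-host", src, dst))
        elif dport == 69 and any(  # TFTP with the router on either side
                r in last_set and ts - last_set[r] <= WINDOW for r in (src, dst)):
            alerts.append((ts, "tftp-after-snmp-set", src, dst))
    return alerts

def build_msg(community, pdu_tag):  # constructed SNMPv1 message, empty PDU body
    body = b"\x02\x01\x00" + bytes([4, len(community)]) + community + bytes([pdu_tag, 0])
    return bytes([0x30, len(body)]) + body

SAMPLE = [  # constructed traffic; 198.51.100.1 stands in for the router
    (0, "192.0.2.10", "198.51.100.1", 161, build_msg(b"example-ro", 0xA0)),
    (5, "203.0.113.7", "198.51.100.1", 161, build_msg(b"example-rw", 0xA3)),
    (9, "198.51.100.1", "203.0.113.7", 69, b""),
    (100, "192.0.2.10", "198.51.100.1", 161, build_msg(b"example-rw", 0xA3)),
]
```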

