Vulnerability Development mailing list archives
Router worm exploiting poor SNMP security.
From: Lars Nygård <lars () SNART COM>
Date: Tue, 12 Dec 2000 23:58:23 -0000
Is it possible to write a worm for routers that spreading via SNMP.? I'm guessing this is way to easy to do. This is based on my knowledge of Nortel routers, and low security awareness among people when it comes to routers: I will utilize the following weaknesses. 1. Nortel/Bay routers use by default SNMP community string "public" as read/write for everyone. 2. Nearby routers are often included in access lists 3. SNMP is not a secure protocol. Let's say I write a little program, or batch script that starts by taking advantage of this. - This little script takes a look at which snmp communities are stored in the router MIB and write this to a file. - Next step is to look for other routers nearby by looking at my routing table, ospf neighbours etc. - Then my script checks to see if any of the communities it found, are read/write on any nearby routers by sending a SNMP packet. - If a read/write community is found. It uploads the list of known communities and itself to the nearby router. Then execute the script on that router. -Then my script leave a text file saying "I was here" and deletes itself. (or potensially delete all files and schedules a boot at 1. january 2000, but that would be mean) Two questions: Can anyone tell me any reason why this can't work? I base this upon my knowledge of Nortel routers and BayRS. Is there any reason why simular procedure can't work with Cisco? -- Lars Nygard
Current thread:
- Router worm exploiting poor SNMP security. Lars Nygård (Dec 13)
- Re: Router worm exploiting poor SNMP security. J Edgar Hoover (Dec 15)
- Re: Router worm exploiting poor SNMP security. Bill Pennington (Dec 15)
- Re: Router worm exploiting poor SNMP security. Dragos Ruiu (Dec 15)
- Re: Router worm exploiting poor SNMP security. nsc (Dec 15)
- Re: Router worm exploiting poor SNMP security. Lincoln Yeoh (Dec 15)
- Re: Router worm exploiting poor SNMP security. Ralph Moonen (Dec 15)
- <Possible follow-ups>
- Re: Router worm exploiting poor SNMP security. M ixter (Dec 15)
- Re: Router worm exploiting poor SNMP security. Jose Nazario (Dec 15)
- Re: Router worm exploiting poor SNMP security. Lars Nygård (Dec 15)
- Re: Router worm exploiting poor SNMP security. N Catlow (Dec 15)
(Thread continues...)