Vulnerability Development mailing list archives
Re: Router worm exploiting poor SNMP security.
From: Lars Nygård <lars () SNART COM>
Date: Tue, 9 Jan 2001 14:46:17 -0000
Additional information:

> > If you know the SNMP read/write community it should be no problem to
> > upload files to Nortel routers. This is done today with Site Manager.
> > I'm guessing this is done by enabling tftp.
>
> The way Site Manager operates in uploading files is by using tftp. Thus
> unless you have tftp enabled on the router, you would not be able to
> upload files.

Enable tftp with SNMP. No problem.

> > BayRS has its own script language, which I believe can be used to
> > write such a worm. What I'm not sure of is if it's possible to send
> > SNMP packets with such a script.
>
> True, BayRS does have a scripting language. But these scripts cannot be
> executed without a "TI" session running - in other words, either a
> terminal connected to the console port of the router or a CLI-based
> 'telnet' session.
>
> > The problem would be to execute the script on a remote router. I'm not
> > sure if this is possible.
>
> It's not, unless you have telnet/physical access to the router - hence
> pointless.
>
> > It's however possible to execute ping from a remote router with SNMP
> > (again this can be done with Site Manager). I'm guessing this might
> > make it possible to find an exploit. Perhaps by modifying the MIB
> > entry wfIcmp.wfIcmpExecute.1. Only guessing here.

Sniffed a ping session from SM. The full ping command (ping -r4 -p
xxx.xxx.xxx.xxx) was shown in clear text in the SNMP packet to the router.
The router responded with the output from the ping in an SNMP packet. What
about making your packet with some other command than ping? Will that
work? Will the command be executed in a TI shell on the router? I'd like
to try, but I don't have the tools, knowledge or time to experiment with
this. Is it possible to write a Nortel script to send such modified
packets?

> If you want to start "pinging" everyone, I suppose so.... I don't think
> you've really got a means to exploit any of these "issues". Any network
> manager worth his salt will change the default community setup on the
> router

If the suggested exploit above works, once the worm has entered one
router, it can read every community name on that router and go on to the
next. Administrators are lazy, and most of them define the same community
through an entire network.

> anyway (those who don't are inviting trouble). On top of which, as
> others have already pointed out, the task of producing this "worm" would
> be further complicated by the wide variety of router manufacturers,
> hardware, software revisions (which also affect the MIB assignments)
> etc. etc. I cannot see how a worm could be written that would be generic
> enough to infect all of the platforms it would likely encounter.

To make such a worm jump from e.g. Nortel to Cisco seems even more
unlikely.

> In short, I can see many reasons why this WOULDN'T work, and few reasons
> why it would. I think all you've really hit upon here is what many
> network managers etc. already know - SNMP is inherently insecure. But
> I'll give you 8/10 for original thought....
>
> Regards,
> Mike
>
> ___________________________________________________________
> Mike Alexander                              Tel: 01343 563445
> Network Controller, Infrastructure Group    Fax: 01343 563336
> Moray Council                  Email: mike.alexander () it moray gov uk
> ___________________________________________________________
>
> "The surest sign that intelligent life exists elsewhere in the universe
> is that it has never tried to contact us"

---
Lars Nygård
lars () snart com
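The observation in this thread that the community string and the full command were visible "in clear text in the SNMP packet" is simply what SNMPv1 (RFC 1157) looks like on the wire. As an added illustration that is not part of this mailing-list exchange and not Nortel's or Site Manager's code, the block below is a minimal BER encoder and decoder for SNMPv1 messages. It constructs a sample SetRequest against the standard sysContact.0 object (OID 1.3.6.1.2.1.1.4.0; the value and the request id are constructed, and "private" is the traditional default write community rather than a value from the thread), then parses it exactly as a passive sniffer on the segment would, and flags write operations. The point for a defender is that the community string is the only thing gating a write to the device and that it is readable by anyone who can see the datagram, which is why the "same community through an entire network" practice criticised above turns one sniffed packet into write access everywhere.

```python
# Minimal SNMPv1 BER encode/decode, written as a defender's illustration of
# how much of an SNMPv1 datagram is plaintext. Not a production parser.

# BER tags used by SNMPv1 (RFC 1155 / RFC 1157)
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}


def _len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def encode_int(v):
    # minimal two's-complement encoding (correct for the small values used here)
    return tlv(INTEGER, v.to_bytes((v.bit_length() // 8) + 1, "big", signed=True))


def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])        # first two arcs share a byte
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:                                       # base-128 with continuation bit
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def build_snmpv1(community, pdu_tag, request_id, varbinds):
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, PDU }"""
    vbl = b"".join(tlv(SEQUENCE, encode_oid(oid) + val) for oid, val in varbinds)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(SEQUENCE, vbl))
    return tlv(SEQUENCE, encode_int(0) + tlv(OCTET_STRING, community) + pdu)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    subids, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    return ".".join(map(str, subids))


def decode_int(body):
    return int.from_bytes(body, "big", signed=True)


def parse_snmpv1(packet):
    """Return every field a passive observer can read: nothing here is encrypted."""
    _, msg, _ = _read_tlv(packet, 0)
    _, ver, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, rid, p = _read_tlv(pdu, 0)
    _, _, p = _read_tlv(pdu, p)                        # error-status
    _, _, p = _read_tlv(pdu, p)                        # error-index
    _, vbl, _ = _read_tlv(pdu, p)
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oid_body, r = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, r)
        if vtag == OCTET_STRING:
            value = vbody.decode("latin-1")
        elif vtag == INTEGER:
            value = decode_int(vbody)
        elif vtag == NULL:
            value = None
        else:
            value = vbody
        varbinds.append((decode_oid(oid_body), value))
    return {"version": decode_int(ver), "community": community.decode("latin-1"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
            "request_id": decode_int(rid), "varbinds": varbinds}


def is_write(parsed):
    """A SetRequest is the thing to alert on: it changes device state."""
    return parsed["pdu"] == "SetRequest"


def describe(packet):
    """One-line summary of the kind a monitoring rule would log."""
    p = parse_snmpv1(packet)
    kind = "WRITE" if is_write(p) else "read"
    return f"{kind} {p['pdu']} community={p['community']!r} " \
           f"oids={[oid for oid, _ in p['varbinds']]}"


# Constructed samples (sysContact.0 is the standard MIB-II object; the
# request id, the value and the community string are made up for this demo).
SYS_CONTACT = "1.3.6.1.2.1.1.4.0"
SAMPLE_SET_REQUEST = build_snmpv1(
    b"private", 0xA3, 1234, [(SYS_CONTACT, tlv(OCTET_STRING, b"ops@example.net"))])
SAMPLE_GET_REQUEST = build_snmpv1(
    b"public", 0xA0, 1235, [(SYS_CONTACT, tlv(NULL, b""))])

if __name__ == "__main__":
    for pkt in (SAMPLE_SET_REQUEST, SAMPLE_GET_REQUEST):
        print(describe(pkt))
```

Run it and the decoded SetRequest shows the community string, the object being written and the new value, all recovered from raw bytes with no key material; a capture of real SNMPv1/v2c traffic decodes the same way. The practical mitigations are the ones the thread implies: unique, non-default communities per device, ACLs restricting which managers may send SNMP at all, and (on equipment that supports it) SNMPv3 with authentication and privacy so that neither the community nor the varbinds travel in the clear.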
Current thread:
- Re: Router worm exploiting poor SNMP security. Mike Alexander (Jan 04)
- <Possible follow-ups>
- Re: Router worm exploiting poor SNMP security. Lars Nygård (Jan 09)