Vulnerability Development mailing list archives

Re: SNMP vuln dated in 1997


From: Ron DuFresne <dufresne () winternet com>
Date: Thu, 21 Feb 2002 15:17:36 -0600 (CST)

On Wed, 20 Feb 2002, Wes Hardaker wrote:

On Tue, 19 Feb 2002 09:39:29 +0000, "david evlis reign" <davidreign () hotmail com> said:

david> http://www.phrack.org/show.php?p=50&a=7

david> four years old and you think this is a *new* problem, exploit
david> code/exploit tools/exploit information has been floating around for
david> years.

Oh please, that's just describing the vulnerabilities everyone knows
exist with SNMPv1.  Switch to a secure version of the protocol (like it
even suggests in the document) and everything stated there goes away.
The document describes none of the problems that everyone is talking
about this month.

Would not a more secure version of snmp be snmpv2 or snmpv3?  If so, then
the cert advisory is dealing with snmpv1 from what I read:


...
 CERT Advisory CA-2002-03 Multiple Vulnerabilities in Many Implemen (p5 of 120)
   Version 1 of the protocol (SNMPv1) defines several types of SNMP
   messages that are used to request information or configuration
   changes, respond to requests, enumerate SNMP objects, and send
   unsolicited alerts. The Oulu University Secure Programming Group
   (OUSPG, http://www.ee.oulu.fi/research/ouspg/) has reported numerous
   vulnerabilities in SNMPv1 implementations from many different vendors.
   More information about SNMP and OUSPG can be found in Appendix C

   OUSPG's research focused on the manner in which SNMPv1 agents and
   managers handle request and trap messages. By applying the PROTOS
   c06-snmpv1 test suite
...

After all, most vendors still implement snmpv1 for compatibility issues do
they not?  Especially those hardcoded implementations such as those
coming out on old HP directjet cards and such, yes?  Perhaps I'm as wrong
as David in this, and am certainly up to being corrected.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
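As an added illustration (not part of this thread or of any vendor's code), a small Python BER walker that classifies observed SNMP datagrams by protocol version, so legacy SNMPv1/v2c agents of the kind Ron asks about can be inventoried from captured traffic, and that rejects malformed length fields of the kind the PROTOS suite exercises instead of trusting them. The sample datagrams are constructed by hand following the RFC 1157 message layout.

```python
# Outer SNMP message (RFC 1157 / RFC 3416):
#   SEQUENCE { version INTEGER, community OCTET STRING, data PDU }
# SNMPv3 (RFC 3412) puts msgGlobalData where the community string would be.
SNMP_VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}

class MalformedSNMP(ValueError):
    """Raised instead of indexing past the buffer on a bad length field."""

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_bytes, next_pos) for the BER element at buf[pos]."""
    if pos + 2 > len(buf):
        raise MalformedSNMP("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise MalformedSNMP("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):           # the check PROTOS-style inputs probe
        raise MalformedSNMP("length exceeds message")
    return tag, buf[pos:pos + length], pos + length

def classify_snmp(payload: bytes) -> dict:
    """Report the version (and community, for v1/v2c) of one UDP payload."""
    tag, body, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise MalformedSNMP("outer element is not SEQUENCE")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02 or not ver:
        raise MalformedSNMP("version is not INTEGER")
    version = int.from_bytes(ver, "big", signed=True)
    result = {"version": SNMP_VERSIONS.get(version, f"unknown({version})"),
              "legacy": version < 3, "community": None}
    if version in (0, 1):                 # community-based versions only
        tag, community, _ = read_tlv(body, pos)
        if tag != 0x04:
            raise MalformedSNMP("community is not OCTET STRING")
        result["community"] = community.decode("latin-1")
    return result

def is_malformed(payload: bytes) -> bool:
    try:
        classify_snmp(payload)
        return False
    except MalformedSNMP:
        return True

# Constructed sample datagrams (not captured traffic): GetRequest, empty varbinds.
V1_GET  = bytes.fromhex("30180201000406" "7075626c6963" "a00b020101020100020100" "3000")
V2C_GET = bytes.fromhex("30180201010406" "7075626c6963" "a00b020101020100020100" "3000")
BAD_LEN = bytes.fromhex("3084ffffffff020100")   # long-form length far past the buffer
```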

