Bugtraq mailing list archives

Re: NAI-30: Windows NT SNMP Vulnerabilities


From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Wed, 18 Nov 1998 09:07:05 -0500


At 12:45 PM 11/17/98 -0800, Security Research Labs wrote:

If the SNMP Service is reconfigured with a more secure community name,
the system is still vulnerable to attack from users with an account on
the system.  The SNMP Service parameters are stored in the registry
and are readable by all users.  A user with an account on the system
can read the list of configured community names and use the community
name to access the SNMP Service.  With write access to the SNMP
community, a user can perform actions that are usually restricted to
users with privileged access.

Something that is important to note here is that on default installs of
both NT Server and Workstation, remote access to this portion of the
registry is restricted to administrators.  By default, local access to the
registry of a server will be restricted to privileged users, so it is false
that the community strings can be obtained by any user with an account on
the system.  That statement is only true regarding local access to a
workstation.  Note that I have recommended for well over a year that people
set the access controls to this registry key to admins:F, system:F.  For
details on how to do this, please refer to the help system of the ISS
scanner - any version since 4.3 will contain this check and instructions.

Remote individuals with network access to a machine running the Windows
NT SNMP Service can query and set any of the system management
variables that are supported.  Information that can be queried includes:

- the LAN Manager domain name
- a list of users
- a list of shares
- a list of running services

As documented in the ISS scanner help system (any version since 5.0), you
may disable just this portion of the SNMP mibs by:

Open the HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents
key, locate the value which contains
SOFTWARE\Microsoft\LANManagerMIB2Agent\CurrentVersion and remove it.

If your network management practices do not require this information (which
is freely available via more secure mechanisms), it is best to disable the
LM extensions to the SNMP service.  It may be worthwhile to examine all of
the extension agents, and only enable those which are required.

By setting variables, an attacker can modify the IP routing table
and the ARP table.  An attacker can also bring interfaces up and down
and set critical networking parameters such as the default IP
time-to-live (TTL) and IP forwarding.  These settings allow an attacker
to redirect network traffic, impersonate other machines or deny the
machine access to the network.

Given that a typical local user who is allowed to read the community
strings from the registry can unplug the network cable, this won't be an
issue on most workstations with respect to the console user(s).  It may be
of more concern on a terminal server.  This leaves the typical insecurities
associated with SNMP, which affect any device running that protocol.

On NT 5.0, the permissions on this key will be set securely by
default.

This isn't true, but NT 5.0 is beta software and very well could change
before release.


David LeBlanc
dleblanc () mindspring com
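An added audit script for the two points raised in the message above (it is not part of the original post or of any ISS tool): it lists who holds rights on the SNMP Parameters key against the admins:F, system:F recommendation, and finds the ExtensionAgents value that loads the LAN Manager MIB2 agent so it can be removed. It assumes a current Windows PowerShell (not available on NT 4) and that the SNMP service is installed; the registry paths are the ones named in the post.

```powershell
# Added example, not from the original post. Run elevated. Without -Remove
# it only reports; with -Remove it deletes the LAN Manager MIB agent entry.
param([switch]$Remove)

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'
$agentsKey = "$paramsKey\ExtensionAgents"
$lmAgent   = 'SOFTWARE\Microsoft\LANManagerMIB2Agent\CurrentVersion'

if (-not (Test-Path $paramsKey)) {
    Write-Output 'SNMP Parameters key not present (service not installed).'
    return
}

# 1. Who can read the community strings stored under Parameters?
#    Anything other than Administrators or SYSTEM goes beyond the
#    admins:F, system:F setting recommended in the post, so flag it.
$acl = Get-Acl -Path $paramsKey
foreach ($ace in $acl.Access) {
    $id  = $ace.IdentityReference.Value
    $ok  = $id -in @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    $tag = if ($ok) { 'ok    ' } else { 'REVIEW' }
    Write-Output ('{0} {1,-32} {2}' -f $tag, $id, $ace.RegistryRights)
}

# 2. Locate ExtensionAgents values whose data points at the LAN Manager
#    MIB2 agent (the MIB that exposes domain name, users, shares, services).
if (Test-Path $agentsKey) {
    $item = Get-Item -Path $agentsKey
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($data -like "*$lmAgent*") {
            if ($Remove) {
                Remove-ItemProperty -Path $agentsKey -Name $name
                Write-Output "Removed ExtensionAgents value '$name' ($data); restart the SNMP service"
            } else {
                Write-Output "LAN Manager MIB agent loaded via value '$name' ($data); rerun with -Remove to disable"
            }
        }
    }
}
```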


