Security Incidents mailing list archives

SNMP vulnerability test?

From: "Davis Ray Sickmon, Jr" <midryder () midnightryder com>
Date: Tue, 12 Feb 2002 16:47:29 -0600

Besides crashing the device, what's the best way to test for the SNMP
vulnerability?  I've got some hardware out there (Savin printers) that are
leased (and thus, I have no admin access to them!), and have SNMP on by
default.  I can test against similar hardware here in the offices, but I'd
rather not crash the accounting / office people's favorite copier / printer
;-)  I've seen three separate lists of hardware that is vulnerable, but none
of them look very complete.

(I know, I know - it's a bloody printer.  Big deal if it crashes, right?
Well, I'll get tired of listenin' to people whine if it's down for even 30
seconds.  Plus I figure it might be nice information to pass on if there's a
"friendly" way to determine vulnerability.)

J R Sickmon,
Creek Electric, Inc.

(Or whoever I am at this hour...)

----- Original Message -----
From: "Arthur Donkers" <arthur () reseau nl>
To: <incidents () lists securityfocus com>
Sent: Tuesday, February 12, 2002 2:55 PM
Subject: Re: new SNMP vuln?

On Tue, 12 Feb 2002, jason wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.cert.org/advisories/CA-2002-03.html


This is de URL of the Uni from Finland that started it all:

http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html

read and weep....

grtz,

Arthur


- ----- Original Message -----
From: "H C" <keydet89 () yahoo com>
To: "Gary Golomb" <gee_two () yahoo com>;
<incidents () lists securityfocus com>
Sent: Thursday, February 07, 2002 3:06 PM
Subject: Re: new SNMP vuln?

Gary,

Not too much technical detail, but I would think that
this relates back to failing to change the default
community strings.  If this is in fact the case, it
really isn't anything new.



--- Gary Golomb <gee_two () yahoo com> wrote:


Hello all!

This is the third time in the past 24 hours I have
heard about this from
*completely* different sources, but cannot find
anything on it. Does anyone
here have additional details? Have any of the
up-and-running honeypots seen
anything?

Thank you in advance!

-gary

I got a call from one of my customers last night

who just

returned from a
North American Network Operators' Group (NANOG)

security conference.

Apparently, a tool was written in a university in

Finland

that exploits
SNMP vulnerabilities.  One of the many things it

does is send

1 packet to a
router that disables the router.

The tool was removed from several web sites in

order to give vendors a

chance to react--but you know how that goes.

Whether it is

in the wild now
or not, is not the pressing issue.  The issue is

that it will be soon.


It was explained that it was tested on a Cisco and

Nortel

router and proven
effective.  They are already working on a fix.  I

was

informed that they
tried to call some guy named "Henry Fiallo" to

inform us as well.



Gary Golomb
Research Engineer, Intrusion Detection
Enterasys Networks
7160 Columbia Gateway Dr, #201
Columbia, MD 21044
Phone:  410-312-3194 x223
FAX:    410-312-4840
Email:  ggolomb () enterasys com
www:    http://www.enterasys.com/ids/

__________________________________________________
Do You Yahoo!?
Send FREE Valentine eCards with Yahoo! Greetings!
http://greetings.yahoo.com

--------------------------------------------------------------------
--------

This list is provided by the SecurityFocus ARIS
analyzer service.
For more information on this free incident handling,
management
and tracking system please see:
http://aris.securityfocus.com



__________________________________________________
Do You Yahoo!?
Send FREE Valentine eCards with Yahoo! Greetings!
http://greetings.yahoo.com

--------------------------------------------------------------------
-------- This list is provided by the SecurityFocus ARIS analyzer
service.
For more information on this free incident handling, management

and tracking system please see: http://aris.securityfocus.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPGlwSlL3u0OElmjPEQKNWgCg7laRBqP0sQfd3dNgl8kKMe0rN50AoJ8/
eAZGKN5FdtbFYsLzMwXLu5Rf
=Ccfb
-----END PGP SIGNATURE-----


--------------------------------------------------------------------------

--

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



--------------------------------------------------------------------------

--

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

new SNMP vuln? Gary Golomb (Feb 07)
- Re: new SNMP vuln? Mike Lewinski (Feb 07)
  - Re: new SNMP vuln? James (Feb 07)
- Re: new SNMP vuln? H C (Feb 07)
  - Re: new SNMP vuln? jason (Feb 12)
    - Re: new SNMP vuln? Arthur Donkers (Feb 12)
    - SNMP vulnerability test? Davis Ray Sickmon, Jr (Feb 12)
    - Re: SNMP vulnerability test? Eric Brandwine (Feb 13)
    - Re: SNMP vulnerability test? Valdis . Kletnieks (Feb 13)
    - Re: SNMP vulnerability test? Eric Brandwine (Feb 13)
    - Re: SNMP vulnerability test? Valdis . Kletnieks (Feb 13)
    - Re: SNMP vulnerability test? Chris Ess (Feb 13)
- <Possible follow-ups>
- RE: new SNMP vuln? Rob Keown (Feb 12)
  - Re: new SNMP vuln? Patrick Oonk (Feb 12)