Penetration Testing mailing list archives

Re: snmp vulnerabilities


From: Jon DeShirley <jond () uidaho edu>
Date: Tue, 17 Jul 2001 10:58:28 -0700 (PDT)


I can only assume that the original poster was trying to exploit a bug
in HP's OpenView SNMP trap daemon.  This bug was posted to BugTraq
about a month ago.  (http://www.securityfocus.com/archive/1/189616 for
those interested)

However, I haven't been able to verify that this bug actually exists
since HP does not have any record of the patch mentioned in the
advisory.  The original advisory also mentions that the binary is suid
root; however, in my experience it drops its privileges and runs as
bin.  bin isn't quite as nice as root, but it would work for spawning a
remote shell above 1024 with another inetd daemon (as the original
poster was trying).

--jon


On 16 Jul, mht () clark net wrote:
I have to agree with HC on this one; I can't remember echo being in the
list of SNMP basic functions:

1. GET REQUEST
2. GET NEXT REQUEST
3. SET REQUEST
4. GET RESPONSE
5. TRAP MESSAGE

Is the original poster referring to an older type of networked device (i.e. 
OpenRoute, Proteon, Gator, WellFleet) that previously prompted the user 
with > in order to set the SNMP options???

*scratching head*


At 03:01 PM 7/16/2001 -0700, Ron Russell wrote:
I cannot speak to the echo reference as well.  If he would like to expound
on it I would be most happy to listen.

And the activity could have been prevented by proper use of ACLs, and the
proper configuration of SNMP (not using easily guessable strings).  I'm also
sure that there are similar vulnerabilities across server and switch
platforms, but I have not had the privilege of scanning one.

Ron Russell - MCSE, CCNA, CNE
480-6-Buddha
Silicon Buddha LLC
Enlightened Network Services
www.siliconbuddha.com
Offering Free Vulnerability Assessments from the deserts of Phoenix Arizona
----- Original Message -----
From: "H C" <keydet89 () yahoo com>
To: "Ron Russell" <ron () siliconbuddha com>; <pen-test () securityfocus com>
Sent: Monday, July 16, 2001 1:56 PM
Subject: Re: snmp vulnerabilities


Ron,

Very interesting input regarding SNMP, though I'm not really too clear
on what it has to do with the original author's use of 'echo'
statements in an SNMP utility.

One question though...when you downloaded the router config, could
this activity have been prevented by proper configuration of the router
itself?  Since you didn't specify the method used (SNMP?), I thought
I'd ask for clarification.

Thanks,

Carv

--- Ron Russell <ron () siliconbuddha com> wrote:
SNMP can also be used to write configuration parameters to Cisco
Routers as well (assuming you have the read/write community string).
I have actually successfully downloaded a router config, unencrypted
the hash for the passwords, and telnetted into the router.  I'm sure
that there are multiple other security vulnerabilities here as well.

Ron Russell - MCSE, CCNA, CNE
480-6-Buddha
Silicon Buddha LLC
Enlightened Network Services
www.siliconbuddha.com
Offering Free Vulnerability Assessments from the deserts of Phoenix Arizona
----- Original Message -----
From: "H Carvey" <keydet89 () yahoo com>
To: <pen-test () securityfocus com>
Sent: Saturday, July 14, 2001 6:50 AM
Subject: Re: snmp vulnerabilities


Hi there.  How do you exploit or gain access from a vulnerable host
using SNMP vulnerabilities?  I've tried to use this command but it's
not working:


I'm not sure why you would try sending 'echo' commands to the SNMP
agent...do any agents have a vulnerability that will allow them to
write to the drive?

I have always seen SNMP as a great recon protocol, especially when it
is misconfigured (i.e., default community strings, no restrictions on
management stations, etc.).  On Win2K, you can enum usernames,
services, TCP/UDP info, etc.

Systems running SNMP can divulge information...if they are
misconfigured.  This is why many people call SNMP a 'dangerous'
protocol.  As with anything else, some simple configuration steps can
fix that.  Yes, if someone installs a sniffer and captures some
datagrams containing your SNMPv1 read-write community string, you
could most definitely have problems (though I doubt that those problems
include the ability to write to the drive).  However, if someone is
able to load a sniffer on your network, you've got other problems to
worry about...
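Several replies in this thread make the same defensive point: the SNMP exposure being discussed comes from misconfiguration, namely default or easily guessed community strings and no access list restricting which management stations may talk to the agent. The script below is an added example, not code from anyone in the thread; it audits a Cisco IOS style configuration excerpt for exactly those two problems (plus a community that references an ACL the config never defines). The configuration text, the list of "default" strings and the severity labels are assumptions made for the example; the `snmp-server community <string> [view <name>] [RO|RW] [<acl>]` line format it parses is the standard IOS form.

```python
import re
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# Constructed Cisco IOS style running-config excerpt (sample input made up for
# this example; it is not a configuration from anyone in the thread).
SAMPLE_CONFIG = """\
!
hostname edge-router
!
access-list 10 permit 192.0.2.10
access-list 10 deny   any log
!
snmp-server community public RO
snmp-server community private RW
snmp-server community n0c-r3ad0nly RO 10
snmp-server community n0c-wr1te RW 10
snmp-server community tr4p-only view restricted RO 99
!
"""

# Community strings that ship as defaults or are commonly guessed (assumed list).
DEFAULT_STRINGS = {"public", "private", "cisco", "secret", "write", "snmp"}

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view (\S+))?(?: (RO|RW))?(?: (\S+))?\s*$",
    re.IGNORECASE,
)
# Numbered ACL entries and named ACL headers: enough to learn which ACLs exist.
ACL_DEF_RE = re.compile(
    r"^(?:access-list (\S+) |ip access-list (?:standard|extended) (\S+))",
    re.IGNORECASE,
)


@dataclass
class Finding:
    community: str   # masked form of the community string
    severity: str    # "high" or "medium" (assumed severity scheme)
    reason: str


def mask(secret: str) -> str:
    """Show just enough of a community string to locate the line, not the secret."""
    return secret if len(secret) <= 2 else secret[:2] + "*" * (len(secret) - 2)


def parse_communities(config: str) -> Iterator[Tuple[str, Optional[str], Optional[str], Optional[str]]]:
    """Yield (string, view, mode, acl) for every snmp-server community line."""
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4)


def defined_acls(config: str) -> set:
    """Collect the numbers/names of the access lists the config actually defines."""
    acls = set()
    for line in config.splitlines():
        m = ACL_DEF_RE.match(line.strip())
        if m:
            acls.add(m.group(1) or m.group(2))
    return acls


def audit_snmp(config: str) -> list:
    """Flag default strings and communities not limited to known management stations."""
    findings = []
    acls = defined_acls(config)
    for string, _view, mode, acl in parse_communities(config):
        mode = (mode or "RO").upper()  # IOS treats an omitted mode as read-only
        name = mask(string)
        if string.lower() in DEFAULT_STRINGS:
            findings.append(Finding(name, "high", "default or easily guessed community string"))
        if acl is None:
            findings.append(Finding(
                name, "high" if mode == "RW" else "medium",
                f"{mode} community with no access-list limiting management stations"))
        elif acl not in acls:
            findings.append(Finding(
                name, "medium", f"access-list {acl} is referenced but never defined"))
    return findings


if __name__ == "__main__":
    for f in audit_snmp(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] community {f.community}: {f.reason}")
```

Run against the sample, the two read-only-and-restricted communities pass silently, `public` and `private` are flagged for the default string and for the missing ACL (read-write without an ACL rated high), and `tr4p-only` is flagged because ACL 99 does not exist in the config, which on a real device would leave that community unrestricted.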



