snmpXdmid in Software

Printer Quick Response Code in Software snmpXdmid

Simple Network Management Protocol (SNMP)

Popularity: Simplicity: Impact: Risk Rating: 8 9 8 8

Simple Network Management Protocol (SNMP) is the lifeblood of many networks and is present on virtually every type of device This protocol allows devices (routers, switches, servers, and so on) to be managed across many enterprises and the Internet Unfortunately, SNMP isn t the most secure protocol Even worse, several buffer overflow conditions were found in SNMP that affect dozens of vendors and hundreds of different platforms Much of the research related to this vulnerability was discovered by the Protos Project (http://wwweeoulufi/research/ouspg/protos/testing/c06/snmpv1) and their corresponding Protos test suite The Protos Project focused on identifying weaknesses in the SNMPv1 protocol associated with trap (messages sent from agents to managers) and request (messages sent from managers to agents) handling These vulnerabilities range from causing a denial of service (DoS) condition to allowing an attacker to execute

commands remotely The following example illustrates how an attacker can compromise a vulnerable version of SNMPD on an unpatched OpenBSD platform:

[roz]$ /ucd-snmpd-cs 10011 161 $ nc 10011 2834 id uid=0(root) gid=0(root) group=0(root)

As you can see from this example, it is easy to exploit this overflow and gain root access to the vulnerable system It took little work for us to demonstrate this vulnerability, so you can imagine how easy it is for the bad guys to set their sights on all those vulnerable SNMP devices!

Several countermeasures should be employed to mitigate the exposures presented by this vulnerability First, it is always a good idea to disable SNMP on any device that does not explicitly require it To help identify those devices, you can use SNScan, a free tool from Foundstone that can be downloaded from http://wwwfoundstonecom Next, you should ensure that you apply all vendor-related patches and update any firmware that might have used a vulnerable implementation of SNMP For a complete and expansive list, see http://wwwcertorg/advisories/CA-2002-03html In addition, you should always change the default public and private community strings, which are essentially passwords for the SNMP protocol Finally, you should apply network filtering to devices that have SNMP enabled and allow access only from the management station This recommendation is easier said than done, especially in a large enterprise, so your mileage may vary

Popularity: Simplicity: Impact: Risk Rating: 8 9 8 8

To quote Sun Microsystems, The network is the computer Without a network, a computer s utility diminishes greatly Perhaps that is why the Network File System (NFS) is one of the most popular network-capable file systems available NFS allows transparent access to files and directories of remote systems as if they were stored locally NFS versions 1 and 2 were originally developed by Sun Microsystems and have evolved considerably Currently, NFS version 3 is employed by most modern flavors of UNIX At this point, the red flags should be going up for any system that allows remote access of an exported file system The potential for abusing NFS is high and is one of the more

5:

common UNIX attacks Many buffer overflow conditions related to mountd, the NFS server, have been discovered Additionally, NFS relies on RPC services and can be easily fooled into allowing attackers to mount a remote file system Most of the security provided by NFS relates to a data object known as a file handle The file handle is a token used to uniquely identify each file and directory on the remote server If a file handle can be sniffed or guessed, remote attackers could easily access that file on the remote system The most common type of NFS vulnerability relates to a misconfiguration that exports the file system to everyone That is, any remote user can mount the file system without authentication This type of vulnerability is generally a result of laziness or ignorance on the part of the administrator, and it s extremely common Attackers don t need to actually break into a remote system All that is necessary is to mount a file system via NFS and pillage any files of interest Typically, users home directories are exported to the world, and most of the interesting files (for example, entire databases) are accessible remotely Even worse, the entire / directory is exported to everyone Let s take a look at an example and discuss some tools that make NFS probing more useful Let s examine our target system to determine whether it is running NFS and what file systems are exported, if any:

[sigma]# rpcinfo -p itchy program vers proto 100000 4 tcp 100000 3 tcp 100000 2 tcp 100000 4 udp 100000 3 udp 100000 2 udp 100235 1 tcp 100068 2 udp 100068 3 udp 100068 4 udp 100068 5 udp 100024 1 udp 100024 1 tcp 100083 1 tcp 100021 1 udp 100021 2 udp 100021 3 udp 100021 4 udp 100021 1 tcp 100021 2 tcp 100021 3 tcp port 111 111 111 111 111 111 32771 32772 32772 32772 32772 32773 32773 32772 4045 4045 4045 4045 4045 4045 4045