Re: NAI-30: Windows NT SNMP Vulnerabilities

From: Friedrichs, Oliver (Oliver_Friedrichsat_private)
Date: Wed Nov 18 1998 - 12:05:56 PST

>>By setting variables, an attacker can modify the IP routing table
>>and the ARP table.  An attacker can also bring interfaces up and down
>>and set critical networking parameters such as the default IP
>>time-to-live (TTL) and IP forwarding.  These settings allow an attacker
>>to redirect network traffic, impersonate other machines or deny the
>>machine access to the network.

>Given that a typical local user who is allowed to read the community
>strings from the registry can unplug the network cable, this won't be an
>issue on most workstations with respect to the console user(s).  It may be
>of more concern on a terminal server.  This leaves the typical insecurities
>associated with SNMP, which affect any device running that protocol.

Actually, the main problem pointed out in the advisory is the fact that NT
ships with a community name of "public" by default AND, unlike most
SNMP agents, allows any community to be used to set important networking
variables.  The registry permissions were a side-note, which have been
documented and known for many years as you said; however, they are
still showing up frequently.

The real issue, which was previously not common knowledge, is that you
can reconfigure important networking parameters on any default NT
installation running Windows NT SNMP.  In the past, certain firewalls
shipped with NT SNMP enabled, and most people only thought that
you could obtain information from these systems.  This highlights
the fact that you could also have changed the system's routing table,
brought interfaces up and down, and turned on IP forwarding.  This
is made worse by the fact that there was no way, prior to service pack
4, to restrict this functionality.  If you knew the community name, you
could set these variables.  You weren't able to configure a community
as read-only.

>>On NT 5.0, the permissions on this key will be set securely by
>>default.

>This isn't true, but NT 5.0 is beta software and very well could change
>before release.

According to Microsoft this will be the case.

Cheers,

- Oliver
  Network Associates, Inc.
  (408) 436-3304
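The exposure described in the message above is a SetRequest sent with the default community "public" against MIB-II objects such as ipForwarding, ipDefaultTTL, the IP route table and ifAdminStatus. The following is an added example (not part of the original post, the advisory, or any NAI or Microsoft code) of how a monitoring tool could recognise that pattern on the wire: a minimal SNMPv1 BER decoder with no third-party dependencies, run over three constructed sample messages. The community string "rw-oper1" and the SAMPLE_MESSAGES bytes are constructed for the example; the OIDs are the standard MIB-II ones.

```python
"""Flag SNMPv1 SetRequest PDUs that arrive with a default community string.

Added example, not from the original post. Decodes only the subset of BER
needed for SNMPv1: SEQUENCE, INTEGER, OCTET STRING, OBJECT IDENTIFIER and
the context-specific PDU tags.
"""

DEFAULT_COMMUNITIES = {b"public", b"private"}

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

# MIB-II objects named in the advisory text, keyed by OID prefix.
SENSITIVE_PREFIXES = {
    "1.3.6.1.2.1.2.2.1.7": "ifAdminStatus",   # bring interfaces up/down
    "1.3.6.1.2.1.3": "atTable",                # ARP (address translation) table
    "1.3.6.1.2.1.4.1": "ipForwarding",
    "1.3.6.1.2.1.4.2": "ipDefaultTTL",
    "1.3.6.1.2.1.4.21": "ipRouteTable",
}


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Decode BER OBJECT IDENTIFIER content bytes to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_snmpv1(msg):
    """Return version, community, PDU type and varbind OIDs of one message."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    _, version, p = _read_tlv(body, 0)
    _, community, p = _read_tlv(body, p)
    pdu_tag, pdu, _ = _read_tlv(body, p)
    q = 0
    for _ in range(3):                     # request-id, error-status, error-index
        _, _, q = _read_tlv(pdu, q)
    _, vblist, _ = _read_tlv(pdu, q)
    oids, r = [], 0
    while r < len(vblist):
        _, vb, r = _read_tlv(vblist, r)    # each varbind: SEQUENCE { OID, value }
        _, oid_body, _ = _read_tlv(vb, 0)
        oids.append(_decode_oid(oid_body))
    return {"version": int.from_bytes(version, "big"), "community": community,
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)), "oids": oids}


def _sensitive_targets(oids):
    return [name for oid in oids for prefix, name in SENSITIVE_PREFIXES.items()
            if oid == prefix or oid.startswith(prefix + ".")]


def flag_default_community_writes(messages):
    """Return one finding per SetRequest that uses a default community."""
    findings = []
    for index, msg in enumerate(messages):
        info = parse_snmpv1(msg)
        if info["pdu"] == "SetRequest" and info["community"] in DEFAULT_COMMUNITIES:
            findings.append({"index": index, "community": info["community"].decode(),
                             "oids": info["oids"],
                             "targets": _sensitive_targets(info["oids"])})
    return findings


# Constructed sample traffic (hand-encoded BER, not captured from any host):
SAMPLE_MESSAGES = [
    # GetRequest, community "public", sysDescr.0 -- read-only, not flagged
    bytes.fromhex("30 26 02 01 00 04 06 7075626c6963 a0 19 02 01 01 02 01 00 02 01 00"
                  "30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00"),
    # SetRequest, community "public", ipForwarding.0 = 1 -- flagged
    bytes.fromhex("30 27 02 01 00 04 06 7075626c6963 a3 1a 02 01 02 02 01 00 02 01 00"
                  "30 0f 30 0d 06 08 2b 06 01 02 01 04 01 00 02 01 01"),
    # SetRequest, community "rw-oper1" (constructed), ipDefaultTTL.0 = 64 -- not flagged
    bytes.fromhex("30 29 02 01 00 04 08 72772d6f70657231 a3 1a 02 01 03 02 01 00 02 01 00"
                  "30 0f 30 0d 06 08 2b 06 01 02 01 04 02 00 02 01 40"),
]

if __name__ == "__main__":
    for finding in flag_default_community_writes(SAMPLE_MESSAGES):
        print(finding)
```

Fed real traffic (for example, UDP/161 payloads pulled from a capture), the same two functions apply unchanged; the prefix table is what turns "a write with the default community" into "a write to the routing, ARP, TTL or interface settings the advisory is about", which is the distinction a responder needs when triaging.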
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:23:50 PDT