In-Reply-To: <gu97kpfevo7.fsfat_private>

Everything I have read concerning SNMP vulnerabilities and printers refers to the Community Name and the fact that most vendors have no method for allowing Administrators to change those strings. Is it possible for an attacker to use default community names of printers to gain access to other parts of the enterprise? Some of the data I have read state that attacking the printer MIB using the community string for the printer will only allow attackers to joy ride around the print server and printers. Then other data state that the printer's community string will allow attackers to obtain the HTTP passwords and other network access passwords.

99% of those devices listed were just HP printers and did not state that these printers had the ability to network scan, scan to email, or scan to desktop. This brings another caveat into the mix in that these systems use HTTP, SMTP and other ports. Has anyone seen, heard or have any data on vulnerabilities with these systems?

John Beuke

>
>>>>>> "mbl" == Marcelo Barbosa Lima <mblimaat_private> writes:
>
>mbl> These multi vendor vulnerabilities found and advertised in CERT
>mbl> scare me. Do you think that it is possible that someone (in black hat
>mbl> community) could create a powerful worm exploring them? I think that
>mbl> it is possible. Several network's elements (routers, switches...) and
>mbl> operating systems could be compromised in the Internet quickly, instead
>mbl> of only HTTP services like in Code Red. What do you think?
>
>You will see a worm. However, the odds of routers/switches/printers
>ever being compromised is low. It's hard to develop overflow sploits
>for devices for which you have neither debuggers nor source code.
>They'll crash, but nobody will root them.
>
>This will be an interesting worm. These SNMP vulnerabilities can be
>used either as an infection vector, or as an attack. If they're used
>as the infection vector, it will be most interesting. Devices tend to
>die with the same packets from the toolkit. This means that your
>packet that will root a RedHat box running on Intel will crash a
>Cisco, or a Sun, perhaps. Random poking with this exploit will net
>more downtime than shells, and will not be very productive. So to use
>it as an infection vector, careful network mapping will be required.
>
>It'll also appear as an attack from the worm. This is more likely to
>be truly terrifying. Single packet DoS, spoofed source.
>
>I'd worry more about targeted attacks. Many boxes are vulnerable, and
>attackers have already mapped out most large networks. Either a wide
>spread DoS using the worm and SNMP as the attack, or small targeted
>attacks against critical systems. One you'll see in lights, the
>other, you'll never know about. Both will keep you up late at night.
>
>ericb
>--
>Eric Brandwine     | When I was a kid and Mom asked me to clean my room, I
>UUNetwork Security | didn't really clean it, I just 'formatted' it.
>ericbat_private    |
>+1 703 886 6038    | - Jay Heiser
>Key fingerprint = 3A39 2C2F D5A0 FC7C 5F60 4118 A84A BD5D 59D7 4E3E
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 18:38:44 PDT