My guess would be that the original poster is trying to exploit the Solaris SNMP hole (where an echo might make some sense since it's a Unix box) but didn't know it (or at least didn't articulate it). It came across bugtraq some time ago so a search in the bugtraq archives may be productive. I didn't look closer than to make sure we had already disabled the program involved (probably by removing the SUID bit from the program) so I didn't check the details.

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada

>
> I have to agree with HC on this one, I can't remember echo being in the
> list of SNMP Basic functions :
>
> 1. GET REQUEST
> 2. GET NEXT REQUEST
> 3. SET REQUEST
> 4. GET RESPONSE
> 5. TRAP MESSAGE
>
> Is the original poster referring to an older type of networked device (i.e.
> OpenRoute, Proteon, Gator, WellFleet) that previously prompted the user
> with > in order to set the SNMP options???
>
> *scratching head**
>
>
> At 03:01 PM 7/16/2001 -0700, Ron Russell wrote:
> >I cannot speak to the echo reference as well. If he would like to expound
> >on it I would be most happy to listen.
> >
> >And the activity could have been prevented by proper use of ACLs, and the
> >proper configuration of SNMP (not using easily guessable strings). I'm also
> >sure that there are similar vulnerabilities across server and switch
> >platforms, but I have not had the privilege of scanning one.
> >
> >Ron Russell - MCSE, CCNA, CNE
> >480-6-Buddha
> >Silicon Buddha LLC
> >Enlightened Network Services
> >www.siliconbuddha.com
> >Offering Free Vulnerability Assessments from the deserts of Phoenix Arizona
> >----- Original Message -----
> >From: "H C" <keydet89at_private>
> >To: "Ron Russell" <ronat_private>; <pen-testat_private>
> >Sent: Monday, July 16, 2001 1:56 PM
> >Subject: Re: snmp vulnerablities
> >
> >
> >Ron,
> >
> >Very interesting input regarding SNMP, though I'm not
> >really too clear on what it has to do with the
> >original author's use of 'echo' statements in an SNMP
> >utility.
> >
> >One question though...when you downloaded the router
> >config, could this activity have been prevented by
> >proper configuration of the router itself? Since you
> >didn't specify the method used (SNMP?), I thought I'd
> >ask for clarification.
> >
> >Thanks,
> >
> >Carv
> >
> >--- Ron Russell <ronat_private> wrote:
> > > SNMP can also be used to write configuration parameters to Cisco
> > > Routers as well (assuming you have the read/write community string).
> > > I have actually successfully downloaded a router config, unencrypted
> > > the hash for the passwords, and telnetted into the router. I'm sure
> > > that there are multiple other security vulnerabilities here as well.
> > >
> > > Ron Russell - MCSE, CCNA, CNE
> > > 480-6-Buddha
> > > Silicon Buddha LLC
> > > Enlightened Network Services
> > > www.siliconbuddha.com
> > > Offering Free Vulnerability Assessments from the deserts of Phoenix Arizona
> > > ----- Original Message -----
> > > From: "H Carvey" <keydet89at_private>
> > > To: <pen-testat_private>
> > > Sent: Saturday, July 14, 2001 6:50 AM
> > > Subject: Re: snmp vulnerablities
> > >
> > >
> > > > Hi there. How do you exploit or gain access from a vulnerable host
> > > > using SNMP vulnerabilities? I've tried to use this command but it
> > > > does not work :
> > >
> > >
> > > I'm not sure why you would try sending 'echo' commands to the SNMP
> > > agent...do any agents have a vulnerability that will allow them to
> > > write to the drive?
> > >
> > > I have always seen SNMP as a great recon protocol, especially when it
> > > is misconfigured (ie, default community strings, no restrictions on
> > > management stations, etc). On Win2K, you can enum usernames, services,
> > > TCP/UDP info, etc.
> > >
> > > Systems running SNMP can divulge information...if they are
> > > misconfigured. This is why many people call SNMP a 'dangerous'
> > > protocol. As with anything else, some simple configuration steps can
> > > fix that. Yes, if someone installs a sniffer and captures some
> > > datagrams containing your SNMPv1 read-write community string, you
> > > could most definitely have problems (though I doubt that those
> > > problems include the ability to write to the drive). However, if
> > > someone is able to load a sniffer on your network, you've got other
> > > problems to worry about...
> > >
> > > ----------------------------------------------------------------------------
> > > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> > > Service For more information on SecurityFocus' SIA service which
> > > automatically alerts you to the latest security vulnerabilities please see:
> > > https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 11:47:45 PDT
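
The misconfigurations raised in the thread above (easily guessable community strings, no ACL limiting management stations, read-write communities) can be checked for in a saved router configuration. The following Python script is an added example, not code from any poster; it assumes Cisco IOS-style `snmp-server community <string> [view <name>] [ro|rw] [<acl>]` lines, and the sample configuration, community names and weak-string list are constructed.

```python
import re
WEAK = {"public", "private", "cisco", "admin", "snmp", "secret"}  # constructed list

SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community Zq7-nms-read view NMSVIEW RO 10
snmp-server community kP4-nms-write RW 10
snmp-server community Tt9-lab RO 99
access-list 10 permit 192.0.2.25
"""  # constructed sample, not taken from the thread

def parse_community(line):
    """Parse one 'snmp-server community' line into a dict, else None."""
    tok = line.split()
    if tok[:2] != ["snmp-server", "community"] or len(tok) < 3:
        return None
    entry = {"community": tok[2], "access": "ro", "view": None, "acl": None}
    rest = iter(tok[3:])
    for word in rest:
        if word.lower() == "view":
            entry["view"] = next(rest, None)
        elif word.lower() in ("ro", "rw"):
            entry["access"] = word.lower()
        elif word.lower() != "ipv6":  # remaining token is the ACL number or name
            entry["acl"] = word
    return entry

def defined_acls(config_text):
    # Numbered "access-list 10 ..." and named "ip access-list standard NMS"
    pat = r"^(?:access-list|ip access-list \w+)\s+(\S+)"
    return set(re.findall(pat, config_text, re.M))

def audit(config_text):
    """Return (community, issue) pairs for each weakness found."""
    acls, findings = defined_acls(config_text), []
    for entry in filter(None, map(parse_community, config_text.splitlines())):
        name = entry["community"]
        if name.lower() in WEAK:
            findings.append((name, "guessable community string"))
        if entry["acl"] is None:
            findings.append((name, "no ACL restricting management stations"))
        elif entry["acl"] not in acls:
            findings.append((name, f"ACL {entry['acl']} is not defined in this config"))
        if entry["access"] == "rw":
            findings.append((name, "read-write community: confirm it is required"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{c}: {i}" for c, i in audit(SAMPLE_CONFIG)))
```

Run against an exported configuration, the findings list gives a per-community view of which of the thread's "simple configuration steps" are still missing.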