Bugtraq mailing list archives

Re: ISS Security Advisory: Hidden community string in SNMP


From: rmuzzio () ZDNETMAIL COM (Raphael Muzzio)
Date: Sun, 15 Nov 1998 19:03:55 -0700


Roland,

Actually the message posted by X-Force is referring to backdoor passwords found embedded in the binaries in the Solaris 
and HP SNMP agents listed.  I have noticed X-Force advisories typically are not full disclosure, so I went ahead and 
dug into the agents with a binary editor and found the following passwords:

Solaris: all private
HP: snmpd

These passwords are NOT stored in the snmp.conf, and as far as I can tell from testing, cannot be disabled.  I have not 
tested against the patched versions of the Sun binaries - can someone try this community string on the new agents?

In the last few months this list has seen backdoors in 3COM, HP and Sun products.  Is this common practice among 
vendors today?

-Raphael

Roland Grefer (btirg () ui uis doleta gov)
Thu, 5 Nov 1998 16:25:20 -0500

In reply to: Jean Chouanard: "Re: ISS Security Advisory: Hidden community string in SNMP"
At 02:47 PM 11/2/98 -0800, someone using X-Force's login wrote:

ISS Security Advisory
November 2nd, 1998

Hidden community string in SNMP implementation

The community string in the SNMP implementation actually is NOT hidden,
but rather accessible in plain text form in

        /etc/snmp/conf/snmp.conf

(by default there, or another location when modified; snmpdx usually
should be started with the "-c /pathname/snmp.conf" option to control
which configuration file is being used).

The relevant entries are the strings assigned to

        system-group-read-community     public
        system-group-write-community    private
        read-community                  public
        write-community                 private

It is recommended that these "passwords" be changed from their default
values (above: public/private) to avoid security compromises.
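
An added example, not part of the original posts: a Python check that parses the four snmp.conf community directives quoted above and flags any still set to the default public/private values. The '#' comment syntax and the sample file contents are assumptions; the embedded strings Raphael reports are not stored in this file, so this check does not cover them.

```python
# Directives and default values as listed in the quoted snmp.conf excerpt.
COMMUNITY_KEYS = (
    "system-group-read-community",
    "system-group-write-community",
    "read-community",
    "write-community",
)
DEFAULT_VALUES = {"public", "private"}


def parse_communities(text):
    """Return {directive: value} for the community directives in snmp.conf text."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0] in COMMUNITY_KEYS:
            found[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return found


def audit(text):
    """Return (directive, problem) findings for unset, empty or default values."""
    found = parse_communities(text)
    findings = []
    for key in COMMUNITY_KEYS:
        if key not in found:
            findings.append((key, "not set in this file"))
        elif found[key] == "":
            findings.append((key, "empty value"))
        elif found[key].lower() in DEFAULT_VALUES:
            findings.append((key, "default value %r" % found[key]))
    return findings


# Constructed sample input, not taken from a real host.
SAMPLE = """\
# constructed sample snmp.conf
system-group-read-community     public
system-group-write-community    Xk4-rw-example
read-community                  ro-example   # changed
write-community                 private
"""

if __name__ == "__main__":
    for key, problem in audit(SAMPLE):
        print("%-30s %s" % (key, problem))
```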





