Bugtraq mailing list archives

Re: NAI-30: Windows NT SNMP Vulnerabilities


From: Oliver_Friedrichs () NAI COM (Friedrichs, Oliver)
Date: Wed, 18 Nov 1998 12:05:56 -0800


        >>By setting variables, an attacker can modify the IP routing table
        >>and the ARP table.  An attacker can also bring interfaces up and down
        >>and set critical networking parameters such as the default IP
        >>time-to-live (TTL) and IP forwarding.  These settings allow an attacker
        >>to redirect network traffic, impersonate other machines or deny the
        >>machine access to the network.

        >Given that a typical local user who is allowed to read the community
        >strings from the registry can unplug the network cable, this won't be an
        >issue on most workstations with respect to the console user(s).  It may be
        >of more concern on a terminal server.  This leaves the typical insecurities
        >associated with SNMP, which affect any device running that protocol.

        Actually, the main problem pointed out in the advisory is the fact that NT
        ships with a community name of "public" by default AND, unlike most
        SNMP agents, allows any community to be used to set important networking
        variables.  The registry permissions were a side-note, which have been
        documented and known for many years as you said, however are
        still showing up frequently.

        The real issue, which was previously not common knowledge, is that you
        can reconfigure important networking parameters on any default NT
        installation running Windows NT SNMP.  In the past, certain firewalls
        shipped with NT SNMP enabled, and most people only thought that
        you could obtain information from these systems.  This highlights
        the fact that you could also have changed the system's routing table,
        brought interfaces up and down, and turned on IP forwarding.  This
        is made worse by the fact that there was no way, prior to service pack
        4, to restrict this functionality.  If you knew the community name, you
        could set these variables.  You weren't able to configure a community
        as read-only.

        >>On NT 5.0, the permissions on this key will be set securely by
        >>default.

        >This isn't true, but NT 5.0 is beta software and very well could change
        >before release.

        According to Microsoft this will be the case.

        Cheers,

        - Oliver
          Network Associates, Inc.
          (408) 436-3304
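
The following is an added example, not part of the original message or the advisory: a small monitoring-side check that decodes the outer framing of an SNMPv1 datagram and flags SetRequest PDUs that carry the default "public" community discussed above. The function names and the two sample datagrams are constructed for illustration.

```python
# SNMPv1 PDU context tags (RFC 1157); 0xA3 is SetRequest.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
DEFAULT_COMMUNITIES = {b"public"}  # the shipped default named in the message

# Constructed sample datagrams (not captures): community "public", one varbind
# for sysContact.0 (1.3.6.1.2.1.1.4.0), chosen here as a harmless object.
SAMPLE_GET = bytes.fromhex("3026020100" "04067075626c6963" "a019020101020100020100"
                           "300e300c" "06082b06010201010400" "0500")
SAMPLE_SET = bytes.fromhex("3027020100" "04067075626c6963" "a31a020101020100020100"
                           "300f300d" "06082b06010201010400" "040178")


def read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of datagram")
    return tag, buf[pos:pos + length], pos + length


def classify(datagram):
    """Return (pdu_name, community, alert), or None if not a well-formed message."""
    try:
        tag, body, _ = read_tlv(datagram, 0)          # outer SEQUENCE
        vtag, _version, pos = read_tlv(body, 0)       # INTEGER version
        ctag, community, pos = read_tlv(body, pos)    # OCTET STRING community
        ptag, _pdu, _ = read_tlv(body, pos)           # context-tagged PDU
    except ValueError:
        return None
    if tag != 0x30 or vtag != 0x02 or ctag != 0x04:
        return None
    alert = ptag == 0xA3 and community in DEFAULT_COMMUNITIES
    return PDU_NAMES.get(ptag, hex(ptag)), community.decode("latin-1"), alert


if __name__ == "__main__":
    for name, pkt in (("get", SAMPLE_GET), ("set", SAMPLE_SET)):
        print(name, classify(pkt))
```

Read requests with the default community are reported but not alerted on; only a write attempt with it sets the alert flag.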


