Bugtraq mailing list archives

Re: Microsoft Windows NT & 2000 SNMP Registry Key Modification Vulnerability


From: David LeBlanc <dleblanc () MINDSPRING COM>
Date: Fri, 8 Dec 2000 16:57:52 -0800

There are some omissions, and a couple of corrections that need to be made -

At 10:46 PM 12/7/2000 -0800, Elias Levy wrote:
Title:         Microsoft Windows NT & 2000 SNMP Registry Key Modification
              Vulnerability

The SNMP service in Windows NT 4.0 and 2000 enables the remote management
of the computer. Loose permissions in the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters
allow malicious users with access to the registry to read the SNMP
community names stored in the ValidCommunities key value. This allows the
malicious users to manage the computer via SNMP.

Malicious users also can sniff the network and obtain these same strings.
This is one of many reasons that my friend Mike Warfield refers to SNMP as
Security Not My Problem. The protocol (at least v1) is inherently insecure.
It hardly seems to be worthwhile to go to a lot of trouble trying to secure
something that is normally broadcast in the clear all over the network.

The malicious users could also change the community names by modifying
the registry key thus denying authorized users access to the machine
via SNMP.

Actually, this is incorrect (which also needs to be corrected in the source
bulletin). By default, the permissions on this section of the registry
resolve to:

admins:F
server ops:change
everyone:R

There are slight variations between Win2k and NT 4.0, and depend on the
role of the system, but the above is a reasonable summary. So by default,
users cannot change these strings.

Another point would be what the strings actually get you. Unless the
community string allows write access, the users can't manage anything, just
gather information. The information which is made available by only a
read-only community string would normally be freely available to local
users in any case.

Furthermore, the summary (but not the original bulletin) also leaves out
the important point of remote access to this portion of the registry.
Windows 2000 (both Pro and Server) does not allow remote non-admin access
to this portion of the registry. NT 4.0 Server behaves the same way. NT 4.0
Workstation depends upon whether one of the last registry patches has been
applied. Understanding the remote implications of this issue is important.

Credit:

Discovered by Chris Anley from @stake (http://www.atstake.com) and posted
in a Microsoft Security Bulletin (MS00-095) and (MS00-096) on Dec 6, 2000.

Another reference which should be cited is
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9811&L=NTBUGTRAQ&P=R2115

In that post, dated 11/17/1998, NAI states:

"The SNMP Service parameters are stored in the registry
and are readable by all users.  A user with an account on the system
can read the list of configured community names and use the community
name to access the SNMP Service."

A further reference is the Internet Security Systems' Internet Scanner help
system, and I cite v4.3.2 (I don't recall whether I put that check in
earlier versions - they're currently at 6.x):

Windows NT SNMP Community Name

Windows NT exports a large amount of information through SNMP, including
shares, user names, and the status of running services.  The only
authentication available is by knowing the community name, which is stored
in the registry under
System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities.  If
this information is readable by everyone, an intruder could gather
information which is normally only available to administrator level users.
Set permissions on this key to allow access to administrators and system only.

Note that the modification date on that helpfile was Wednesday, July 02,
1997, 1:00:00 PM. To say that Chris discovered this issue is a bit of a
stretch when there are at least two publicly available references that
substantially predate this announcement. The archives of the ISS original
ntsecurity mailing list seem to be lost, but I know I discussed this issue
prior to adding it to the Scanner. Given that many other security auditing
tools are surely a superset of what the ISS Scanner checked for 3 years
ago, I'd bet a check for permissions on this key is in other shipping
products as well.

I'm glad that the default permissions on these keys have finally been
changed to something more appropriate, but the fact of the matter is that
the underlying protocol is insecure, and IMNSHO, merely changing
permissions on a few registry keys is not going to be much real help if you
choose to allow SNMP communities with write access on your network. There
are too many alternative ways to obtain the same information.


David LeBlanc
dleblanc () mindspring com
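The two checks the thread turns on are the ACL on the SNMP Parameters key (who can read or change ValidCommunities) and whether any configured community actually grants write access. The following PowerShell script is an added example written for this archive page; it is not code from the original post, from Microsoft, or from the ISS Scanner, and PowerShell did not exist when the message was written. It assumes a Windows host with the SNMP service installed (the key is absent otherwise), an elevated session, and the numeric rights mapping under ValidCommunities (1 NONE, 2 NOTIFY, 4 READ ONLY, 8 READ WRITE, 16 READ CREATE) that Microsoft documents for the Windows SNMP service. The function and variable names are the example's own.

```powershell
# Added example (not part of the original post): audit the ACL on the
# SNMP Parameters key, list the rights granted to each configured
# community, and optionally apply the "administrators and system only"
# permissions that the ISS help text recommends.
# Assumptions: SNMP service installed, elevated PowerShell session.

$snmpKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'
$communityKey = Join-Path $snmpKey 'ValidCommunities'

# Rights stored as REG_DWORD under ValidCommunities (assumed mapping,
# as documented for the Windows SNMP service).
$communityRights = @{
    1  = 'NONE'
    2  = 'NOTIFY'
    4  = 'READ ONLY'
    8  = 'READ WRITE'
    16 = 'READ CREATE'
}

# Principals whose Allow ACEs on this key make the community names
# readable to ordinary users (the default the advisory objects to).
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Test-SnmpParametersAcl {
    param([string]$Path = $snmpKey)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "$Path not found; the SNMP service is probably not installed."
        return
    }

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $id    = $ace.IdentityReference.Value
        $broad = ($broadPrincipals -contains $id) -and ($ace.AccessControlType -eq 'Allow')
        [pscustomobject]@{
            Key       = $Path
            Identity  = $id
            Rights    = $ace.RegistryRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
            Finding   = $(if ($broad) { 'Restrict to Administrators and SYSTEM' } else { '' })
        }
    }
}

function Get-SnmpCommunityRights {
    param([string]$Path = $communityKey)

    if (-not (Test-Path -Path $Path)) { return }

    $item = Get-Item -Path $Path
    foreach ($name in $item.GetValueNames()) {
        $value = [int]$item.GetValue($name)
        [pscustomobject]@{
            Community = $name
            Rights    = $(if ($communityRights.ContainsKey($value)) { $communityRights[$value] } else { "UNKNOWN($value)" })
            # READ WRITE and READ CREATE let the holder change the agent's state;
            # a read-only community only exposes information.
            Writable  = (@(8, 16) -contains $value)
        }
    }
}

function Protect-SnmpParametersAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $snmpKey)

    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent key and discard inherited ACEs,
    # then drop every explicit ACE so only the rules below remain.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

    # The SNMP service runs as LocalSystem, so SYSTEM plus Administrators
    # is sufficient for the service and for management of the key.
    foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $principal, 'FullControl',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }

    if ($PSCmdlet.ShouldProcess($Path, 'Replace ACL with Administrators/SYSTEM full control')) {
        Set-Acl -Path $Path -AclObject $acl
    }
}

Test-SnmpParametersAcl   | Format-Table -AutoSize
Get-SnmpCommunityRights  | Format-Table -AutoSize
# Review the findings first, then run Protect-SnmpParametersAcl -WhatIf
# and, if the change is acceptable, Protect-SnmpParametersAcl.
```

Run the two audit functions first; a row with a non-empty Finding column, or a community reported as Writable, is the condition the thread discusses. Protect-SnmpParametersAcl supports -WhatIf so the ACL replacement can be previewed before it is written. Keep in mind the post's own caveat: tightening the key does not help if the community strings cross the wire in the clear and a write community is in use.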

