Re: Router worm exploiting poor SNMP security.

[Lars Nygård <lars () SNART COM>]

> > Additional information
> > If you know the SNMP read/write community it 
should 
> > be no problem to upload files to Nortel routers. 
This is 
> > done today with Site Manager. I'm guessing this 
is 
> > done by enabling tftp. 
>
> The way Site Manager operates in uploading files is 
by using tftp.  Thus
> unless you have tftp enabled on the router, you 
would not be able to upload

Enable tftp with SNMP. No problem.

> files.
>
> > BayRS has it's own script language, which I 
believe 
> > can be used to write such a worm. What I'm not 
sure 
> > of is if it's possible to send SNMP packets with 
such 
> > a script. 
>
> True, BayRS does have a scripting language.  But 
these scripts cannot be
> executed without a "TI" session running - in other 
words, either a terminal
> connected to the console port of the router or a CLI-
based 'telnet' session.
> > The problem would be to execute the script on a 
> > remote router. I'm not sure if this is possible. 
>
> It's not, unless you have telnet/physical access to 
the router - hence
> pointless.
>
> > It's however possible to execute ping from a 
remote 
> > router with SNMP (again this can be done with 
Site 
> > Manager).
> > I'm guessing this might makes it possible to find 
an 
> > exploit. Perhaps by modifying the MIB entry  
> > wfIcmp.wfIcmpExecute.1. Only guessing here.

Sniffed a ping session from SM.
The full ping command (ping -r4 -p xxx.xxx.xxx.xxx) 
were show in clear text in the snmp packet to the 
router. The router responded with the output from the 
ping in a smp packet.

What about making your packet with some other 
command than ping. Will that work? Will the 
command be executed in a TI shell on the router?
I'd like to try, but I don't got the tools, knowledge or 
time to experiment with this.

Is it possible to write a nortel script to send such 
modified packets?

> If you want to start "pinging" everyone, I suppose 
so....I don't think
> you've really got a means to exploit any of 
these "issues".  Any network
> manager worth his salt will change the default 
community setup on the router

If the suggested exploit above works, once the worm 
has entered one router, it can read every community 
name on that router and go on to the next.
Administrators are lazy, and most of them define the 
same community through an entire network. 

> anyway (those who don't are inviting trouble).  On 
top of which, as others
> have already pointed out, the task of producing 
this "worm" would be further
> complicated by the wide variety of router 
manufacturers, hardware, software
> revisions (which also affect the MIB assignments) 
etc. etc.  I cannot see
> how a worm could be written that would be generic 
enough to infect all of
> the platforms it would likely encounter.
To make such a worm jump from e.g. Nortel to Cisco 
seems more unlikely to be done.

> In short, I can see many reasons why this 
WOULDN'T work, and few reasons why
> it would.  I think all you've really hit upon here is 
what many network
> managers etc. already know - SNMP is inherently 
insecure.  But I'll give you
> 8/10 for original thought....
>
> Regards,
>
> Mike
___________________________________________
________________
> Mike Alexander                            Tel: 01343 563445
> Network Controller, Infrastructure Group  Fax: 
01343 563336
> Moray Council         Email: 
mike.alexander () it moray gov uk
>
___________________________________________
________________
> "The surest sign that intelligent life exists elsewhere 
in
>  the universe is that it has never tried to contact us"

---
Lars Nygård
lars () snart com