lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 25 Aug 2003 13:34:33 +0400 (MSD)
From: "Alexander V. Nickolenko" <sawny@...timedia.ru>
To: bugtraq@...urityfocus.com
Subject: SNMPc v5 and v6 remote vulnerability


Topic:			SNMPc v5 and v6 remote vulnerability
Impact: 		Any remote user can gain Supervisor access to NMS
Versions affected:	All versions up to and including 6.0.8
Fix:			available 
Remote: 		yes
Exploit:		available

I.   Description

 SNMPc is a general-purpose Distributed Network Manager by Castle Rock
Computing that suitable as a cost-effective solution for small and
middle-range networks. Due to weak authentication protocol any remote user can gain Supervisor access to SNMPc server.

II.  Detailed Description
 
As for SNMPc is distributed system it consists of several components. Server components execute at a centralized computer and maintain centralized databases, including configuration, map topology, event log files and user information. User must start a remote login Console or JAVA console to view and control the SNMPc system. Authentication scheme used by remote console is rather simple  - all authentication is done at the client side. 

During login phase, after some initial exchange (probably version negotiation) remote console sends username to server. Server replies with block of user's data - username, real name, phone number, user's group etc. exactly as it is stored in internal database in file ntuserdb.dat. This also includes user's password "encrypted" with some variation of simple substitution. Thus actual password of any known user can be easily revealed.

Fortunately to attacker there is default user Administrator, which can't be deleted. Administrator's Supervisor privileges can't be lowered.

III. Impact

As for snmp read/write community of network devices, network structure and other sensitive information can be stored in NMS database this can be serious security problem.

IV.  Workaround

Use packet filter in order to allow only trusted workstations connect to SNMPc server. SNMPc listens on udp ports 162,164 and tcp ports 165,166,167,168,12421. 
162/udp listens for generic snmp traps from network devices,
165/tcp used by remote login console, 12421 by JAVA console.
Given exploit needs only 165/tcp to work. 
JAVA version of console is not tested and also can be vulnerable.

V.   Solution  

Castle Rock Computing created a fix, which prevents active attacks.

The client should send the user information to the server and have the
server perform the login verification.

A fix for version 6.0 is posted at the following locations:

http://www.castlerock.com/download/fix821_608.zip (vers 6.0.8)
http://www.castlerock.com/download/fix821_605.zip (vers 6.0.5)

Stop snmpc and unzip the appropriate file into the snmpc server install
directory.

For version 5.1, a full release is available at:

http://www.castlerock.com/download/snmpc519.exe


VI. Vendor status.

2003-08-11 - We notified Castle Rock Computing helpdesk about vulnerability in version 6.x. 
2003-08-14 - Castle Rock Computing created a fix.


VII. Exploit
 Here is simple script that demonstrates this vulnerability. You need SNMPc remote login console, ethereal and some flavor of perl (say Cygwin) installed on your Windows workstation in order this exploit to work.
Run it as follows 
"C:\Program Files\Ethereal\tethereal.exe" -lnV port 165 | C:\cygwin\bin\perl.exe 0wn-snmpc.pl

Try to login to server as Administrator with empty password.
As for space is valid symbol in password this script will print 'decrypted' password limited by semicolons.










View attachment "0wn-snmpc.pl" of type "TEXT/PLAIN" (743 bytes)

Powered by blists - more mailing lists