Message-ID: <48FF5DDC.6060801@procheckup.com>
Date: Wed, 22 Oct 2008 18:07:40 +0100
From: ProCheckUp Research <research@...checkup.com>
To: bugtraq@...urityfocus.com
Subject: SNMP Injection: Achieving Persistent HTML Injection via SNMP on Embedded Devices


SNMP Injection: Achieving Persistent HTML Injection via SNMP on Embedded
Devices

Introduction

In our earlier "ZyXEL Gateways Vulnerability Research" paper[1], we
introduced a new technique: SNMP injection a.k.a. persistent HTML
injection via SNMP. Such a technique allowed us to cause a persistent
HTML injection condition on the web management console of several ZyXEL
Prestige router models.

Provided that an attacker has guessed or cracked the write SNMP
community string of a device, he/she would be able to inject malicious
code into the administrative web interface by changing the values of
OIDs (SNMP MIB objects) that are printed on HTML pages.

The purpose behind injecting malicious code into the web console via
SNMP is to fully compromise the device once the page containing the
payload is viewed by the administrator.
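The root cause described above is a web console that prints OID values into HTML without encoding them. The following is an added illustration, not ProCheckUp's code or any vendor's firmware: it shows that rendering pattern beside its escaped form, plus a small audit that flags polled values already containing markup. The MIB-II objects (sysName, sysContact, sysLocation) and the sample values are assumptions constructed for the example; the advisory itself names no specific OIDs.

```python
import html
import re

# Constructed sample of MIB-II scalar values as a device's web console might read
# them back and print them. The OIDs are assumptions chosen for illustration.
SAMPLE_VALUES = {
    "1.3.6.1.2.1.1.5.0": "gateway01",                   # sysName
    "1.3.6.1.2.1.1.4.0": "<script>alert(1)</script>",   # sysContact, tampered via SNMP SET
    "1.3.6.1.2.1.1.6.0": "Rack 3, server room",         # sysLocation
}

# Markup that has no business in a sysName/sysContact style string: a tag,
# an event-handler attribute, or a javascript: URL.
_MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def looks_like_markup(value: str) -> bool:
    """True when an SNMP string value contains HTML or script markup."""
    return bool(_MARKUP.search(value))


def audit_values(values: dict) -> list:
    """Return (oid, value) pairs whose content looks like injected markup.
    Intended to run over values polled with a read-only community string,
    to spot an injection that has already been planted on a device."""
    return [(oid, v) for oid, v in values.items() if looks_like_markup(v)]


def render_status_page_unsafe(values: dict) -> str:
    """The pattern the advisory describes: OID values concatenated straight into HTML."""
    rows = "".join(f"<tr><td>{oid}</td><td>{v}</td></tr>" for oid, v in values.items())
    return f"<table>{rows}</table>"


def render_status_page(values: dict) -> str:
    """Hardened form: every value is HTML-escaped before it reaches the page,
    so a tampered MIB object renders as inert text instead of executing."""
    rows = "".join(
        f"<tr><td>{html.escape(oid)}</td><td>{html.escape(v, quote=True)}</td></tr>"
        for oid, v in values.items()
    )
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    for oid, v in audit_values(SAMPLE_VALUES):
        print(f"suspicious value in {oid}: {v!r}")
    print(render_status_page(SAMPLE_VALUES))
```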

When we came up with the SNMP injection technique, we suspected that
such an attack is possible on a large number of embedded devices in use
in the market, as mentioned in some interviews where our research was
featured[2]. Although the SNMP write community string must be guessed or
cracked for this attack to work, it is worth mentioning that some
devices come with SNMP read/write access enabled by default using common
community strings[3] such as 'public', 'private', 'write' and
'cable-docsis'. Some examples include ZyXEL Prestige router models used
in residential and SOHO networks, Innomedia VoIP gateways[4], some Cisco
routers and phone gateways[5] and other corporate products such as the
Proxim Tsunami devices.

Also, the use of customized but weak SNMP write community strings, and
other weaknesses within the devices' SNMP stack implementation, should be
taken into account when evaluating the feasibility of this attack.

In order to confirm that this attack affects most SNMP-enabled embedded
devices regardless of model or vendor, we surveyed random embedded
devices that were available in our computer security lab. Overall, we
surveyed network devices from the following vendors:

- Cisco
- Proxim
- 3Com
- ZyXEL


The complete paper can be downloaded from:
http://www.procheckup.com/PDFs/SNMP_injection.pdf


References

[1] "ZyXEL Gateways Vulnerability Research"
http://www.procheckup.com/Hacking_ZyXEL_Gateways.pdf

[2] "SNMP Joins Dark Side in New XSS Attack"
http://www.darkreading.com/document.asp?doc_id=147014

[3] "Multiple Vendor SNMP World Writeable Community Vulnerability"
http://www.securityfocus.com/bid/986/discuss

[4] "Digging into SNMP in 2007 – An Exercise on Breaking Networks"
http://www.ernw.de/content/e7/e181/e671/download690/ERNW_026_SNMP_HitB_Dubai_2007_ger.pdf

[5] "Cisco Security Advisory: DOCSIS Read-Write Community String Enabled
in Non-DOCSIS Platforms"
http://www.securityfocus.com/archive/1/446499



