[8584] in bugtraq
Re: ISSalert: ISS Security Update
daemon@ATHENA.MIT.EDU (topher)
Tue Nov 17 13:02:47 1998
Date: Tue, 17 Nov 1998 16:12:17 +0000
Reply-To: topher <thughes@CISCO.COM>
From: topher <thughes@CISCO.COM>
To: BUGTRAQ@NETSPACE.ORG
> Hidden community string in SNMP implementation
>
> Synopsis:
>
> Internet Security System (ISS) X-Force has discovered a serious
> vulnerability in Sun Microsystems(r) Solstice(tm) Enterprise Agent(tm)
> and the Solaris operating system. This SNMP hidden community string is
> hard coded into the binary and can not be configured nor is it in the
> configuration files. The hidden Sun SNMP community word is not the same
> as the hidden HP SNMP community string. This vulnerability allows
> attackers to execute arbitrary commands with root privileges, manipulate
> system parameters, and kill processes.
we're having some interesting results with this. In version 1.0.3 of the
SEA SDK (as opposed to just the runtime stuff), the strings 'all public'
and 'all private' are present in the mibiisa binary. It is possible to
read the entire mib using the 'all private' COI, however, we are having
difficulty using either 'private' or 'all private' to write values. This
includes when we have actually configured the SNMP daemon to use
private. =-)
On a system using 1.0.1 it is possible to use the 'all private' to kill
processes, kill connections, etc.... Interestingly, it is also possible
to use 'private' to change the system information. Again, as far as we
can tell, we are _not_ using private as a COI when we can change these
values.
We did not attempt any spoofing.
--topher
