[8597] in bugtraq
Re: NAI-30: Windows NT SNMP Vulnerabilities
daemon@ATHENA.MIT.EDU (Friedrichs, Oliver)
Wed Nov 18 15:47:16 1998
Date: Wed, 18 Nov 1998 12:05:56 -0800
Reply-To: "Friedrichs, Oliver" <Oliver_Friedrichs@NAI.COM>
From: "Friedrichs, Oliver" <Oliver_Friedrichs@NAI.COM>
X-To: David LeBlanc <dleblanc@MINDSPRING.COM>
To: BUGTRAQ@NETSPACE.ORG
>>By setting variables, an attacker can modify the IP routing table
>>and the ARP table. An attacker can also bring interfaces up and down
>>and set critical networking parameters such as the default IP
>>time-to-live (TTL) and IP forwarding. These settings allow an attacker
>>to redirect network traffic, impersonate other machines or deny the
>>machine access to the network.
>Given that a typical local user who is allowed to read the community
>strings from the registry can unplug the network cable, this won't be an
>issue on most workstations with respect to the console user(s). It may be
>of more concern on a terminal server. This leaves the typical insecurities
>associated with SNMP, which affect any device running that protocol.
Actually, the main problem pointed out in the advisory is the fact that NT
ships with a community name of "public" by default AND, unlike most
SNMP agents, allows any community to be used to set important networking
variables. The registry permissions were a side-note, which have been
documented and known for many years as you said; however, they are
still showing up frequently.
The real issue, which was previously not common knowledge, is that you
can reconfigure important networking parameters on any default NT
installation running Windows NT SNMP. In the past, certain firewalls
shipped with NT SNMP enabled, and most people only thought that
you could obtain information from these systems. This highlights
the fact that you could also have changed the system's routing table,
brought interfaces up and down, and turned on IP forwarding. This
is made worse by the fact that there was no way, prior to Service Pack
4, to restrict this functionality. If you knew the community name, you
could set these variables. You weren't able to configure a community
as read-only.
>>On NT 5.0, the permissions on this key will be set securely by
>>default.
>This isn't true, but NT 5.0 is beta software and very well could change
>before release.
According to Microsoft this will be the case.
Cheers,
- Oliver
Network Associates, Inc.
(408) 436-3304
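The write access discussed in this thread (a SetRequest under a default community against ipForwarding, the route and ARP tables, interface status or the default TTL) is visible on the wire. The following is an added example, not code from the advisory, NAI or Microsoft: a minimal SNMPv1 BER parser that flags such SetRequests, with the sample packet constructed inline and the helper names chosen here.

```python
# Hypothetical detection helper (not NAI's or Microsoft's code): flag SNMPv1 SetRequests.
SET_REQUEST = 0xA3                        # SetRequest-PDU tag, RFC 1157
DEFAULT_COMMUNITIES = {b"public", b"private"}
SENSITIVE = {"1.3.6.1.2.1.4.1": "ipForwarding", "1.3.6.1.2.1.4.2": "ipDefaultTTL",
             "1.3.6.1.2.1.4.21": "ipRouteTable", "1.3.6.1.2.1.4.22": "ipNetToMediaTable",
             "1.3.6.1.2.1.2.2.1.7": "ifAdminStatus"}   # MIB-II, RFC 1213; .4.22 = ARP cache

def tlv(buf):
    """Split one BER element into (tag, contents, rest); long-form lengths handled."""
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return tag, buf[pos:pos + length], buf[pos + length:]

def decode_oid(raw):
    """BER OID contents -> dotted string; multi-byte sub-ids (e.g. 192) handled."""
    ids, cur = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(cur)
            cur = 0
    return ".".join(map(str, ids))

def parse_set_request(packet):
    """Return (community, [oid, ...]) for a v1 SetRequest, else None."""
    msg = tlv(tlv(packet)[1])[2]          # enter Message SEQUENCE, skip version INTEGER
    _, community, msg = tlv(msg)          # community OCTET STRING
    tag, pdu, _ = tlv(msg)
    if tag != SET_REQUEST:
        return None
    for _ in range(3): pdu = tlv(pdu)[2]  # skip request-id, error-status, error-index
    _, vbl, _ = tlv(pdu)                  # VarBindList ::= SEQUENCE OF VarBind
    oids = []
    while vbl:
        _, vb, vbl = tlv(vbl)
        oids.append(decode_oid(tlv(vb)[1]))   # first element of a VarBind is the name
    return bytes(community), oids

def flag_sensitive_set(packet):
    """(community, object) pairs worth alerting on; empty list for benign traffic."""
    parsed = parse_set_request(packet)
    if not parsed or parsed[0] not in DEFAULT_COMMUNITIES:
        return []
    return [(parsed[0].decode(), name) for oid in parsed[1]
            for prefix, name in SENSITIVE.items()
            if oid == prefix or oid.startswith(prefix + ".")]

# Constructed sample: SetRequest, community "public", ipForwarding.0 := 1 (enable forwarding)
SAMPLE = bytes.fromhex("3027" "020100" "04067075626c6963" "a31a" "020101" "020100"
                       "020100" "300f" "300d" "06082b06010201040100" "020101")
```

Feeding captured UDP/161 payloads to flag_sensitive_set gives a simple alert source for the pre-SP4 agents the thread describes, where a read-only community could not be configured.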