PROTOS c06-SNMPv1 test suite can be used to attack systems running SNMP

protos-snmp-tool (8115). The risk level is classified as High Risk.

Description:

The PROTOS c06-SNMPv1 test suite, developed by the University of Oulu of Linnanmaa, Finland, was designed to send thousands of test-cases to SNMP daemons from a remote system in order to discover programming flaws or exploitable vulnerabilities. This tool has the immediate ability to crash SNMP daemons and hardware devices running SNMP. The circulation of this tool may lead to the widespread use of new exploits to crash or compromise vulnerable systems. SNMP is universally present on the Internet as a network management protocol. Nearly every operating system, router, switch, cable or DSL modem, and firewall is shipped with an SNMP service.

This tool is extremely thorough and is perceived to be the most exhaustive SNMP testing tool available. It launches various combinations of six main types of test-cases:

  • bit pattern exception
  • BER (Basic Encoding Rules) encoding exception
  • format string exception
  • integer value exception
  • missing symbol exception
  • overflow exception

The effectiveness of the tool is increased by targeting broadcast addresses. As a result, the reach of the tool can be greatly extended by attacking many devices simultaneously.
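The BER encoding, missing symbol and overflow test-case classes listed above all stress parsers that trust the lengths and tags a datagram declares. As an added example (not code from this advisory or from the PROTOS suite), the Python below shows a receiver-side check of the SNMPv1 message envelope that rejects such datagrams before any further parsing; the function names and the 64-byte community limit are assumptions, and the sample datagram is constructed.

```python
# Added example: strict envelope check for an SNMPv1 datagram (illustrative, not vendor code).
MAX_COMMUNITY = 64  # assumed local policy limit, not a value from the advisory

class MalformedSNMP(ValueError):
    """Datagram fails the strict BER envelope check."""

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the BER TLV at pos, or raise."""
    if pos + 2 > len(buf):
        raise MalformedSNMP("truncated header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first                        # short form: one length byte
    if first >= 0x80:                     # long form: low 7 bits count length bytes
        n = first & 0x7F
        if n == 0 or n > 4:               # indefinite or oversized length field
            raise MalformedSNMP("unsupported length form")
        if pos + n > len(buf):
            raise MalformedSNMP("truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if length > len(buf) - pos:           # declared length exceeds bytes present
        raise MalformedSNMP("length overruns datagram")
    return tag, pos, pos + length

def check_snmpv1_envelope(datagram):
    """Validate SEQUENCE { INTEGER version(0), OCTET STRING community, PDU }."""
    tag, start, end = read_tlv(datagram, 0)
    if tag != 0x30 or end != len(datagram):
        raise MalformedSNMP("outer SEQUENCE missing or trailing bytes")
    tag, vs, ve = read_tlv(datagram, start)
    if tag != 0x02 or datagram[vs:ve] != b"\x00":
        raise MalformedSNMP("version is not INTEGER 0 (SNMPv1)")
    tag, cs, ce = read_tlv(datagram, ve)
    if tag != 0x04 or ce - cs > MAX_COMMUNITY:
        raise MalformedSNMP("community missing or too long")
    tag, _, pe = read_tlv(datagram, ce)
    if not 0xA0 <= tag <= 0xA4 or pe != end:   # the five SNMPv1 PDU types
        raise MalformedSNMP("PDU tag invalid or length mismatch")
    return datagram[cs:ce], tag

def is_well_formed(datagram):
    try:
        check_snmpv1_envelope(datagram)
        return True
    except MalformedSNMP:
        return False

# Constructed sample: GetRequest for 1.3.6.1.2.1.1.1.0 with community "public".
VALID_GET = bytes.fromhex("302602010004067075626c6963a019020101020100020100"
                          "300e300c06082b060102010101000500")
```

The check covers only the outer envelope; the PDU body and variable bindings need the same bounds discipline in whatever parser consumes them.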

Platforms Affected:

  • Various vendors, SNMPv1

Remedy:

System administrators should assess their exposure to SNMP traffic (ports 161 and 162 TCP/UDP). Individual users should assess their exposure or contact their cable modem, DSL modem, or router vendor to inquire about potential issues. In addition, home users should consider installing perimeter defenses in the form of a router with filtering capabilities, and personal firewall software with intrusion detection capabilities.

Consequences:

Gain Access

Reported:

Feb 12, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net
