From seclabs@NAI.COM Wed Nov 18 12:02:43 1998
From: Security Research Labs <seclabs@NAI.COM>
To: BUGTRAQ@netspace.org
Date: Tue, 17 Nov 1998 12:45:35 -0800
Subject: NAI-30: Windows NT SNMP Vulnerabilities

    [The following text is in the "iso-8859-1" character set]
    [Your display is set for the "US-ASCII" character set]
    [Some characters may be displayed incorrectly]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=======================================================================

                        Network Associates, Inc.
                          SECURITY ADVISORY #30
                            November 17, 1998

                  Windows NT SNMP Security Permissions

=======================================================================

SYNOPSIS

This advisory addresses a vulnerability in the common configuration of
the Windows NT SNMP Service.  This vulnerability allows individuals to
remotely configure network parameters that are critical to the security
and proper operation of the system.


=======================================================================

DETAILS

The SNMP Service implements the Simple Network Management Protocol in
Windows NT.  This service allows for the remote management of the
network components of Windows NT.  The SNMP Service is installed
through the Network control panel by selecting the Services panel,
clicking the Add button and then selecting the SNMP Service.  It is
not installed as part of the normal Windows NT installation process.

When the SNMP Service is installed, the default configuration that is
provided leaves the system vulnerable to attack.  In the default
configuration the SNMP service answers to a single SNMP community
``public'', which is given read-write permissions.  The community
is a name that is used much like an account name or a password to
restrict who can access the SNMP functions and in what capacity.
SNMP provides two levels of access, read-only and read-write.  The
Windows NT SNMP Service prior to Service Pack 4 does not allow
communities to be configured as read-only, so all SNMP communities
have the ability to write.

If the SNMP Service is reconfigured with a more secure community name,
the system is still vulnerable to attack from users with an account on
the system.  The SNMP Service parameters are stored in the registry
and are readable by all users.  A user with an account on the system
can read the list of configured community names and use the community
name to access the SNMP Service.  With write access to the SNMP
community, a user can perform actions that are usually restricted to
users with privileged access.

In addition to restricting access to a list of community names, the
Windows NT SNMP Service has an option to restrict access to a list
of IP addresses.  Although this may seem to provide a way to limit
exposure to attacks from unknown systems, it is not very effective.
The SNMP protocol uses UDP packets to exchange commands and their
replies.  Because the UDP protocol is connectionless, forging the
source address of command packets is trivial.  SNMP ``set'' operations
can be sent with any source address since the reply is not needed.
Restricting the set of addresses that can communicate to the SNMP
service is not effective at preventing malicious ``set'' operations
if the attacker knows which addresses are allowed to communicate with
the SNMP service.  Like the community name, the list of addresses that
can communicate with SNMP is stored in the community and accessible
to users with an account on the system.


=======================================================================

AFFECTED SYSTEMS

All versions of Windows NT where the administrator has enabled the SNMP
service and not reconfigured the security parameters are vulnerable to
attack from users that can reach the system over the network.

All versions of Windows NT where the administrator has enabled the SNMP
Service are vulnerable to attack from users with accounts on the system.
These systems are vulnerable to attack from remote users if the
administrator has not removed the ``public'' community from the SNMP
Service configuration and replaced it with a hard-to-guess name.


=======================================================================

IMPACT

Remote individuals with network access to a machine running the Windows
NT SNMP Service can query and set any of the system management
variables that are supported.  Information that can be queried includes:

 - the LAN Manager domain name
 - a list of users
 - a list of shares
 - a list of running services
 - a list of active TCP connections
 - a list of active UDP connections
 - a list of network interfaces and their associated IP and
   hardware addresses
 - the IP routing table and the ARP table as well as a number of
   networking performance statistics.

By setting variables, an attacker can modify the IP routing table
and the ARP table.  An attacker can also bring interfaces up and down
and set critical networking parameters such as the default IP
time-to-live (TTL) and IP forwarding.  These settings allow an attacker
to redirect network traffic, impersonate other machines or deny the
machine access to the network.

The ability to modify the routing table, and enable IP forwarding on
an NT host is especially dangerous if the host is a firewall with
SNMP enabled.


=======================================================================

RESOLUTION

Service Pack 4 (SP4) provides a solution to this problem by adding
access control and allowing communities to be configured READ ONLY,
READ WRITE or READE CREATE.  By default, when Service Pack 4 is
installed, the permissions will be set to READ CREATE, which still
allows modification of SNMP entries, and therefore does not close
this vulnerability.  Ensure that the communities are configured READ
ONLY to prevent modification of SNMP entries.

To configure the SNMP service go to:

   "Control Panel" -> "Network" -> "Services" -> "SNMP Service"

- From this window, select the "Security" tab.  Once within the
security tab, the security settings of each community name can be
configured.  It is recommended that each community name be configured
READ ONLY unless otherwise required.

The permissions on the SNMP registry key allow "Everyone" access
by default.  This access allows any system user to obtain the
community names utilized by the SNMP service.  The permissions
on this registry key should also be set more strictly by the
Administrator.  Ensure that only Administrator and other authorized
users can access the contents of the following registry key:

Hive : HKEY_LOCAL_MACHINE
Key  : System\CurrentControlSet\Services\SNMP\Parameters

On NT 5.0, the permissions on this key will be set securely by
default.

Ensure that the community name is changed from the default "public"
community name to a more obscure name.

Block SNMP access at your firewall or border router.  SNMP utilizes
UDP port 161.


=======================================================================

CREDITS

Documentation and testing of this problem was conducted by Tim Newsham
and Jeremy Rauch at the security labs of Network Associates.


=======================================================================

ABOUT THE NETWORK ASSOCIATES SECURITY LABS

The Security Labs at Network Associates hosts some of the most
important research in computer security today. With over 29 published
security advisories published in the last 2 years, the Network
Associates security auditing teams have been responsible for the
discovery of many of the Internet's most serious security flaws. This
advisory represents our ongoing commitment to provide critical
information to the security community.

For more information about the Security Labs at Network Associates,
see our website at http://www.nai.com or contact us at
<seclabs@nai.com>.

The Security Labs at Network Associates are a participating member
of FIRST, the Forum for Incident Response Teams. For more information
about FIRST, see http://www.first.org.


=======================================================================

NETWORK ASSOCIATES SECURITY LABS PGP KEY

- -----BEGIN PGP PUBLIC KEY BLOCK-----

Version: PGP 5.5.5

mQGiBDXGgDsRBADVOnID6BtEhKlm2cNalho28YP0JAh+J4iRUIaiWshzI0tc0KPc
fvs+0xYwiqjxmeHi2sdIEPQ7S+ltA3Dlp6/DFojWBr2XB9hfWy4uiKBUHqnsKYnB
Gpkh6nIx7DIwn+u0PXMXbJCG3LYf8daiPVdzC2VFtbRvJL4wZc6NLQViFQCg/9uS
DuH/0NE6mO8Cu4iVrUT5Wk8D/ArOpV5T5yIuXHZO1/ZBVeHccVVvHe8wHK4D9WUs
FsB8fgYLNgdFMMjtam7QQSBY/P1KKBzaFqZhkfS4WVMAFEy94NHXG+KTCPhXkZzp
OPPqwWqZgfvOg0Bm20O/GhzQkB6JfFJqcfR87Ej0+fcDKrTTxAELWHGS7c9Qdn6P
bfwHA/4oLNwYrtgWNkjGcG018Pu2jKT7YuP9zBTMu28IBiWdPLGL9Wle4d5cdDVx
Es4iVl8FMtxlgTWCgMnBLS4nyM3pCn1HF+8Gi+IVKUXWCkqt/rtBMsrOMfrOgEIu
BWnTZcTR7kcWtH7xDFNyZ47U4pElLXwATVDty/FczAJnpeht2LQyTmV0d29yayBB
c3NvY2lhdGVzIFNlY3VyaXR5IExhYnMgPHNlY2xhYnNAbmFpLmNvbT6JAEsEEBEC
AAsFAjXGgDsECwMCAQAKCRCheCy6j9WBEtgDAKDpYMwQZP0Ipx7X0ivnTxxJkA/W
vACg4LZv0lmWqmnd7XCe4OIJ05aT6hK5Ag0ENcaAOxAIAPZCV7cIfwgXcqK61qlC
8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXpF9Sh
01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2RXscB
qtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98iLMcfFst
jvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlAGBGNfISn
CnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7DVeky
CzsAAgIH/RZcJoRkhCf9O4Er+rciBNG3QqM3tek23oxGuVwqRxtGlGKuf+YaUDIA
vZhARftupZYJf/+AM9pyjjsF7ON/Df5oIXXhqzrDySw47dNB3I1FG7vwAUBRfYgG
NRP+zvf1nld+FgAXag1DIQteXYPtoMUJP8ZgvbELYVdZS2TapOHUv7r4rOY+UUjl
U+FkQPp9KCNreaNux4NxwT3tzXl1KqqkliC8sYxvMCkJ+JO71TKGplO9dXsf3O8p
2r33+LngmLs4O7inrUlmAUKq3jmCK50J7RsZjd6PlK/0JwcjFkOZeYrxTguZzCR4
QYmo8nEHqEMSKQci0VUf9KH4lHf6xmGJAEYEGBECAAYFAjXGgDsACgkQoXgsuo/V
gRK5LACgoAqLFk10kAMu6xb3ftO4+INJs14Ani+1hujlYRxYphN97c5ci8WtILNZ
=L3C6
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0

iQA/AwUBNlFSeKF4LLqP1YESEQJz2wCfa/RZiCMpQxd/cT8moR4m3GnzGzIAoMPU
ybY9nPnqVfjX5Wxv2rf/yrx0
=3ksc
-----END PGP SIGNATURE-----