Information disclosure caused by SNMP weak password

Source: Internet
Author: User
Tags: rfc1213, snmp, administrator password, cve


0x00 SNMP Protocol Introduction


SNMP is the Simple Network Management Protocol. There are currently three versions: v1, v2c and v3. v3 is the newest and its security design has been greatly improved, but v1 and v2c are still very widely deployed, and the content of this article is based on those two versions.



More on the protocol itself can be found on Wikipedia.






As the name implies, SNMP is used for network management; monitoring tools such as Cacti and MRTG are built on it. In simple terms, the management host sends the managed host or device a request that carries a community string and an OID. The OID is a code that identifies the information the manager wants: for example, an OID of 112 might stand for CPU usage and 113 for memory usage (the numbers here are only illustrative). The OID is an agreed convention between both sides. When the managed host receives the request, it first checks whether the community in the request matches the one it has stored; if so, it returns the CPU usage for 112 or the memory usage for 113 to the manager, and if not, nothing is returned. The community therefore acts as an authentication password. It must be said that SNMP v1 and v2c are both transmitted in plaintext, so the community can be obtained by packet sniffing and similar means and then used to authenticate.
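The message layout just described, as an added example that is not from the original article: a minimal BER walker that pulls out exactly the fields an SNMPv1/v2c datagram carries in the clear (version, community, PDU type, requested OIDs), which is what a packet capture or an IDS sees on the wire. The datagram is constructed by hand; it assumes short-form BER lengths, which covers any small request.

```python
# Added example (not from the original article): a minimal BER walker that pulls
# out the fields an SNMPv1/v2c message carries in the clear, as described above.
# Short-form lengths only (messages under 128 bytes), enough for a GetRequest.

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not handled in this example")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def decode_oid(raw):
    """BER OID content bytes to dotted notation; the first byte packs two arcs."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_snmp(datagram):
    """Extract version, community, PDU type and requested OIDs from a v1/v2c message."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg, 0)          # INTEGER version: 0 = v1, 1 = v2c
    _, community, pos = read_tlv(msg, pos)  # OCTET STRING community, sent in plaintext
    pdu_tag, pdu, _ = read_tlv(msg, pos)    # context-specific tag selects the PDU type
    pos = 0
    for _ in range(3):                      # skip request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):              # each VarBind is SEQUENCE { OID, value }
        _, vb, pos = read_tlv(varbinds, pos)
        oids.append(decode_oid(read_tlv(vb, 0)[1]))
    return {"version": {0: "v1", 1: "v2c"}.get(ver[0], "other"),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)), "oids": oids}

# Constructed datagram: v2c GetRequest, community "public", one VarBind for sysDescr.0
SAMPLE = bytes.fromhex("3026020101" "04067075626c6963" "a019020101020100020100"
                       "300e300c06082b060102010101000500")
```

parse_snmp(SAMPLE) returns the community "public" as readable text, which is the whole point: anyone on the path sees the same thing.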



Besides reading information from the managed host, the management host can also use SNMP to modify the managed host's configuration (usually on routers and similar devices).



From these uses of SNMP, the security problems caused by a weak or leaked SNMP community string come down to two points: information leakage, and the possibility that the device's configuration is modified and the device taken over by someone else. This article discusses the first case.
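To see the weak-community problem from the configuration side, here is an added example (not from the original article) that audits a Net-SNMP snmpd.conf for default or short community strings, communities accepted from any source, and read-write communities. Both configuration bodies are constructed; the 12-character threshold is an assumption, and the directive syntax follows Net-SNMP's rocommunity/rwcommunity/com2sec forms.

```python
# Added example (not from the original article): an audit of a Net-SNMP snmpd.conf
# for the weak-community problems this section describes. It reads the rocommunity,
# rwcommunity and com2sec directives; both configuration bodies below are constructed.

DEFAULT_COMMUNITIES = {"public", "private"}

def audit_snmpd_conf(text):
    """Return a list of (severity, message) findings for a snmpd.conf body."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            # rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]
            community = parts[1] if len(parts) > 1 else ""
            source = parts[2] if len(parts) > 2 and not parts[2].startswith("-") else "default"
        elif directive == "com2sec" and len(parts) >= 4:
            # com2sec SECNAME SOURCE COMMUNITY
            source, community = parts[2], parts[3]
        else:
            continue                                    # other directives are not audited
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(("HIGH", f"default community string: {line}"))
        elif len(community) < 12:                       # assumption: shorter is guessable
            findings.append(("MEDIUM", f"short community string: {line}"))
        if source in ("default", "0.0.0.0/0", "::/0"):
            findings.append(("MEDIUM", f"community accepted from any source: {line}"))
        if directive.startswith("rw"):
            findings.append(("HIGH", f"read-write community grants SET access: {line}"))
    return findings

# Constructed: the kind of configuration many hosts still ship with
WEAK_CONF = """
com2sec notConfigUser  default  public
rocommunity public
rwcommunity private 10.0.0.0/8
"""

# Constructed: SNMPv3 auth+priv plus one scoped v2c community (which still travels in plaintext)
HARDENED_CONF = """
agentAddress udp:161
createUser monitor SHA "constructed-auth-passphrase" AES "constructed-priv-passphrase"
rouser monitor priv
view systemonly included .1.3.6.1.2.1.1
rocommunity Q7v9xLm2pR4sT 10.0.5.0/24 -V systemonly
"""
```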


0x01 General Information Disclosure


Take a look at a few WooYun cases to warm up:



Youku background Access not set permissions +snmp weak password



Mushroom Street SNMP Weak password one



CactiEZ Chinese Version SNMP default community name



Kingsoft SNMP Weak password



Since everyone says that SNMP causes information leaks and may lead to the server being compromised, let's see exactly what information SNMP can leak. Below are the node OIDs I have collected that disclose sensitive information (retrieved with snmpwalk). Additions are welcome.


System information: 1.3.6.1.2.1.1


Examples:


SNMPv2-MIB::sysDescr.0 = STRING: Linux xxoo.zwt.qihoo.net 2.6.18-164.el5xen #1 SMP Thu Sep 3 04:03:03 EDT 2009 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1876050197) 217 days, 3:15:01.97
SNMPv2-MIB::sysContact.0 = STRING: Root <[email protected]> (configure /etc/snmp/snmp.local.conf)
SNMPv2-MIB::sysName.0 = STRING: xxoo.zwt.qihoo.net
SNMPv2-MIB::sysLocation.0 = STRING: Unknown (edit /etc/snmp/snmpd.conf)
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00


Obviously sysDescr is the system description. Here we can see that the machine's domain name is most likely xxoo.zwt.qihoo.net, the kernel version is 2.6.18-164.el5xen and the system is 64-bit. sysUpTimeInstance is the system uptime. sysContact shows the administrator's contact details; in this example the administrator has not configured it.


System process list: 1.3.6.1.2.1.25.4.2.1.2


Examples:


HOST-RESOURCES-MIB::hrSWRunName.11855 = STRING: "httpd"
HOST-RESOURCES-MIB::hrSWRunName.12579 = STRING: "vsftpd"
HOST-RESOURCES-MIB::hrSWRunName.14653 = STRING: "xinetd"
HOST-RESOURCES-MIB::hrSWRunName.32561 = STRING: "sshd"


N more entries are omitted here. From the process list we can tell which services the server runs and which interesting processes are present; for example, this one shows that SSH is open.


Installed software list: 1.3.6.1.2.1.25.6.3.1.2


Examples:


HOST-RESOURCES-MIB::hrSWInstalledName.595 = STRING: "xorg-x11-xfs-1.0.2-4"
HOST-RESOURCES-MIB::hrSWInstalledName.598 = STRING: "openssh-server-4.3p2-36.el5"
HOST-RESOURCES-MIB::hrSWInstalledName.140 = STRING: "NetworkManager-glib-0.7.0-9.el5"
HOST-RESOURCES-MIB::hrSWInstalledName.141 = STRING: "gnome-mount-0.5-3.el5"
HOST-RESOURCES-MIB::hrSWInstalledName.143 = STRING: "MySQL-devel-community-5.0.81-0.rhel5"


Again, many more entries are omitted. A lot of information can be obtained if you have the patience to analyze it slowly. For example, here I can see that OpenSSH is version 4.3p2, which appears to have known flaws, and that MySQL 5.0 is installed.
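Written for this edit and not part of the original article: a small parser for snmpwalk output in the format shown in the three examples above, extracting the items the text reads off by hand (hostname and kernel from sysDescr, running processes from hrSWRunName, installed packages and versions from hrSWInstalledName). The sample lines are constructed from the article's own examples with a placeholder hostname; run against your own host's snmpwalk it shows what a read-only community exposes.

```python
# Added example (not from the original article): a parser for snmpwalk output in the
# format shown above, pulling out what the text reads off by eye: host and kernel from
# sysDescr, running processes, and installed packages with versions. Sample is constructed.
import re

LINE_RE = re.compile(r"^(?P<mib>[\w-]+)::(?P<obj>\w+)(?:\.(?P<idx>[\d.]+))?"
                     r"\s*=\s*(?P<type>[\w-]+):\s*(?P<val>.*)$")

def parse_walk(text):
    """Yield (object, index, type, value) for each 'MIB::obj.idx = TYPE: value' line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # e.g. 'Network Address' types are skipped
        val = m.group("val").strip()
        if m.group("type") == "STRING":
            val = val.strip('"')          # snmpwalk quotes some STRING values
        yield m.group("obj"), m.group("idx"), m.group("type"), val

def split_rpm_nvr(nvr):
    """'openssh-server-4.3p2-36.el5' -> ('openssh-server', '4.3p2', '36.el5')."""
    if nvr.count("-") < 2:
        return nvr, "", ""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def summarize(text):
    """Collect what a read-only community reveals about the host."""
    info = {"host": None, "kernel": None, "processes": set(), "packages": {}}
    for obj, _idx, _typ, val in parse_walk(text):
        if obj == "sysDescr":
            fields = val.split()          # "Linux <hostname> <kernel> #1 SMP ..."
            if len(fields) >= 3 and fields[0] == "Linux":
                info["host"], info["kernel"] = fields[1], fields[2]
        elif obj == "hrSWRunName":
            info["processes"].add(val)
        elif obj == "hrSWInstalledName":
            name, version, release = split_rpm_nvr(val)
            info["packages"][name] = f"{version}-{release}"
    return info

SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: Linux host01.example.test 2.6.18-164.el5xen #1 SMP Thu Sep 3 04:03:03 EDT 2009 x86_64
HOST-RESOURCES-MIB::hrSWRunName.11855 = STRING: "httpd"
HOST-RESOURCES-MIB::hrSWRunName.32561 = STRING: "sshd"
HOST-RESOURCES-MIB::hrSWInstalledName.598 = STRING: "openssh-server-4.3p2-36.el5"
HOST-RESOURCES-MIB::hrSWInstalledName.143 = STRING: "MySQL-devel-community-5.0.81-0.rhel5"
IF-MIB::ifPhysAddress.2 = STRING: aa:0:0:dc:5f:58
"""
```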


Number and type of network interfaces, physical addresses, traffic counters, etc.: 1.3.6.1.2.1.2


Examples:


IF-MIB::ifNumber.0 = INTEGER: 3
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifIndex.3 = INTEGER: 3
IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifDescr.2 = STRING: eth0
IF-MIB::ifDescr.3 = STRING: sit0
IF-MIB::ifType.1 = INTEGER: softwareLoopback(24)
IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.3 = INTEGER: tunnel(131)
IF-MIB::ifPhysAddress.1 = STRING: 
IF-MIB::ifPhysAddress.2 = STRING: aa:0:0:dc:5f:58
IF-MIB::ifPhysAddress.3 = STRING: 
IF-MIB::ifInOctets.1 = Counter32: 19030140
IF-MIB::ifInOctets.2 = Counter32: 4072910622
IF-MIB::ifInOctets.3 = Counter32: 0
IF-MIB::ifOutOctets.1 = Counter32: 19030140
IF-MIB::ifOutOctets.2 = Counter32: 2001152942
IF-MIB::ifOutOctets.3 = Counter32: 0


Cacti monitors traffic by collecting exactly this data. ifNumber is the number of interfaces, ifType the interface type, ifPhysAddress the MAC address, ifInOctets the total inbound traffic, ifOutOctets the total outbound traffic, and so on.


IP-to-MAC address translation table: 1.3.6.1.2.1.3.1


Examples:


RFC1213-MIB::atIfIndex.2.1.x.x.o.o = INTEGER: 2
RFC1213-MIB::atPhysAddress.2.1.x.x.o.o = Hex-STRING: 28 C0 DA 05 20 00 
RFC1213-MIB::atNetAddress.2.1.x.x.o.o = Network Address: DC:B5:37:81


As I understand it, this is the same as the output of the arp -a command.


Interface IP addresses and subnet masks: 1.3.6.1.2.1.4.20


Examples:


IP-MIB::ipAdEntAddr.127.0.0.1 = IpAddress: 127.0.0.1
IP-MIB::ipAdEntAddr.x.x.o.o = IpAddress: x.x.o.o
IP-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 1
IP-MIB::ipAdEntIfIndex.x.x.o.o = INTEGER: 2
IP-MIB::ipAdEntNetMask.127.0.0.1 = IpAddress: 255.0.0.0
IP-MIB::ipAdEntNetMask.x.x.o.o = IpAddress: 255.255.255.128
IP-MIB::ipAdEntBcastAddr.127.0.0.1 = INTEGER: 0
IP-MIB::ipAdEntBcastAddr.x.x.o.o = INTEGER: 1


Routing table: 1.3.6.1.2.1.4.21


Since redacting the output would be too much work, no sample is given; you can test it yourself.


TCP connection table: 1.3.6.1.2.1.6.13


Equivalent to the netstat -t command.


Open UDP ports: 1.3.6.1.2.1.7.5


Two further OIDs are reproduced in many articles on the Internet:


1.3.6.1.4.77.1.2.25.1.1 // user list
1.3.6.1.4.77.1.4.1.0 // domain name


These two OIDs do exist, but on the several machines I tested they returned nothing. If you have more accurate test results, feedback is welcome.


0x02 Can we get more out of it?


After reading through the OIDs above, you will know that with the SNMP community in hand, everything from the system kernel to the MAC addresses, the routing table and the TCP connections is laid bare. But is that all? We have so much information, yet SNMP still cannot control the device. How sad.



It would be even better if SNMP could do more than read the system uptime: if some OID could read /etc/passwd, or even /etc/shadow. For now that is only wishful thinking, but a similar vulnerability is introduced below. It is



CVE-2012-3268



First, look at the WooYun cases:



China Mobile H3C firewall leak: administrator password obtained via SNMP, successful login to the device!



China Mobile Group layer-3 switch SNMP vulnerability: admin account password can be obtained, successful login





As you can see, the user name and password stored on the device can be read through a specific OID and then used to log in successfully.



The full background of this CVE can be found in the articles published by Kurt Grutzmacher.





Kurt Grutzmacher also provides Nmap and Metasploit (MSF) scanning plug-ins for this vulnerability, along with a tool for recovering the encrypted passwords.



To make a long story short, this is still essentially an information leak caused by SNMP; what makes it so attractive is that the user name and password needed to log in can be read with a read-only community. Three OIDs are known to return account information:


1.3.6.1.4.1.2011.5.2.1.10.1
1.3.6.1.4.1.2011.10.2.12.1.1.1
1.3.6.1.4.1.25506.2.12.1.1.1


On a device with this vulnerability, you only need to walk the three OIDs above. The vendor has released patches to fix it, but for reasons you can guess there are still many, many devices with this hole. So: please do not use the information in this article for illegal purposes; you bear the consequences yourself.



It should be said that the article and scanning plug-ins Kurt Grutzmacher released when disclosing the vulnerability only mention the latter two OIDs; the first OID comes from my analysis of the vulnerability @s3cur1ty submitted to WooYun. Thanks, @s3cur1ty.


