Days ago, there was a discussion about world-readable snmp communities, some people thought it was bad enough. Amazingly, I've found that a lot of network devices (such as intelligent switches, WAN/LAN routers, ISDN/DSL modems, remote access machines and even some user-end operating systems) are by default configured with snmp enabled and unlimited access with *write* privledges. It allows attacker to modify routing tables, status of network interfaces and other vital system data, and seems to be extermely dangerous. To make things even worse, some devices seems to tell that write permission for given community is disabled, but you can still successfully write to it - and other devices won't let you to set up snmp access at all (eg. some modems and switches). Here's brief list of devices I've found with world-writable communities - and names of these communities, respectively: - 3com Switch 3300 (3Com SuperStack II) - private - Cray MatchBox router (MR-1110 MatchBox Router/FR 2.01) - private - 3com RAS (HiPer Access Router Card) - public - Prestige 128 / 128 Plus - public - COLTSOHO 2.00.21 - private - PRT BRI ISDN router - public - CrossCom XL 2 - private - WaiLAN Agate 700/800 - public - HPJ3245A HP Switch 800T - public - ES-2810 FORE ES-2810, Version 2.20 - public - Windows NT Version 4.0 - public - Windows 98 (not 95) - public - Sun/SPARC Ultra 10 (Ultra-5_10) - private This list is for sure uncomplete, and might be inaccurate - it has been created after extensive, but only remote tests on devices outside my network (usually, these machines are inside ISP networks). On following devices, some parameters can be changed, but some can't - so it seems to be less dangerous: - HP LaserJet (EEPROM G.08.03) - public - PICO router - public - Xyplex Router 6.1.1 - private Best solutions: - try to disable unlimited snmp access, if possible, then check if it really worked, - ask vendor for firmware upgrade, - do not route traffic addressed to snmp-enabled devices from outside. Other systems: Cisco and Motorola routers, Netware, most Unix boxes are not vulnerable. Exploit code: $ snmpset hostname {private|public} interfaces.ifTable.ifEntry.ifAdminStatus.1 i 2 ...should bring 1st network interface on remote machine down... for more interesting options to be set, execute: $ snmpwalk hostname {private|public} _______________________________________________________ Michal Zalewski * [lcamtuf@ags.pl] <=> [AGS WAN SYSADM] [dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl] [+48 22 813 25 86] [+48 603 110 160] bash$ :(){ :|:&};: =-----=> God is real, unless declared integer. <=-----=