共产主义 英文:PROTOS Test-Suite: c06-snmpv1 (SNMP 测试)

PROTOS Test-Suite: c06-snmpv1

Permission is hereby granted for quoting, reprinting and redistributing this document, provided that a link to this document is given, and all changes made are clearly separated from the original text.

ABSTRACT

• The Simple Network Management Protocol (SNMP) enables monitoring and configuration of network nodes. The venerable SNMP is almost omni-present amongst a wide variety networked devices ranging from Internet gateways to information appliances. The SNMP version one (SNMPv1) was chosen as the subject protocol for vulnerability assessment through syntax testing and test-suite creation. A survey of the related standards was made. Test-material was prepared and tests were carried out against a sample set of existing implementations. Results were gathered and reported. Many of the implementations available for evaluation failed to perform in a robust manner under test. Some failures had information security implications, and should be considered as vulnerabilities. In order to achieve a robustness baseline for SNMPv1 products this test-material should be adopted for their evaluation and development.

Introduction

• This test-suite is a byproduct of the "PROTOS - Security Testing of Protocol Implementations" project. Important: Background, goals, limitations, terminology and licensing for this test-suite release are explained in the "Test-suite releases in Theory and Practice" document.

• This test-suite covers a limited set of information security and robustness related implementation errors for a subset of the chosen protocol. The subject protocol and the chosen subset of it are illustrated in the Analysis section below.

Analysis

• "SNMP is a communication protocol that has gained widespread acceptance since 1993 as a method of managing TCP/IP works, including individual network devices, and devices in aggregate. SNMP was developed by the IETF (Internet Engineering Task Force), and is applicable to any TCP/IP network, as well as other types of networks." - Open Directory Project [1]

• "The Internet Activities Board recommends that all IP and TCP implementations be network manageable." - RFC1157 [2]

• The purpose of this test-suite is to evaluate implementation level security and robustness of Simple Network Management Protocol (SNMP) implementations. The factors behind choosing SNMP included:
  • SNMP is widely adopted for managing IP networks, including individual network devices, and devices in aggregate. In other words - there are plenty of different implementations and a myriad of installations. Moreover, even if the SNMP is not in active use inside a network, it may be lying dormant on individual devices by virtue of being included in default configurations.
  • A SNMP manageable devices may be critical for the network infrastructure. Even a denial-of-service attack against such of a device may have serious implications. Therefore locating and fixing common implementation errors should be encouraged.
  • Robustness problems in decoding exceptional BER encoding may lead to situation where application level authentication based access control is ineffective since errors may reside in code that will be involved in parsing the packets before authentication takes place.
  • Since SNMP has been around for a relatively long time implementations should have had time to mature, making them more robust against implementation type errors. Evaluating such mature products should provide us useful feedback on the current state of implementation level robustness in general.

• In this test-suite, the focus was set on the certain protocol data units (PDUs), namely requests (GetRequest, GetNextRequest and SetRequest) and traps. The protocol version one (SNMPv1) was chosen. Rationale behind these selections:

  • SNMP agents and trap-aware SNMP managers are by design ready to accept incoming requests and traps without prior session setup. These expose a natural attack vector that should be scrutinized with top priority.
  • All SNMP implementations must support SNMPv1. Moreover, newer versions of the protocol (SNMPv2[p,c,u] and SNMPv3) should be considered as protocols of their own due to the changes in the management paradigm.
  • SNMPv1 has a less complicated structure in comparison to the newer versions. This enables us to concentrate on other things than the protocol specification. Thus, we could expect a test-suite of good quality and coverage.
  • Although SNMPv1 is a venerable protocol, it has no popular and public syntax testing material aimed against robustness problems.
  • Due the widespread nature of SNMPv1, there are plenty of implementations by several vendors available for testing, including equipment that are a critical part of the core Internet infrastructure.

• In order to understand the typical deployment scenarios of SNMPv1, some guidelines for securing specific SNMP implementations were reviewed (see Appendix A). Typical recommendations are summarized below in no particular order:

  • A. Choose non-default community names.
  • B. Apply perimeter filtering to SNMP traffic.
  • C. Apply SNMP device based network access control to filter the traffic.
  • D. Isolate SNMP into a separate management VLAN.
  • E. Disable the SNMP functionality if it is not needed.
• Assuming recommendation (A) to be the most widely adopted measure, the impact of new potential SNMPv1 vulnerabilities can be roughly categorised based on the dependency on the need-to-know the chosen community names (the authentication scheme). A vulnerability can occur:
  • 1. independently of the community name (greatest impact)
  • 2. with a known read-only community name
  • 3. with a known read-write community name (smallest impact)
• The second category was chosen as the initial test-strategy. If a vulnerability is discovered by using a known read-only community name, then it will be verified in context where a correct community name is unknown. Many SNMPv1 implementations appear to use default community names that are well-known, such as 'public'. This fact increases the impact of vulnerabilities in the last two categories.
• A survey of pre-existing test-suites was made (see Appendix B]). None of the identified test-suites were found to be robustness related, and thus do not contribute in this context.

Design

Standard Survey

• The available standards specifying the selected protocol have to be studied, and analysed. The relevant protocol specifications are listed in the table below.

• Only the relevant SNMP specifications are listed. Several specifications regarding newer SNMP versions and extensions are left out but are available from IETF. [3] SNMPv1 Standard survey

  Name

  Document Date

  Organization

  Status

  Link

  Description

  RFC1155

  1990-05

  IETF

  RFC

  (link)

  Structure and Identification of Management Information for TCP/IP-based Internets

  RFC1156

  1990-05

  IETF

  RFC

  (link)

  Management Information Base for Network Management of TCP/IP-based internet

  RFC1157

  1990-05

  IETF

  RFC

  (link)

  Simple Network Management Protocol (SNMP)

  RFC1215

  1991-03

  IETF

  RFC

  (link)

  A Convention for Defining Traps for use with the SNMP

  RFC1270

  1991-11

  IETF

  RFC

  (link)

  SNMP Communications Services

  RFC1352

  1992-07

  IETF

  RFC

  (link)

  SNMP Security Protocols

  RFC2570

  1999-04

  IETF

  RFC

  (link)

  Introduction to SNMPv3 framework - overall roadmap

• For further study, a selection of practical material on SNMPv1 and related issues is given below:

  • comp.protocols.snmp SNMP FAQ [4]

  • TCP/IP Illustrated, Volume 1 by Stevens [5]

  • ASN.1 Complete by Prof. Larmouth [6]

Subject Survey

• A survey of available implementations is conducted. This should include a diverse selection of implementations in order to gain a better insight into the applications implementing the protocol, and to give a hint of the impact of the potential vulnerabilities. Typically, not all implementations are available for testing, and thus cannot be tested by the project personnel within this test-suite prerelease phase.

• No sample list of implementations is presented herein. A large number of vendors include SNMPv1 support in their products for either manager or agent functionality. A list of vendors with SNMPv1 enabled products may include at least 3Com, Alcatel, Amber Networks, Arbor, Banyan Networks, Canon, Cisco, Compaq, Computer Associates, D-Link, Dell, Digi, Ericsson, Extreme networks, F5, Foundry, Fujitsu Siemens, HP, Hitachi, IBM, ICL, Intel, Juniper Networks, Lantronix, Laurel, Lotus Lucent, Marconi-Fore, Microsoft, Multitech, NET-SNMP, NetGear, Nokia, Nortel, Novell, SMC, Shiva, Siemens, Sumimoto, Sun Microsystems, Telebit, Teledat, Windriver, Xerox, Xylan, Zyxel and many others.

• Myriad of products with built-in SNMPv1 support include different models of:
  • managed network building blocks: bridges, hubs, routers, switches, media converters, UPSes, WLAN access points
  • managed network access equipment: cable modems, xDSL equipment, remote access servers
  • security products: firewalls, anti-virus frameworks, network analyzers
  • networked printers/copiers, networked cameras, networked image-scanners
  • managed software components: databases, backup software
  • network management frameworks
  • operating systems
  • networked instruments: oscilloscopes, medical imaging units
  • industrial automation equipment: manufacturing, processing ...
• Some specific SNMP implementations and related information may be found from the following resources:

  • The Simpleweb [7]

  • SNMPLink [8]

  • SNMPWorld [9]

  • comp.protocols.snmp SNMP FAQ [4]

• A subset of the implementations was chosen as a sample set to be tested during the test-suite creation and pre-release phases. Most likely reasons for omission of a specific product from the sample set include:
  • no evaluation copy of product was available
  • or evaluation copy had a restrictive licence prohibiting evaluation
  • or we were not aware of the product

Injection Vector Survey

• The injection vector survey, or delivery vector survey, analyses the different methods of delivering the test-cases to the implementations under test (IUT). Often, there are several methods of injection and one test-suite cannot cover them all, or might miss some vectors not available in all implementations.
• Injection vector survey

  Application protocol

  Transport protocol

  Packet

  SNMPv1 Requests

  UDP (port 161)

  GetRequest/GetNextRequest/SetRequest PDUs to an agent

  SNMPv1 Responses

  UDP

  Responses for Request PDUs

  SNMPv1 Traps

  UDP (port 162)

  Trap-PDUs to a manager (trap listener)

• The core specification(s) of the SNMPv1 protocol indicate that UDP over IP is used to transfer SNMPv1 protocol data units (PDU) although the mechanisms of the SNMP are generally suitable for use with a wide variety of transport services. For example RFC1089, RFC1161 and RFC1298 describe the means of transferring SNMPv1 messages over protocols other than UDP over IP. However the UDP over IP is the most used scheme. Hence, the selected UDP delivery vector should provide successful injection of test-cases to all chosen implementations.

About SNMP Architecture

• The SNMP architecture is illustrated in the figure below. The figure identifies two major roles (Manager and Agent) and two communication channels (UDP port 161 and UDP port 162).

• 

• Figure: Simplified SNMP architecture
• SNMP managers can be anything from monolithic GUI based management frameworks to individual console applications that communicate over network using SNMPv1 protocol. There are also specific trap listeners for logging and dispatching incoming trap event messages.
• SNMP agents can either work alone or with sub-agents. When sub-agents are present, the agent that listens for SNMPv1 requests from managers is called a master agent. The master agent forwards a received request to corresponding sub-agents. This communication may be done using a special sub-agent protocol. If the sub-agent does not respond directly to the requester, then the master agent may be involved in converting the response into SNMPv1 and delivering it to the manager. The master agent may be completely transparent to the manager.

• "A master agent provides access to SNMP variables that may be provided by one or more subagents. The master agent usually uses a subagent protocol (AgentX, DPI, SMUX, EMANATE, ...) to interact with the subagents. One of the key features of such an extensible agent is that it is complete transparent to the manager." - SNMP FAQ [4]

• A SNMP proxy agent is an element capable of acting as gateway to the other management agents. Proxies could be used to map different management protocols and to pass through an application level firewall.

• "The current definition of a proxy SNMP agent is an agent which acts like a gateway to other SNMP agents. This can be useful in order to pass firewalls or to map SNMP protocol versions. Such a proxy is however not transparent to the manager since the manager usually has to select special parameters to address the target agent through the proxy." - SNMP FAQ [4]

Specifications Design

• Protocol data unit specifications are used as a basis for generating the test-cases. Starting point for the design of the test-suite is to acquire or create a machine-readable representation of the protocol specification. The test-tool developed in this project uses a custom dialect of BNF (Backus-Naur Form). The BNF is capable of describing context-free syntax of a specification, but is not usually enough for the PDU generation. The specification is completed by semantic rules which semantically extend the BNF and communication rules which provide communication channels with external components. Rules are implemented in Java.
• In this test-suite, a BNF presentation of SNMPv1 packet types was needed. Since SNMPv1 specification uses ASN.1 notation, the relevant ASN.1 specifications were manually converted into BNF.

Design of Exceptional Elements

• An exceptional element is a piece of data designed to provoke undesired behavior of the subject implementation. A single test-case contains one or more exceptional elements. An exceptional element can be illegal according to protocol specification, but often it is legal or in the hazy region between legal and illegal constructs. In a nutshell, an exceptional element is an input that might not have been considered properly when implementing the software.
• ASN.1 Basic Encoding Rules (BER) are used along the SNMPv1 specification to resolve the actual representation of the PDUs. Namely constructed types, field lengths, integers, strings and object identifiers are encoded using BER.
• The application logic of a SNMPv1 agent receives data objects from a BER decoder, acts according the requests, and replies to the manager though a BER encoder. A SNMPv1 manager sends requests and listens for replies and trap messages. One might suppose that the use of ASN.1/BER protects the application logic from malformed input. However, any exceptional input which is correctly encoded will pass to the application logic.

Exceptional Element Categories

• The following table lists the categories of the exceptional elements designed for the test-material: Exceptional element categories

  Name

  Description

  E-01

  Invalid BER length (L) fields. The first part of this group contains valid encodings of exceptional values, while the other part contains invalid length of length BER encodings

  E-02

  Exceptional elements for Class tags: Universal, Application, Context-specific, Private

  E-04

  Exceptional elements for BER's T fields number field

  E-05

  Mostly invalid encodings for BER NULL type

  E-06

  Mostly invalid encodings for BER BOOLEAN type

  E-07

  Mostly invalid encodings for BER INTEGER type

  E-08

  Mostly invalid encodings for BER OCTETSTRING type

  E-09

  Mostly invalid encodings for BER BITSTRING type

  E-10

  Mostly invalid encodings for BER SEQUENCE-OF type

  E-11

  Mostly invalid encodings for BER SET-OF type

  E-12

  Mostly invalid encodings for BER OBJECT-IDENTIFIER type

  E-13

  Mostly invalid encodings for BER REAL type

  E-14

  Mostly invalid encodings for BER ENUMERATED type

  E-15

  Total garbage with semi correct BER encodings

  E-16

  BER elements of PDU totally removed one at a time

  E-17

  Invalid extra data inserted in different parts of the PDU

  I-01

  Overflows with multiple zeroes and integer coded format strings

  I-02

  Overflow integers: various very big integers from (+/-)1 to magnitudes (+/-)2^256 and above

  I-03

  Large boundaric integer values (ie. (2^{32)+-1, (2}64)+-1,...)

  I-04

  SetRequest(3) and Trap(4) PDU types in SNMP messages are replaced with big integers (ie. (2^{32)+3, (2}56)+3, (2^64)+3,...)

  B-01

  Legal values (0x01 - 0x05) for ErrorStatus defined in RFC1157

  O-01

  General overflow strings consisting of for example from long strings of character 'a'

  O-02

  Long exceptional strings applied after community name public as VLAN name (ie. public@vlan0). Strings include multiples of 'a', "%s", '0', etc.

  O-03

  Overflows with null terminator (0x00) inserted at their beginning

  O-04

  Overflows with null terminator (0x00) inserted in their midst

  F-01

  Format strings of type "%s", "%s%n%x", "%.999d", "*.*d" and their variants

  F-02

  Community-specific format strings applied with community name public, ie. "public%s"

  O-05

  Object-identifier exceptional elements. Very long OIDs, OIDs with extremely big (ie. negative) branches

  O-06

  Object identifiers for sys.sysDescr, sys.sysName, if.ifNumber if.ifIndex with no, or invalid indexes

  O-07

  multiple (empty) VarBind entries. OIDs used in VarBind entries are if.ifIndex for Trap-PDU's and sys.sysName for other PDU types

  O-08

  multiple VarBind entries with short format string ("%s%s%s") as value. OIDs used in VarBind entries are if.ifIndex for Trap-PDU's and sys.sysName for other PDU types.

  M-01

  Zero length (null) data applied as a value of every BER element of PDU

  Legend:
  • B: Bit pattern exceptions
  • E: BER encoding exceptions
  • F: Format string exceptions
  • I: Integer value exceptions
  • M: Missing symbol exceptions
  • O: Overflow exceptions
• In "Encoding Exceptions" (letter E), exceptional ASN.1/BER elements are exercised. The purpose is to test the robustness of the BER decoder of the tested SNMPv1 implementation.
• In "Application Exceptions" (other letters), correctly formatted ASN.1/BER elements contain exceptional data objects. The purpose is to test the robustness of the application logic of the SNMPv1 implementation.

Design of Test-Material

• The tests are divided into four separate test-material packages. Each test-material package consists of a certain amount of test-cases. The test-cases are organized into test-groups so that similar kind of cases reside in a same group. Details for each package are presented below.

Req-App

• 10601 test-cases: GetRequest, GetNextRequest and SetRequest PDUs with application exceptions Test-groups in req-app

  Name

  Category

  First index #

  Test-cases

  zero-case-get-req

  valid

  0

  1

  zero-case-get-next-req

  valid

  1

  1

  zero-case-set-req

  valid

  2

  1

  get-req-version-integer

  I-01, I-02, I-03

  3

  374

  get-req-requestid-integer

  I-01, I-02, I-03

  377

  374

  get-req-errorstatus-integer

  I-01, I-02, I-03

  751

  374

  get-req-errorindex-integer-big

  B-01, I-01, I-02

  1125

  303

  get-req-errorindex-integer-boundary

  B-01, I-03

  1428

  355

  get-req-communityname-overflow

  O-01

  1783

  111

  get-req-communityname-overflow-fmtstring

  F-01, F-02

  1894

  82

  get-req-communityname-overflow-extra-null

  O-03, O-04

  1976

  109

  get-req-communityname-vlan-overflow

  O-02

  2085

  244

  get-req-varb-objectname-oid

  O-05

  2329

  64

  get-req-varb-objectname-oid-with-fmtstring

  O-05, F-01

  2393

  64

  get-req-varb-objectname-oid-invalid-index

  O-06

  2457

  88

  get-req-varb-sysname-string-overflow

  O-01

  2545

  111

  get-req-varb-sysname-string-overflow-fmtstring

  F-01

  2656

  36

  get-req-varb-sysname-string-overflow-extra-null

  O-03, O-04

  2692

  109

  get-req-varb-sysname-object-oid

  O-05

  2801

  64

  get-req-varb-sysname-number-integer

  I-01, I-02, I-03

  2865

  374

  get-req-varb-sysname-address-integer-small

  I-01

  3239

  33

  get-req-varb-sysname-counter-integer

  I-01, I-02, I-03

  3272

  374

  get-req-varb-sysname-gauge-integer

  I-01, I-02, I-03

  3646

  374

  get-req-varb-sysname-timeticks-integer

  I-01, I-02, I-03

  4020

  374

  get-req-varb-sysname-opaque-integer

  I-01, I-02, I-03

  4394

  374

  get-req-varb-multiple

  O-07, O-08

  4768

  34

  get-req-missing-data

  M-01

  4802

  15

  getn-req-errorstatus-integer

  I-01, I-02, I-03

  4817

  374

  getn-req-errorindex-integer-big

  B-01, I-01, I-02

  5191

  303

  getn-req-errorindex-integer-boundary

  B-01, I-03

  5494

  355

  getn-req-varb-objectname-oid

  O-05

  5849

  64

  getn-req-varb-objectname-oid-with-fmtstring

  O-05, F-01

  5913

  64

  getn-req-varb-objectname-oid-invalid-index

  O-06

  5977

  88

  getn-req-varb-multiple

  O-07, O-08

  6065

  34

  getn-req-missing-data

  M-01

  6099

  15

  set-req-errorstatus-integer

  I-01, I-02, I-03

  6114

  374

  set-req-errorindex-integer-big

  B-01, I-01, I-02

  6488

  303

  set-req-errorindex-integer-boundary

  B-01, I-03

  6791

  355

  set-req-communityname-overflow

  O-01

  7146

  111

  set-req-communityname-overflow-fmtstring

  F-01, F-02

  7257

  82

  set-req-communityname-overflow-extra-null

  O-03, O-04

  7339

  109

  set-req-communityname-vlan-overflow

  O-02

  7448

  244

  set-req-varb-objectname-oid

  O-05

  7692

  128

  set-req-varb-objectname-oid-with-fmtstring

  O-05, F-01

  7820

  64

  set-req-varb-objectname-oid-invalid-index

  O-06

  7884

  176

  set-req-varb-sysdescr-string-overflow

  O-01

  8060

  111

  set-req-varb-sysdescr-string-overflow-fmtstring

  F-01

  8171

  36

  set-req-varb-sysdescr-string-overflow-extra-nul

  O-03, O-04

  8207

  109

  set-req-varb-sysname-string-overflow

  O-01

  8316

  111

  set-req-varb-sysname-string-overflow-fmtstring

  F-01

  8427

  36

  set-req-varb-sysname-string-overflow-extra-null

  O-03, O-04

  8463

  109

  set-req-varb-sysname-object-oid

  O-05

  8572

  64

  set-req-varb-sysname-number-integer

  I-01, I-02, I-03

  8636

  374

  set-req-varb-sysname-address-integer-small

  I-01

  9010

  33

  set-req-varb-sysname-counter-integer

  I-01, I-02, I-03

  9043

  374

  set-req-varb-sysname-gauge-integer

  I-01, I-02, I-03

  9417

  374

  set-req-varb-sysname-timeticks-integer

  I-01, I-02, I-03

  9791

  374

  set-req-varb-sysname-opaque-integer

  I-01, I-02, I-03

  10165

  374

  set-req-varb-multiple

  O-07, O-08

  10539

  34

  set-req-missing-data

  M-01

  10573

  15

  set-req-request-type-shadow

  I-04

  10588

  13

  Legend:

  • Name column presents the tag-names of the test-groups. Tags map in some extent to field names in SNMPv1 PDUs defined in RFC1157. Tags can be used to follow which parts of the PDU are being tested, and how. For example, get-req-communityname-overflow indicates that exceptional elements aiming to reveal buffer overflow vulnerabilities are inserted to the Community-field of the GetRequest-PDU.

  • Category column describes which exceptional element categories are integrated in the test-group. Ie. category O-01 in above example is deduced from this column.
  • "Test-cases" and "First index #" columns describe how many test-cases belong to the test-group, describing the first test-case number, and the number of cases from there on.

Req-Enc

• 18915 test-cases: GetRequest, GetNextRequest and SetRequest PDUs with encoding exceptions Test-groups in req-enc

  Name

  Category

  First index #

  Test-cases

  zero-case-get-req

  valid

  0

  1

  zero-case-get-next-req

  valid

  1

  1

  zero-case-set-req

  valid

  2

  1

  get-req-ber-t-class

  E-02

  3

  76

  get-req-ber-t-number

  E-04

  79

  516

  get-req-ber-l-length

  E-01

  595

  1180

  get-req-ber-tlv-NULL

  E-05

  1775

  288

  get-req-ber-tlv-BOOLEAN

  E-06

  2063

  336

  get-req-ber-tlv-INTEGER

  E-07

  2399

  360

  get-req-ber-tlv-OCTETSTRING

  E-08

  2759

  264

  get-req-ber-tlv-BITSTRING

  E-09

  3023

  264

  get-req-ber-tlv-REAL

  E-13

  3287

  624

  get-req-ber-tlv-OBJECT-IDENTIFIER

  E-12

  3911

  456

  get-req-ber-tlv-SEQUENCE-OF

  E-10

  4367

  480

  get-req-ber-tlv-SET-OF

  E-11

  4847

  384

  get-req-ber-tlv-ENUMERATED

  E-14

  5231

  290

  get-req-ber-tlv-noise

  E-15

  5521

  790

  get-req-extra-data-inside

  E-17

  6311

  252

  get-req-extra-data-inside-varbind

  E-17

  6563

  378

  get-req-extra-data-outside

  E-17

  6941

  63

  get-req-missing-field

  E-16

  7004

  11

  getn-req-ber-t-class

  E-02

  7015

  68

  getn-req-ber-t-number

  E-04

  7083

  430

  getn-req-ber-l-length

  E-01

  7513

  1003

  getn-req-ber-tlv-NULL

  E-05

  8516

  216

  getn-req-ber-tlv-BOOLEAN

  E-06

  8732

  252

  getn-req-ber-tlv-INTEGER

  E-07

  8984

  270

  getn-req-ber-tlv-OCTETSTRING

  E-08

  9254

  192

  getn-req-ber-tlv-BITSTRING

  E-09

  9446

  198

  getn-req-ber-tlv-REAL

  E-13

  9644

  468

  getn-req-ber-tlv-OBJECT-IDENTIFIER

  E-12

  10112

  342

  getn-req-ber-tlv-SEQUENCE-OF

  E-10

  10454

  360

  getn-req-ber-tlv-SET-OF

  E-11

  10814

  288

  getn-req-ber-tlv-ENUMERATED

  E-14

  11102

  261

  getn-req-ber-tlv-noise

  E-15

  11363

  711

  getn-req-extra-data-inside

  E-17

  12074

  252

  getn-req-extra-data-inside-varbind

  E-17

  12326

  378

  getn-req-extra-data-outside

  E-17

  12704

  63

  getn-req-missing-field

  E-16

  12767

  9

  set-req-ber-t-class

  E-02

  12776

  68

  set-req-ber-t-number

  E-04

  12844

  430

  set-req-ber-l-length

  E-01

  13274

  1003

  set-req-ber-tlv-NULL

  E-05

  14277

  216

  set-req-ber-tlv-BOOLEAN

  E-06

  14493

  252

  set-req-ber-tlv-INTEGER

  E-07

  14745

  270

  set-req-ber-tlv-OCTETSTRING

  E-08

  15015

  192

  set-req-ber-tlv-BITSTRING

  E-09

  15207

  198

  set-req-ber-tlv-REAL

  E-13

  15405

  468

  set-req-ber-tlv-OBJECT-IDENTIFIER

  E-12

  15873

  342

  set-req-ber-tlv-SEQUENCE-OF

  E-10

  16215

  360

  set-req-ber-tlv-SET-OF

  E-11

  16575

  288

  set-req-ber-tlv-ENUMERATED

  E-14

  16863

  261

  set-req-ber-tlv-noise

  E-15

  17124

  711

  set-req-extra-data-inside

  E-17

  17835

  252

  set-req-extra-data-inside-varbind

  E-17

  18087

  756

  set-req-extra-data-outside

  E-17

  18843

  63

  set-req-missing-field

  E-16

  18906

  9

  Legend: [see first test-group table above]

Trap-App

• 15323 test-cases: Trap PDUs with application exceptions Test-groups in trap-app

  Name

  Category

  First index #

  Test-cases

  trap-coldstart-valid

  valid

  0

  1

  trap-warmstart-valid

  valid

  1

  1

  trap-linkdown-valid

  valid

  2

  1

  trap-linkup-valid

  valid

  3

  1

  trap-authenticationfailure-valid

  valid

  4

  1

  trap-egbneighborloss-valid

  valid

  5

  1

  trap-request-type-shadow

  I-04

  6

  13

  trap-version-integer

  I-01, I-02, I-03

  19

  284

  trap-communityname-overflow

  O-01

  303

  111

  trap-communityname-overflow-fmtstring

  F-01, F-02

  414

  82

  trap-communityname-overflow-extra-null

  O-03, O-04

  496

  79

  trap-communityname-vlan-overflow

  O-02

  575

  244

  trap-enterprise-oid

  O-05

  819

  64

  trap-enterprise-oid-invalid-index

  O-06

  883

  86

  trap-agent-addr-integer

  I-01, I-02, I-03

  969

  284

  trap-generic-trap-integer

  I-01, I-02, I-03

  1253

  284

  trap-specific-trap-integer

  I-01, I-02, I-03

  1537

  284

  trap-time-stamp-integer

  I-01, I-02, I-03

  1821

  284

  trap-start-varb-objectname-oid

  O-05

  2105

  128

  trap-start-varb-objectname-oid-invalid-index

  O-06

  2233

  172

  trap-start-varb-objectsyntax-string-overflow

  O-01

  2405

  222

  trap-start-varb-objectsyntax-string-overflow-fmtstring

  F-01

  2627

  72

  trap-start-varb-objectsyntax-string-overflow-extra-null

  O-03, O-04

  2699

  158

  trap-start-varb-objectsyntax-object-oid

  O-05

  2857

  128

  trap-start-varb-objectsyntax-number-integer

  I-01, I-02, I-03

  2985

  568

  trap-start-varb-objectsyntax-networkaddress-integer

  I-01, I-02, I-03

  3553

  568

  trap-start-varb-objectsyntax-counter-integer

  I-01, I-02, I-03

  4121

  568

  trap-start-varb-objectsyntax-gauge-integer

  I-01, I-02, I-03

  4689

  568

  trap-start-varb-objectsyntax-timeticks-integer

  I-01, I-02, I-03

  5257

  568

  trap-start-varb-objectsyntax-opaque-integer

  I-01, I-02, I-03

  5825

  568

  trap-start-varb-multiple

  O-07, O-08

  6393

  68

  trap-start-missing-data

  M-01

  6461

  32

  trap-link-varb-objectname-oid

  O-05

  6493

  128

  trap-link-varb-objectname-oid-invalid-index

  O-06

  6621

  172

  trap-link-varb-objectsyntax-string-overflow

  O-01

  6793

  224

  trap-link-varb-objectsyntax-string-overflow-fmtstring

  F-01

  7017

  72

  trap-link-varb-objectsyntax-string-overflow-extra-null

  O-03, O-04

  7089

  158

  trap-link-varb-objectsyntax-object-oid

  O-05

  7247

  128

  trap-link-varb-objectsyntax-number-integer

  I-01, I-02, I-03

  7375

  568

  trap-link-varb-objectsyntax-networkaddress-integer

  I-01, I-02, I-03

  7943

  568

  trap-link-varb-objectsyntax-counter-integer

  I-01, I-02, I-03

  8511

  568

  trap-link-varb-objectsyntax-gauge-integer

  I-01, I-02, I-03

  9079

  568

  trap-link-varb-objectsyntax-timeticks-integer

  I-01, I-02, I-03

  9647

  568

  trap-link-varb-objectsyntax-opaque-integer

  I-01, I-02, I-03

  10215

  568

  trap-link-varb-multiple

  O-07, O-08

  10783

  68

  trap-link-missing-data

  M-01

  10851

  32

  trap-authfail-varb-objectname-oid

  O-05

  10883

  64

  trap-authfail-varb-objectname-oid-invalid-index

  O-06

  10947

  86

  trap-authfail-varb-objectsyntax-string-overflow

  O-01

  11033

  112

  trap-authfail-varb-objectsyntax-string-overflow-fmtstring

  F-01

  11145

  36

  trap-authfail-varb-objectsyntax-string-overflow-extra-null

  O-03, O-04

  11181

  79

  trap-authfail-varb-objectsyntax-object-oid

  O-05

  11260

  64

  trap-authfail-varb-objectsyntax-number-integer

  I-01, I-02, I-03

  11324

  284

  trap-authfail-varb-objectsyntax-networkaddress-integer

  I-01, I-02, I-03

  11608

  284

  trap-authfail-varb-objectsyntax-counter-integer

  I-01, I-02, I-03

  11892

  284

  trap-authfail-varb-objectsyntax-gauge-integer

  I-01, I-02, I-03

  12176

  284

  trap-authfail-varb-objectsyntax-timeticks-integer

  I-01, I-02, I-03

  12460

  284

  trap-authfail-varb-objectsyntax-opaque-integer

  I-01, I-02, I-03

  12744

  284

  trap-authfail-varb-multiple

  O-07, O-08

  13028

  34

  trap-authfail-missing-data

  M-01

  13062

  16

  trap-neighloss-varb-objectname-oid

  O-05

  13078

  64

  trap-neighloss-varb-objectname-oid-invalid-index

  O-06

  13142

  86

  trap-neighloss-varb-objectsyntax-string-overflow

  O-01

  13228

  112

  trap-neighloss-varb-objectsyntax-string-overflow-fmtstring

  F-01

  13340

  36

  trap-neighloss-varb-objectsyntax-string-overflow-extra-null

  O-03, O-04

  13376

  79

  trap-neighloss-varb-objectsyntax-object-oid

  O-05

  13455

  64

  trap-neighloss-varb-objectsyntax-number-integer

  I-01, I-02, I-03

  13519

  284

  trap-neighloss-varb-objectsyntax-networkaddress-integer

  I-01, I-02, I-03

  13803

  284

  trap-neighloss-varb-objectsyntax-counter-integer

  I-01, I-02, I-03

  14087

  284

  trap-neighloss-varb-objectsyntax-gauge-integer

  I-01, I-02, I-03

  14371

  284

  trap-neighloss-varb-objectsyntax-timeticks-integer

  I-01, I-02, I-03

  14655

  284

  trap-neighloss-varb-objectsyntax-opaque-integer

  I-01, I-02, I-03

  14939

  284

  trap-neighloss-varb-multiple

  O-07, O-08

  15223

  34

  trap-neighloss-missing-data

  M-01

  15257

  16

  trap-enterprise-varb-multiple

  O-07, O-08

  15273

  34

  trap-enterprise-missing-data

  M-01

  15307

  16

• Legend: [see first test-group table above]

Trap-Enc

• 8777 test-cases: Trap PDUs with encoding exceptions
• Test-groups in trap-enc

  Name

  Category

  First index #

  Test-cases

  trap-coldstart-valid

  valid

  0

  1

  trap-warmstart-valid

  valid

  1

  1

  trap-linkdown-valid

  valid

  2

  1

  trap-linkup-valid

  valid

  3

  1

  trap-authenticationfailure-valid

  valid

  4

  1

  trap-egbneighborloss-valid

  valid

  5

  1

  trap-ber-t-class

  E-02

  6

  84

  trap-ber-t-number

  E-04

  90

  559

  trap-ber-l-length

  E-01

  649

  1298

  trap-ber-tlv-NULL

  E-05

  1947

  312

  trap-ber-tlv-BOOLEAN

  E-06

  2259

  364

  trap-ber-tlv-INTEGER

  E-07

  2623

  390

  trap-ber-tlv-OCTETSTRING

  E-08

  3013

  312

  trap-ber-tlv-BITSTRING

  E-09

  3325

  286

  trap-ber-tlv-REAL

  E-13

  3611

  676

  trap-ber-tlv-OBJECT-IDENTIFIER

  E-12

  4287

  494

  trap-ber-tlv-SEQUENCE-OF

  E-10

  4781

  520

  trap-ber-tlv-SET-OF

  E-11

  5301

  416

  trap-ber-tlv-ENUMERATED

  E-14

  5717

  348

  trap-ber-tlv-noise

  E-15

  6065

  936

  trap-extra-data-inside

  E-17

  7001

  756

  trap-extra-data-inside-varbind

  E-17

  7757

  756

  trap-extra-data-outside

  E-17

  8513

  252

  trap-missing-field

  E-16

  8765

  12

  Legend: [see first test-group table above]

Test-Material Default Values

• All test-cases have been initialized with default values listed below. One or more of the listed values are altered when exceptional elements are applied to the PDU.
• Default values used in req-app and req-enc:
  • Version: 0
  • Community: "public"

  • PDU-Type: GetRequest | GetNextRequest | SetRequest

  • RequestID: test-case index

  • ErrorStatus: 0

  • ErrorIndex: 0

  • Single VarBind:

    • ObjectName: sys.SysName (1.3.6.1.2.1.1.5.0)

    • ObjectSyntax: empty (GetRequest, GetNextRequest) | 'c06-snmpv1' (SetRequest)

• Default values used in trap-app and trap-enc:
  • Version: 0
  • Community: "public"
  • PDU-Type: Trap
  • Enterprise: unix.agents.fourBSD-isode.21 (1.3.6.1.4.1.4.1.2.21)
  • Agent-addr: 127.0.0.1

  • Generic-trap: ColdStart (0x00)

  • Specific-trap: 0x00
  • Time-stamp: test-case index

  • Single VarBind:

    • ObjectName: if.ifNumber (1.3.6.1.2.1.2.1.0)

    • ObjectSyntax: 0x21

Injection

• The test-tool provides communication rules for test-case injection. SNMPv1 PDUs can be injected using a simple UDP injector. Optionally, responses from the subject can be monitored.

Semantic Rules

• The test-tool provides semantic rules as method for augmenting the (already extended) BNF specification.
• SNMPv1 requires use of the basic encoding rules (BER) for formatting octets sent over the UDP over IP connection. BER is a simple encoding method and can be modeled with BNF except for the length fields. Semantic rules for encoding/decoding BER Integers and Object-Identifiers were developed for this test-suite.

Instrumentation

• With instrumentation on the target platform we are able to monitor for undesired behavior of the subject implementation. Typically this manifests as exceptions or signals such as 'access violation' or 'segmentation fault'. Unfortunately, the modern trend of abusing the try-catch -type of constructs easily masks the exceptions generated by stack and memory corruption. Catching these hidden exceptions relies on the debugging skills of the developers themselves.
• Zero-case instrumentation will be bundled with the test-material. In this rather crude method, a valid PDU (zero-case) that should result in a valid reply is sent to the subject between real test-cases until a response is received. Hence, if no response from the subject is detected, it has failed. This method is especially convenient when testing black-box hardware implementations. Unfortunately, zero-case instrumentation is not available with Trap-PDUs since implementations should never reply to the received traps.

Implementation

• Test-runs were conducted against the chosen set of sample implementations. Specifications, exceptional elements, semantic rules, injectors and instrumentation were integrated as a test-tool configuration to enable automatic execution of the tests.

Results from the Test-Runs

• Results from the test-runs are summarised herein. Tables below represent the observations from feeding the test-material against the chosen subject software. Product names of the actual subjects are omitted to protect the innocent. Results are presented in a tabular form with test-cases divided into test-groups based on the exceptional element types utilised and PDU fields under examination.
• Each failed test-case represents at minimum a denial of service type chance of exploiting the found vulnerability. In most cases, they represent memory corruption, stack corruption or other fatal error conditions. Some of these may lead exposure to typical buffer overflow exploits, allowing running of arbitrary code or modification of the target system.
• The recommendations for securing SNMP implementations presented in the Analysis section were tried against each sample implementation when suitable.
• Changing the community name worked only for some implementations, but not especially for those which had problems with exceptional community names. Network access control was soon discovered to be insufficient since UDP source address can be easily spoofed. Disabling the SNMP functionality worked usually when there was a possibility to do so. However, there was one implementation that continued to receive SNMP packets even after SNMP was disabled. It did not respond to valid SNMP requests, but crashed when certain test-cases were injected. All sample implementations accepted SNMPv1 packets sent to the network broadcast address, this is most likely due to nature of the typical bind() usage with INADDR_ANY address.

Test-Result Definitions

• In this test-suite, the 'failed' status is granted if any of the following criteria are met and a single test-case can be identified to be responsible of it:
  • A fatal failure is triggered in a device causing it to stop functioning normally
  • A SNMP process or a device crashes or hangs and needs to be restarted manually
  • A SNMP process or a device crashes and restarts automatically
  • A SNMP process consumes almost all CPU and/or memory resources for an exceptionally long or indefinite time
• If no single test-case can be identified but similar effects are observed, the status is 'inconclusive'.
• If the 'failed' status happens to be independent of SNMP community names, it is upgraded to 'failed unconditionally'. This is the worst status that can be given.
• In some cases, the subject gets corrupted so badly or is fundamentally so instable that there is no way to collect accurate test-results for the whole test-run. The untested regions are marked as 'unknown'.
• Otherwise, the status is 'passed'.

Test-Results by Test-Groups

• These tables show how effective different test-groups were in the test-runs. A test-group is marked failed if any single case or combination of cases cause the subject to fail. Note that if a subject fails in a format string (fmtstring) test-group, the failure may be triggered by a very long format string causing an overflow condition. Should implementation have failed format string category, but not previous overflow category, then implementation is more or very likely to contain real format string type of vulnerability.
• Observed failures for req-app test-groups

  Test-group / Test-run #

  001

  002

  003

  004

  005

  006

  007

  008

  ...

  .

  .

  .

  .

  .

  .

  .

  .

  get-req-communityname-overflow

  -

  -

  U

  -

  -

  U

  -

  -

  get-req-communityname-overflow-fmtstring

  -

  -

  U

  -

  -

  U

  -

  -

  get-req-communityname-overflow-extra-null

  -

  -

  U

  -

  -

  U

  -

  -

  get-req-communityname-vlan-overflow

  -

  -

  -

  -

  -

  U

  -

  -

  get-req-varb-objectname-oid

  X

  -

  -

  U

  -

  -

  X

  -

  get-req-varb-objectname-oid-with-fmtstring

  X

  -

  -

  U

  -

  -

  X

  -

  get-req-varb-objectname-oid-invalid-index

  I

  -

  -

  -

  -

  -

  -

  -

  ...

  .

  .

  .

  .

  .

  .

  .

  .

  get-req-varb-sysname-object-oid

  -

  -

  -

  U

  -

  -

  -

  -

  ...

  .

  .

  .

  .

  .

  .

  .

  .

  get-req-varb-multiple

  X

  -

  -

  -

  -

  -

  -

  -

  ...

  .

  .

  .

  .

  .

  .

  .

  .

  getn-req-varb-objectname-oid

  X

  -

  -

  U

  -

  -

  X

  -

  getn-req-varb-objectname-oid-with-fmtstring

  X

  -

  -

  U

  -

  -

  X

  -

  getn-req-varb-objectname-oid-invalid-index

  I

  -

  -

  -

  -

  -

  -

  -

  getn-req-varb-multiple

  X

  -

  -

  -

  -

  -

  -

  -

  ...

  .

  .

  .

  .

  .

  .

  .

  .

  set-req-communityname-overflow

  -

  -

  U

  -

  -

  U

  -

  -

  set-req-communityname-overflow-fmtstring

  -

  -

  U

  -

  -

  U

  -

  -

  set-req-communityname-overflow-extra-null

  -

  -

  U

  -

  -

  U

  -

  -

  set-req-communityname-vlan-overflow

  -

  -

  -

  -

  -

  U

  -

  -

  set-req-varb-objectname-oid

  -

  -

  -

  U

  -

  -

  -

  -

  set-req-varb-objectname-oid-with-fmtstring

  -

  -

  -

  U

  -

  -

  -

  -

  ...

  .

  .

  .

  .

  .

  .

  .

  .

  set-req-varb-sysname-object-oid

  -

  -

  -

  U

  -

  -

  -

  -

  ...

  .

  .

  .

  .

  .

  .

  .

  .

  Legend:
  • nnn: Each different test-run (tr-nnn) represents a different tested implementation.
  • X: Verdict is failed
  • U: Verdict is failed unconditionally (no need-to-know a valid community name)
  • I: Verdict is inconclusive
  • -: Verdict is passed
• Observed failures for req-enc test-groups

  Test-group / Test-run #

  001

  002

  003

  004

  005

  006

  007

  008

  ...

  .

  .

  .

  .

  .

  .

  .

  .

  get-req-ber-l-length

  -

  -

  U

  -

  X

  -

  U

  U

  ...

  .

  .

  .

  .

  .

  .

  .

  .

  get-req-ber-tlv-OBJECT-IDENTIFIER

  -

  -

  -

  -

  -

  -

  X

  -

  ...

  .

  .

  .

  .

  .

  .

  .

  .

  get-req-ber-tlv-noise

  -

  -

  -

  -

  -

  -

  X

  -

  ...

  .

  .

  .

  .

  .

  .

  .

  .

  getn-req-ber-l-length

  -

  -

  U

  -

  X

  -

  X

  U

  ...

  .

  .

  .

  .

  .

  .

  .

  .

  getn-req-ber-tlv-OBJECT-IDENTIFIER

  -

  -

  -

  -

  -

  -

  X

  -

  ...

  .

  .

  .

  .

  .

  .

  .

  .

  getn-req-ber-tlv-noise

  -

  -

  -

  -

  -

  -

  X

  -

  ...

  .

  .

  .

  .

  .

  .

  .

  .

  set-req-ber-t-number

  -

  -

  U

  -

  -

  -

  -

  -

  set-req-ber-l-length

  -

  -

  U

  -

  X

  -

  -

  -

  ...

  .

  .

  .

  .

  .

  .

  .

  .

  set-req-ber-tlv-BITSTRING

  -

  -

  U

  -

  -

  -

  -

  -

  ...

  .

  .

  .

  .

  .

  .

  .

  .

  Legend: [see first result table above]
• Observed failures for trap-app test-groups

  Test-group / Test-run #

  009

  010

  011

  012

  ...

  .

  .

  .

  .

  trap-enterprise-oid

  -

  -

  -

  I

  ...

  .

  .

  .

  .

  trap-start-varb-objectsyntax-string-overflow

  -

  U

  U

  -

  ...

  .

  .

  .

  .

  trap-start-varb-objectsyntax-string-overflow-extra-null

  -

  U

  -

  -

  trap-start-varb-objectsyntax-object-oid

  U

  -

  -

  -

  ...

  .

  .

  .

  .

  trap-start-varb-objectsyntax-opaque-integer

  -

  U

  U

  -

  trap-start-varb-multiple

  U

  U

  -

  -

  ...

  .

  .

  .

  .

  trap-link-varb-objectsyntax-string-overflow

  -

  U

  U

  -

  ...

  .

  .

  .

  .

  trap-link-varb-objectsyntax-string-overflow-extra-null

  -

  U

  -

  -

  trap-link-varb-objectsyntax-object-oid

  U

  -

  -

  -

  ...

  .

  .

  .

  .

  trap-link-varb-objectsyntax-opaque-integer

  -

  U

  U

  -

  trap-link-varb-multiple

  U

  U

  -

  -

  ...

  .

  .

  .

  .

  trap-authfail-varb-objectsyntax-string-overflow

  -

  U

  U

  -

  ...

  .

  .

  .

  .

  trap-authfail-varb-objectsyntax-string-overflow-extra-null

  -

  U

  -

  -

  trap-authfail-varb-objectsyntax-object-oid

  U

  -

  -

  -

  ...

  .

  .

  .

  .

  trap-authfail-varb-objectsyntax-opaque-integer

  -

  U

  U

  -

  trap-authfail-varb-multiple

  U

  U

  -

  -

  ...

  .

  .

  .

  .

  trap-neighloss-varb-objectsyntax-string-overflow

  -

  U

  U

  -

  ...

  .

  .

  .

  .

  trap-neighloss-varb-objectsyntax-string-overflow-extra-null

  -

  U

  -

  -

  trap-neighloss-varb-objectsyntax-object-oid

  U

  -

  -

  -

  ...

  .

  .

  .

  .

  trap-neighloss-varb-objectsyntax-opaque-integer

  -

  U

  U

  -

  trap-neighloss-varb-multiple

  U

  U

  -

  -

  ...

  .

  .

  .

  .

  trap-enterprise-varb-multiple

  U

  U

  -

  -

  ...

  .

  .

  .

  .

• Legend: [see first result table above]
• Observed failures for trap-enc test-groups

  Test-group / Test-run #

  009

  010

  011

  012

  trap-ber-t-class

  -

  -

  U

  -

  trap-ber-t-number

  -

  -

  U

  -

  trap-ber-l-length

  U

  -

  U

  -

  ...

  .

  .

  .

  .

  trap-ber-tlv-BOOLEAN

  -

  -

  U

  I

  ...

  .

  .

  .

  .

  trap-ber-tlv-OCTETSTRING

  -

  U

  -

  -

  trap-ber-tlv-BITSTRING

  -

  U

  U

  -

  trap-ber-tlv-REAL

  -

  -

  U

  -

  trap-ber-tlv-OBJECT-IDENTIFIER

  -

  U

  -

  -

  trap-ber-tlv-SEQUENCE-OF

  -

  U

  U

  I

  trap-ber-tlv-SET-OF

  -

  U

  U

  -

  trap-ber-tlv-ENUMERATED

  -

  -

  U

  I

  trap-ber-tlv-noise

  -

  -

  U

  -

  ...

  .

  .

  .

  .

  Legend: [see first result table above]

Test-Results Summary

• The results are further summarised in the tables below. Results summary for req-app

  Test-run #

  Total test-cases

  Failed test-cases

  Total groups

  Failed groups

  tr-001

  10601

  N

  61

  8

  tr-002

  10601

  0

  61

  0

  tr-003

  10601

  13

  61

  6

  tr-004

  10601

  16

  61

  8

  tr-005

  10601

  0

  61

  0

  tr-006

  10601

  224

  61

  8

  tr-007

  10601

  57

  61

  4

  tr-008

  10601

  0

  61

  0

  Legend:
  • N: We were unable to determine the exact number of failures. See the more detailed tables above.
• Results summary for req-enc

  Test-run #

  Total test-cases

  Failed test-cases

  Total groups

  Failed groups

  tr-001

  18915

  0

  57

  0

  tr-002

  18915

  0

  57

  0

  tr-003

  18915

  N

  57

  5

  tr-004

  18915

  0

  57

  0

  tr-005

  18915

  4

  57

  3

  tr-006

  18915

  0

  57

  0

  tr-007

  18915

  N

  57

  5

  tr-008

  18915

  10

  57

  2

  Legend: [see first summary table above]
• Results summary for trap-app

  Test-run #

  Total test-cases

  Failed test-cases

  Total groups

  Failed groups

  tr-009

  15323

  N

  76

  9

  tr-010

  15323

  166

  76

  17

  tr-011

  15323

  12

  76

  8

  tr-012

  15323

  N

  76

  1

  Legend: [see first summary table above]
• Results summary for trap-enc

  Test-run #

  Total test-cases

  Failed test-cases

  Total groups

  Failed groups

  tr-009

  8777

  5

  24

  1

  tr-010

  8777

  24

  24

  5

  tr-011

  8777

  N

  24

  10

  tr-012

  8777

  N

  24

  3

  Legend: [see first summary table above]

Verification via Exploits

• To support the vulnerability reporting process, typically one exploit per implementation is refined and included in the respective vulnerability report. The exploit is only intended for demonstration purposes and is harmless as it is. Simplest of them only executes some harmless commands in the target system, typically with the privileges of the vulnerable process. Some only provide a demonstration by causing a Denial of Service (DoS) against the software. Buffer overflow exploits allowing execution of arbitrary code were demonstrated against:
  • One SNMP master agent bundled in an embedded firewall and VPN appliance
  • Two SNMP master agents bundled as part of the operating systems in question
  • One SNMP trap listener bundled as part of the operating system in question
  • Two add-on trap listeners available as parts of SNMP management frameworks
  In the initial set of the tested products, denial of service was demonstrated for the remaining master agents (three network devices) and one trap listener (management framework) identified as vulnerable.

Test-Material Package

Package Information

• The test-material is distributed as four JAR packages, two for Request-PDUs (GetRequest, GetNextRequest and SetRequest) and two for Trap-PDUs. Of the two JAR packages for given PDU type one contains the application part and the other the BER encoding part of test-cases. Each package comprises of the following elements:

• Test-cases (PDUs), located in testcases/ directory
• Java code (source and compiled) for feeding the test-cases against the system under test
• LICENSE.TXT - GNU General Public License (GPL) version 2
• README.TXT - Short instructions

Licence and Copyright

• The test-material is licensed under GNU General Public License (GPL) version 2, at no charge. This is done in order to ensure that vendors and their customers may freely utilise the test-material. Standard GPL terms for no warranty and no liability apply.

• We recommend some additional guidelines, although these do not restrict the test-material licence. These guidelines can be found from the "test-suite releases in Theory and Practice" document.

Usage

• A prerequisite for using the test-material is a properly configured SNMPv1 implementation, preferably not in an open network.
• The test-material can be used either with the bundled injection code [Using with Java] or with an external injector [Using single test-cases].

Using with Java

• Java Runtime is a prerequisite for running the bundled Java code. This package has been tested on Java 2 Platform, Standard Edition (J2SE ). [10]

• Usage examples for the injection code bundled in the JAR packages:
• java -jar c06-snmpv1-req-app-r1.jar -help
  • This command displays the built-in help for the available command line options. Options such as selecting the zero-case instrument, a specific range of test-cases, showing the reply from subject or non-standard destination port are high-lighted therein.

• java -jar c06-snmpv1-req-app-r1.jar -host hostname -single -showreply

  • Send the req-app test-case index into SNMP server hostname port 161 and show reply from the server (if any). Please note that -showreply is not relevant with SNMP traps.
• java -jar c06-snmpv1-req-app-r1.jar -host hostname -delay 1000
  • Send all req-app test-cases into SNMP server hostname port 161 with a delay of 1000 milliseconds between each case.
• java -jar c06-snmpv1-req-app-r1.jar -host hostname -zerocase
  • Run all req-app test-cases into SNMP server hostname port 161. A valid zero-case (test-case# 0) is injected between the real test-cases and a reply to it is awaited for. Please note that -zerocase switch works only with Request-PDUs, SNMPv1 trap handling does not involve responses.

Using without Java

• The test-cases (PDUs) are in raw binary format and can be used by any suitable delivery software, such as nc (netcat). The individual test-cases can be extracted from the JAR package with tools such as unzip, Winzip or jar. Refer to the manual pages and product documentation of the respective tools for additional information.

Download

Request Material

• These JAR packages contain the req-app and req-enc test-material and the corresponding PGP signatures.

  • c06-snmpv1-req-app-r1.jar (req-app test-material)

  • c06-snmpv1-req-app-r1.jar.asc (req-app detached PGP signature)

  • c06-snmpv1-req-enc-r1.jar (req-enc test-material)

  • c06-snmpv1-req-enc-r1.jar.asc (req-enc detached PGP signature)

Trap Material

• These JAR packages contain the trap-app and trap-enc test-material and the corresponding PGP signatures.

  • c06-snmpv1-trap-app-r1.jar (trap-app test-material)

  • c06-snmpv1-trap-app-r1.jar.asc (trap-app detached PGP signature)

  • c06-snmpv1-trap-enc-r1.jar (trap-enc test-material)

  • c06-snmpv1-trap-enc-r1.jar.asc (trap-enc detached PGP signature)

Notes

• Be sure to check which PDU types the subject accepts. Zero-case instrument requires that the subject has a properly configured 'public' SNMP read community. Otherwise the subject will not respond to valid test-cases. However, if you want to test a subject with a different community, the default zero-case (test-case# 0) can be replaced. Using a hex editor, 'public' can be changed to 'foobar' and because they have the same length, the packet validity is preserved. Remember that zero-case instrumentation works only with Request-PDU packages, because SNMP traps are never replied to.
• For the best possible replication of results gathered by us, request JAR test-cases should be ran using switches -zerocase and -showreply. For the trap JARs no additional switches except for the -host should be used. This ensures that timeouts and configuration options match as far as possible those used in our test-runs. As mentioned earlier, community name 'public' was used as read community and no write community was defined.
• Sending test-cases with different timeouts, in different order and so on may reveal error modes we did not notice. Also, setting write community to public or read community to something other than public are likely to have significant effect on results and possible error modes observed.

Conclusions

• The initial results from the c06-snmpv1 tests indicate that implementation errors plague several SNMP products. None from the sample of twelve implementations survived the test-material. This is most alarming since SNMPv1 is widely used in critical parts of network infrastructure.
• Attempts to secure the sample implementations from the found vulnerabilities produced various results. Applying device based access control to SNMP traffic was mostly useless since spoofing the UDP source address is simple. All sample implementations by default accepted SNMP packets sent to the network broadcast address, and this lessens the effort needed to exploit the vulnerabilities. A potential attacker does not need to know the actual IP-addresses of his targets and can in worst case use a single broadcast packet to compromise a whole network without ever having to find out a valid SNMP community name. In some cases, SNMP could not be fully disabled and there was no other way to secure an implementation than to plug it off the network.
• Since the test-material can discover only a fraction of potential implementation errors, it is likely that we have simply touched the tip of the iceberg. We hope that a wide adoption of this test-suite will raise the overall quality of SNMP products and will help implementors to fix also those vulnerabilities not directly addressed by it.

Acknowledgments

• We wish to express our gratitude to individual vendors who worked with us to protect their customers. We are in debt to Sonera Corporation for providing us facilities and support in determing the impact of the test-suite. Last, but not least, we are grateful to CERT/CC for their patient help, advice and active role during the vulnerability process. We admire CERT/CC's ability and sacrifice in handling the complexity of the issue, number of the vendors involved and the resulting flood of communication during extended time-frame spanning several months.

Vulnerability Management

Prior Public Vulnerabilities

• The most common sources for vulnerability information and exploits were covered and cross checked for potential and already known vulnerabilities in the implementations of the chosen protocol. Typical sources for finding out about existing vulnerabilities are databases and mailing-lists. Search-engines may also reveal information on past vulnerabilities.

The Vulnerability Process

• During the prerelease phase all verified vulnerabilities were reported to the respective vendors. The vulnerability reports were tracked by the CERT/CC in role of an independent coordinator and advisor. [11] Due to potentially large number of vendors affected, an attempt to establish a channel for discussion and test-material distribution was made with CERT/CC.

Advisories and Vendor Statements

• Vendor statements or security advisories issued in order to address the vulnerabilities uncovered by this test-suite are collected. Advisories that we are aware of are listed here-in:

  • [CERT/CC 2002-02-12 ] CERT? Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)

References

• [1] "Open Directory Project : Top : Computers : Internet : Protocols". Open directory project. http://dmoz.org/Computers/Internet/Protocols/desc.html.

  [2] Case, J; Fedor, M; Schoffstall, M & Davin J. (1990). "A Simple Network Management Protocol (SNMP)". The Internet Engineering Task Force. http://www.ietf.org/rfc/rfc1157.txt.

  [3] "The Internet Engineering Task Force". http://www.ietf.org/.

  [4] "comp.protocols.snmp SNMP FAQ". http://www.faqs.org/faqs/snmp-faq/.

  [5] Stevens, Richard W. TCP/IP Illustrated, Volume 1. (1994). Addison-Wesley. ISBN: 0-201-63346-9.

  [6] Larmouth, John. ASN.1 Complete. (1999). Morgan Kaufmann. http://www.oss.com/asn1/larmouth.html. ISBN: 0-12233-435-3.

  [7] "The SimpleWeb". http://www.simpleweb.org/.

  [8] "SNMPLink.org". http://www.snmplink.org/.

  [9] "SNMPWorld". http://silver.he.net/~rrg/snmpworld.htm.

  [10] "Java 2 Platform, Standard Edition (J2SE)". http://java.sun.com/j2se/1.3/.

  [11] "CERT/CC". http://www.cert.org/.

Appendix A: Guidelines for Securing SNMP

• As part of the analysis for the PROTOS c06-snmpv1 test-suite, some guidelines for securing specific SNMP implementations were reviewed.
  • Securing SNMP on Solaris

    • http://ist.uwaterloo.ca/security/howto/2000-10-04/

    Securing SNMP in Windows

    • http://www.sans.org/infosecFAQ/incident/SNMP.htm

    Securing your Cisco Router when using SNMP

    • http://www.sans.org/infosecFAQ/netdevices/router.htm

    SNMP - simple management tool for hackers?

    • http://www.nwfusion.com/newsletters/sec/1004sec1.html

    Windows 2000, SNMP and Security

    • http://www.securityfocus.com/focus/microsoft/2k/snmp.html

Appendix B: Related Test-Suites

• A survey of other existing test-suites related to SNMP was conducted. The found test-suites focused on rather semantical issues, with no or only some syntax testing material.

• http://www.iwl.com

  • "InterWorking Labs provides SilverCreek(R), the SNMP Test-Suite, for software engineers to find and fix bugs in their SNMP agent implementations. With nearly 1,000 tests available for SNMPv1, v2, v3, and semantic tests for RMON1, RMON2, and the Printer MIB, InterWorking Labs has revolutionised the process of testing network products."

• http://www.smplsft.com/stest.html

  • "SimpleTester is an easy to use test tool that automatically tests SNMPv1, SNMPv2C and SNMPv3 agents. Using this tool you can exhaustively test agents implementing standard and enterprise specific MIBs within minutes. Over 800 semantic validation tests for popular MIBs like MIB-II, mini-RMON and SNMPv3 are included with source code. Utilities like MIB browser, Trap Checker and Script Generator, along with scripting support for Telnet and Serial I/O is also present."