共产主义 英文:PROTOS Test-Suite: c06-snmpv1 (SNMP 测试)
来源:百度文库 编辑:偶看新闻 时间:2024/04/30 19:29:58
PROTOS Test-Suite: c06-snmpv1
Permission is hereby granted for quoting, reprinting and redistributing this document, provided that a link to this document is given, and all changes made are clearly separated from the original text.
ABSTRACT
-
The Simple Network Management Protocol (SNMP) enables monitoring and configuration of network nodes. The venerable SNMP is almost omni-present amongst a wide variety networked devices ranging from Internet gateways to information appliances. The SNMP version one (SNMPv1) was chosen as the subject protocol for vulnerability assessment through syntax testing and test-suite creation. A survey of the related standards was made. Test-material was prepared and tests were carried out against a sample set of existing implementations. Results were gathered and reported. Many of the implementations available for evaluation failed to perform in a robust manner under test. Some failures had information security implications, and should be considered as vulnerabilities. In order to achieve a robustness baseline for SNMPv1 products this test-material should be adopted for their evaluation and development.
Introduction
-
This test-suite is a byproduct of the "PROTOS - Security Testing of Protocol Implementations" project. Important: Background, goals, limitations, terminology and licensing for this test-suite release are explained in the "Test-suite releases in Theory and Practice" document.
-
This test-suite covers a limited set of information security and robustness related implementation errors for a subset of the chosen protocol. The subject protocol and the chosen subset of it are illustrated in the Analysis section below.
Analysis
-
"SNMP is a communication protocol that has gained widespread acceptance since 1993 as a method of managing TCP/IP works, including individual network devices, and devices in aggregate. SNMP was developed by the IETF (Internet Engineering Task Force), and is applicable to any TCP/IP network, as well as other types of networks." - Open Directory Project [1]
-
"The Internet Activities Board recommends that all IP and TCP implementations be network manageable." - RFC1157 [2]
- The purpose of this test-suite is to evaluate implementation level security and robustness of Simple Network Management Protocol (SNMP) implementations. The factors behind choosing SNMP included:
- SNMP is widely adopted for managing IP networks, including individual network devices, and devices in aggregate. In other words - there are plenty of different implementations and a myriad of installations. Moreover, even if the SNMP is not in active use inside a network, it may be lying dormant on individual devices by virtue of being included in default configurations.
- A SNMP manageable devices may be critical for the network infrastructure. Even a denial-of-service attack against such of a device may have serious implications. Therefore locating and fixing common implementation errors should be encouraged.
- Robustness problems in decoding exceptional BER encoding may lead to situation where application level authentication based access control is ineffective since errors may reside in code that will be involved in parsing the packets before authentication takes place.
- Since SNMP has been around for a relatively long time implementations should have had time to mature, making them more robust against implementation type errors. Evaluating such mature products should provide us useful feedback on the current state of implementation level robustness in general.
-
In this test-suite, the focus was set on the certain protocol data units (PDUs), namely requests (GetRequest, GetNextRequest and SetRequest) and traps. The protocol version one (SNMPv1) was chosen. Rationale behind these selections:
- SNMP agents and trap-aware SNMP managers are by design ready to accept incoming requests and traps without prior session setup. These expose a natural attack vector that should be scrutinized with top priority.
- All SNMP implementations must support SNMPv1. Moreover, newer versions of the protocol (SNMPv2[p,c,u] and SNMPv3) should be considered as protocols of their own due to the changes in the management paradigm.
- SNMPv1 has a less complicated structure in comparison to the newer versions. This enables us to concentrate on other things than the protocol specification. Thus, we could expect a test-suite of good quality and coverage.
- Although SNMPv1 is a venerable protocol, it has no popular and public syntax testing material aimed against robustness problems.
- Due the widespread nature of SNMPv1, there are plenty of implementations by several vendors available for testing, including equipment that are a critical part of the core Internet infrastructure.
-
In order to understand the typical deployment scenarios of SNMPv1, some guidelines for securing specific SNMP implementations were reviewed (see Appendix A). Typical recommendations are summarized below in no particular order:
- A. Choose non-default community names.
- B. Apply perimeter filtering to SNMP traffic.
- C. Apply SNMP device based network access control to filter the traffic.
- D. Isolate SNMP into a separate management VLAN.
- E. Disable the SNMP functionality if it is not needed.
- Assuming recommendation (A) to be the most widely adopted measure, the impact of new potential SNMPv1 vulnerabilities can be roughly categorised based on the dependency on the need-to-know the chosen community names (the authentication scheme). A vulnerability can occur:
- 1. independently of the community name (greatest impact)
- 2. with a known read-only community name
- 3. with a known read-write community name (smallest impact)
- The second category was chosen as the initial test-strategy. If a vulnerability is discovered by using a known read-only community name, then it will be verified in context where a correct community name is unknown. Many SNMPv1 implementations appear to use default community names that are well-known, such as 'public'. This fact increases the impact of vulnerabilities in the last two categories.
- A survey of pre-existing test-suites was made (see Appendix B]). None of the identified test-suites were found to be robustness related, and thus do not contribute in this context.
Design
Standard Survey
- The available standards specifying the selected protocol have to be studied, and analysed. The relevant protocol specifications are listed in the table below.
-
Only the relevant SNMP specifications are listed. Several specifications regarding newer SNMP versions and extensions are left out but are available from IETF. [3] SNMPv1 Standard survey
Name
Document Date
Organization
Status
Link
Description
RFC1155
1990-05
IETF
RFC
(link)
Structure and Identification of Management Information for TCP/IP-based Internets
RFC1156
1990-05
IETF
RFC
(link)
Management Information Base for Network Management of TCP/IP-based internet
RFC1157
1990-05
IETF
RFC
(link)
Simple Network Management Protocol (SNMP)
RFC1215
1991-03
IETF
RFC
(link)
A Convention for Defining Traps for use with the SNMP
RFC1270
1991-11
IETF
RFC
(link)
SNMP Communications Services
RFC1352
1992-07
IETF
RFC
(link)
SNMP Security Protocols
RFC2570
1999-04
IETF
RFC
(link)
Introduction to SNMPv3 framework - overall roadmap
- For further study, a selection of practical material on SNMPv1 and related issues is given below:
-
comp.protocols.snmp SNMP FAQ [4]
-
TCP/IP Illustrated, Volume 1 by Stevens [5]
-
ASN.1 Complete by Prof. Larmouth [6]
-
Subject Survey
- A survey of available implementations is conducted. This should include a diverse selection of implementations in order to gain a better insight into the applications implementing the protocol, and to give a hint of the impact of the potential vulnerabilities. Typically, not all implementations are available for testing, and thus cannot be tested by the project personnel within this test-suite prerelease phase.
-
No sample list of implementations is presented herein. A large number of vendors include SNMPv1 support in their products for either manager or agent functionality. A list of vendors with SNMPv1 enabled products may include at least 3Com, Alcatel, Amber Networks, Arbor, Banyan Networks, Canon, Cisco, Compaq, Computer Associates, D-Link, Dell, Digi, Ericsson, Extreme networks, F5, Foundry, Fujitsu Siemens, HP, Hitachi, IBM, ICL, Intel, Juniper Networks, Lantronix, Laurel, Lotus Lucent, Marconi-Fore, Microsoft, Multitech, NET-SNMP, NetGear, Nokia, Nortel, Novell, SMC, Shiva, Siemens, Sumimoto, Sun Microsystems, Telebit, Teledat, Windriver, Xerox, Xylan, Zyxel and many others.
- Myriad of products with built-in SNMPv1 support include different models of:
- managed network building blocks: bridges, hubs, routers, switches, media converters, UPSes, WLAN access points
- managed network access equipment: cable modems, xDSL equipment, remote access servers
- security products: firewalls, anti-virus frameworks, network analyzers
- networked printers/copiers, networked cameras, networked image-scanners
- managed software components: databases, backup software
- network management frameworks
- operating systems
- networked instruments: oscilloscopes, medical imaging units
- industrial automation equipment: manufacturing, processing ...
- Some specific SNMP implementations and related information may be found from the following resources:
-
The Simpleweb [7]
-
SNMPLink [8]
-
SNMPWorld [9]
-
comp.protocols.snmp SNMP FAQ [4]
-
- A subset of the implementations was chosen as a sample set to be tested during the test-suite creation and pre-release phases. Most likely reasons for omission of a specific product from the sample set include:
- no evaluation copy of product was available
- or evaluation copy had a restrictive licence prohibiting evaluation
- or we were not aware of the product
Injection Vector Survey
- The injection vector survey, or delivery vector survey, analyses the different methods of delivering the test-cases to the implementations under test (IUT). Often, there are several methods of injection and one test-suite cannot cover them all, or might miss some vectors not available in all implementations.
- Injection vector survey
Application protocol
Transport protocol
Packet
SNMPv1 Requests
UDP (port 161)
GetRequest/GetNextRequest/SetRequest PDUs to an agent
SNMPv1 Responses
UDP
Responses for Request PDUs
SNMPv1 Traps
UDP (port 162)
Trap-PDUs to a manager (trap listener)
- The core specification(s) of the SNMPv1 protocol indicate that UDP over IP is used to transfer SNMPv1 protocol data units (PDU) although the mechanisms of the SNMP are generally suitable for use with a wide variety of transport services. For example RFC1089, RFC1161 and RFC1298 describe the means of transferring SNMPv1 messages over protocols other than UDP over IP. However the UDP over IP is the most used scheme. Hence, the selected UDP delivery vector should provide successful injection of test-cases to all chosen implementations.
About SNMP Architecture
- The SNMP architecture is illustrated in the figure below. The figure identifies two major roles (Manager and Agent) and two communication channels (UDP port 161 and UDP port 162).
-
- Figure: Simplified SNMP architecture
- SNMP managers can be anything from monolithic GUI based management frameworks to individual console applications that communicate over network using SNMPv1 protocol. There are also specific trap listeners for logging and dispatching incoming trap event messages.
- SNMP agents can either work alone or with sub-agents. When sub-agents are present, the agent that listens for SNMPv1 requests from managers is called a master agent. The master agent forwards a received request to corresponding sub-agents. This communication may be done using a special sub-agent protocol. If the sub-agent does not respond directly to the requester, then the master agent may be involved in converting the response into SNMPv1 and delivering it to the manager. The master agent may be completely transparent to the manager.
-
"A master agent provides access to SNMP variables that may be provided by one or more subagents. The master agent usually uses a subagent protocol (AgentX, DPI, SMUX, EMANATE, ...) to interact with the subagents. One of the key features of such an extensible agent is that it is complete transparent to the manager." - SNMP FAQ [4]
- A SNMP proxy agent is an element capable of acting as gateway to the other management agents. Proxies could be used to map different management protocols and to pass through an application level firewall.
-
"The current definition of a proxy SNMP agent is an agent which acts like a gateway to other SNMP agents. This can be useful in order to pass firewalls or to map SNMP protocol versions. Such a proxy is however not transparent to the manager since the manager usually has to select special parameters to address the target agent through the proxy." - SNMP FAQ [4]
Specifications Design
- Protocol data unit specifications are used as a basis for generating the test-cases. Starting point for the design of the test-suite is to acquire or create a machine-readable representation of the protocol specification. The test-tool developed in this project uses a custom dialect of BNF (Backus-Naur Form). The BNF is capable of describing context-free syntax of a specification, but is not usually enough for the PDU generation. The specification is completed by semantic rules which semantically extend the BNF and communication rules which provide communication channels with external components. Rules are implemented in Java.
- In this test-suite, a BNF presentation of SNMPv1 packet types was needed. Since SNMPv1 specification uses ASN.1 notation, the relevant ASN.1 specifications were manually converted into BNF.
Design of Exceptional Elements
- An exceptional element is a piece of data designed to provoke undesired behavior of the subject implementation. A single test-case contains one or more exceptional elements. An exceptional element can be illegal according to protocol specification, but often it is legal or in the hazy region between legal and illegal constructs. In a nutshell, an exceptional element is an input that might not have been considered properly when implementing the software.
- ASN.1 Basic Encoding Rules (BER) are used along the SNMPv1 specification to resolve the actual representation of the PDUs. Namely constructed types, field lengths, integers, strings and object identifiers are encoded using BER.
- The application logic of a SNMPv1 agent receives data objects from a BER decoder, acts according the requests, and replies to the manager though a BER encoder. A SNMPv1 manager sends requests and listens for replies and trap messages. One might suppose that the use of ASN.1/BER protects the application logic from malformed input. However, any exceptional input which is correctly encoded will pass to the application logic.
Exceptional Element Categories
- The following table lists the categories of the exceptional elements designed for the test-material: Exceptional element categories
Name
Description
E-01
Invalid BER length (L) fields. The first part of this group contains valid encodings of exceptional values, while the other part contains invalid length of length BER encodings
E-02
Exceptional elements for Class tags: Universal, Application, Context-specific, Private
E-04
Exceptional elements for BER's T fields number field
E-05
Mostly invalid encodings for BER NULL type
E-06
Mostly invalid encodings for BER BOOLEAN type
E-07
Mostly invalid encodings for BER INTEGER type
E-08
Mostly invalid encodings for BER OCTETSTRING type
E-09
Mostly invalid encodings for BER BITSTRING type
E-10
Mostly invalid encodings for BER SEQUENCE-OF type
E-11
Mostly invalid encodings for BER SET-OF type
E-12
Mostly invalid encodings for BER OBJECT-IDENTIFIER type
E-13
Mostly invalid encodings for BER REAL type
E-14
Mostly invalid encodings for BER ENUMERATED type
E-15
Total garbage with semi correct BER encodings
E-16
BER elements of PDU totally removed one at a time
E-17
Invalid extra data inserted in different parts of the PDU
I-01
Overflows with multiple zeroes and integer coded format strings
I-02
Overflow integers: various very big integers from (+/-)1 to magnitudes (+/-)2^256 and above
I-03
Large boundaric integer values (ie. (232)+-1, (264)+-1,...)
I-04
SetRequest(3) and Trap(4) PDU types in SNMP messages are replaced with big integers (ie. (232)+3, (256)+3, (2^64)+3,...)
B-01
Legal values (0x01 - 0x05) for ErrorStatus defined in RFC1157
O-01
General overflow strings consisting of for example from long strings of character 'a'
O-02
Long exceptional strings applied after community name public as VLAN name (ie. public@vlan0). Strings include multiples of 'a', "%s", '0', etc.
O-03
Overflows with null terminator (0x00) inserted at their beginning
O-04
Overflows with null terminator (0x00) inserted in their midst
F-01
Format strings of type "%s", "%s%n%x", "%.999d", "*.*d" and their variants
F-02
Community-specific format strings applied with community name public, ie. "public%s"
O-05
Object-identifier exceptional elements. Very long OIDs, OIDs with extremely big (ie. negative) branches
O-06
Object identifiers for sys.sysDescr, sys.sysName, if.ifNumber if.ifIndex with no, or invalid indexes
O-07
multiple (empty) VarBind entries. OIDs used in VarBind entries are if.ifIndex for Trap-PDU's and sys.sysName for other PDU types
O-08
multiple VarBind entries with short format string ("%s%s%s") as value. OIDs used in VarBind entries are if.ifIndex for Trap-PDU's and sys.sysName for other PDU types.
M-01
Zero length (null) data applied as a value of every BER element of PDU
Legend:- B: Bit pattern exceptions
- E: BER encoding exceptions
- F: Format string exceptions
- I: Integer value exceptions
- M: Missing symbol exceptions
- O: Overflow exceptions
- In "Encoding Exceptions" (letter E), exceptional ASN.1/BER elements are exercised. The purpose is to test the robustness of the BER decoder of the tested SNMPv1 implementation.
- In "Application Exceptions" (other letters), correctly formatted ASN.1/BER elements contain exceptional data objects. The purpose is to test the robustness of the application logic of the SNMPv1 implementation.
Design of Test-Material
- The tests are divided into four separate test-material packages. Each test-material package consists of a certain amount of test-cases. The test-cases are organized into test-groups so that similar kind of cases reside in a same group. Details for each package are presented below.
Req-App
-
10601 test-cases: GetRequest, GetNextRequest and SetRequest PDUs with application exceptions Test-groups in req-app
Name
Category
First index #
Test-cases
zero-case-get-req
valid
0
1
zero-case-get-next-req
valid
1
1
zero-case-set-req
valid
2
1
get-req-version-integer
I-01, I-02, I-03
3
374
get-req-requestid-integer
I-01, I-02, I-03
377
374
get-req-errorstatus-integer
I-01, I-02, I-03
751
374
get-req-errorindex-integer-big
B-01, I-01, I-02
1125
303
get-req-errorindex-integer-boundary
B-01, I-03
1428
355
get-req-communityname-overflow
O-01
1783
111
get-req-communityname-overflow-fmtstring
F-01, F-02
1894
82
get-req-communityname-overflow-extra-null
O-03, O-04
1976
109
get-req-communityname-vlan-overflow
O-02
2085
244
get-req-varb-objectname-oid
O-05
2329
64
get-req-varb-objectname-oid-with-fmtstring
O-05, F-01
2393
64
get-req-varb-objectname-oid-invalid-index
O-06
2457
88
get-req-varb-sysname-string-overflow
O-01
2545
111
get-req-varb-sysname-string-overflow-fmtstring
F-01
2656
36
get-req-varb-sysname-string-overflow-extra-null
O-03, O-04
2692
109
get-req-varb-sysname-object-oid
O-05
2801
64
get-req-varb-sysname-number-integer
I-01, I-02, I-03
2865
374
get-req-varb-sysname-address-integer-small
I-01
3239
33
get-req-varb-sysname-counter-integer
I-01, I-02, I-03
3272
374
get-req-varb-sysname-gauge-integer
I-01, I-02, I-03
3646
374
get-req-varb-sysname-timeticks-integer
I-01, I-02, I-03
4020
374
get-req-varb-sysname-opaque-integer
I-01, I-02, I-03
4394
374
get-req-varb-multiple
O-07, O-08
4768
34
get-req-missing-data
M-01
4802
15
getn-req-errorstatus-integer
I-01, I-02, I-03
4817
374
getn-req-errorindex-integer-big
B-01, I-01, I-02
5191
303
getn-req-errorindex-integer-boundary
B-01, I-03
5494
355
getn-req-varb-objectname-oid
O-05
5849
64
getn-req-varb-objectname-oid-with-fmtstring
O-05, F-01
5913
64
getn-req-varb-objectname-oid-invalid-index
O-06
5977
88
getn-req-varb-multiple
O-07, O-08
6065
34
getn-req-missing-data
M-01
6099
15
set-req-errorstatus-integer
I-01, I-02, I-03
6114
374
set-req-errorindex-integer-big
B-01, I-01, I-02
6488
303
set-req-errorindex-integer-boundary
B-01, I-03
6791
355
set-req-communityname-overflow
O-01
7146
111
set-req-communityname-overflow-fmtstring
F-01, F-02
7257
82
set-req-communityname-overflow-extra-null
O-03, O-04
7339
109
set-req-communityname-vlan-overflow
O-02
7448
244
set-req-varb-objectname-oid
O-05
7692
128
set-req-varb-objectname-oid-with-fmtstring
O-05, F-01
7820
64
set-req-varb-objectname-oid-invalid-index
O-06
7884
176
set-req-varb-sysdescr-string-overflow
O-01
8060
111
set-req-varb-sysdescr-string-overflow-fmtstring
F-01
8171
36
set-req-varb-sysdescr-string-overflow-extra-nul
O-03, O-04
8207
109
set-req-varb-sysname-string-overflow
O-01
8316
111
set-req-varb-sysname-string-overflow-fmtstring
F-01
8427
36
set-req-varb-sysname-string-overflow-extra-null
O-03, O-04
8463
109
set-req-varb-sysname-object-oid
O-05
8572
64
set-req-varb-sysname-number-integer
I-01, I-02, I-03
8636
374
set-req-varb-sysname-address-integer-small
I-01
9010
33
set-req-varb-sysname-counter-integer
I-01, I-02, I-03
9043
374
set-req-varb-sysname-gauge-integer
I-01, I-02, I-03
9417
374
set-req-varb-sysname-timeticks-integer
I-01, I-02, I-03
9791
374
set-req-varb-sysname-opaque-integer
I-01, I-02, I-03
10165
374
set-req-varb-multiple
O-07, O-08
10539
34
set-req-missing-data
M-01
10573
15
set-req-request-type-shadow
I-04
10588
13
Legend:-
Name column presents the tag-names of the test-groups. Tags map in some extent to field names in SNMPv1 PDUs defined in RFC1157. Tags can be used to follow which parts of the PDU are being tested, and how. For example, get-req-communityname-overflow indicates that exceptional elements aiming to reveal buffer overflow vulnerabilities are inserted to the Community-field of the GetRequest-PDU.
- Category column describes which exceptional element categories are integrated in the test-group. Ie. category O-01 in above example is deduced from this column.
- "Test-cases" and "First index #" columns describe how many test-cases belong to the test-group, describing the first test-case number, and the number of cases from there on.
-
Req-Enc
-
18915 test-cases: GetRequest, GetNextRequest and SetRequest PDUs with encoding exceptions Test-groups in req-enc
Name
Category
First index #
Test-cases
zero-case-get-req
valid
0
1
zero-case-get-next-req
valid
1
1
zero-case-set-req
valid
2
1
get-req-ber-t-class
E-02
3
76
get-req-ber-t-number
E-04
79
516
get-req-ber-l-length
E-01
595
1180
get-req-ber-tlv-NULL
E-05
1775
288
get-req-ber-tlv-BOOLEAN
E-06
2063
336
get-req-ber-tlv-INTEGER
E-07
2399
360
get-req-ber-tlv-OCTETSTRING
E-08
2759
264
get-req-ber-tlv-BITSTRING
E-09
3023
264
get-req-ber-tlv-REAL
E-13
3287
624
get-req-ber-tlv-OBJECT-IDENTIFIER
E-12
3911
456
get-req-ber-tlv-SEQUENCE-OF
E-10
4367
480
get-req-ber-tlv-SET-OF
E-11
4847
384
get-req-ber-tlv-ENUMERATED
E-14
5231
290
get-req-ber-tlv-noise
E-15
5521
790
get-req-extra-data-inside
E-17
6311
252
get-req-extra-data-inside-varbind
E-17
6563
378
get-req-extra-data-outside
E-17
6941
63
get-req-missing-field
E-16
7004
11
getn-req-ber-t-class
E-02
7015
68
getn-req-ber-t-number
E-04
7083
430
getn-req-ber-l-length
E-01
7513
1003
getn-req-ber-tlv-NULL
E-05
8516
216
getn-req-ber-tlv-BOOLEAN
E-06
8732
252
getn-req-ber-tlv-INTEGER
E-07
8984
270
getn-req-ber-tlv-OCTETSTRING
E-08
9254
192
getn-req-ber-tlv-BITSTRING
E-09
9446
198
getn-req-ber-tlv-REAL
E-13
9644
468
getn-req-ber-tlv-OBJECT-IDENTIFIER
E-12
10112
342
getn-req-ber-tlv-SEQUENCE-OF
E-10
10454
360
getn-req-ber-tlv-SET-OF
E-11
10814
288
getn-req-ber-tlv-ENUMERATED
E-14
11102
261
getn-req-ber-tlv-noise
E-15
11363
711
getn-req-extra-data-inside
E-17
12074
252
getn-req-extra-data-inside-varbind
E-17
12326
378
getn-req-extra-data-outside
E-17
12704
63
getn-req-missing-field
E-16
12767
9
set-req-ber-t-class
E-02
12776
68
set-req-ber-t-number
E-04
12844
430
set-req-ber-l-length
E-01
13274
1003
set-req-ber-tlv-NULL
E-05
14277
216
set-req-ber-tlv-BOOLEAN
E-06
14493
252
set-req-ber-tlv-INTEGER
E-07
14745
270
set-req-ber-tlv-OCTETSTRING
E-08
15015
192
set-req-ber-tlv-BITSTRING
E-09
15207
198
set-req-ber-tlv-REAL
E-13
15405
468
set-req-ber-tlv-OBJECT-IDENTIFIER
E-12
15873
342
set-req-ber-tlv-SEQUENCE-OF
E-10
16215
360
set-req-ber-tlv-SET-OF
E-11
16575
288
set-req-ber-tlv-ENUMERATED
E-14
16863
261
set-req-ber-tlv-noise
E-15
17124
711
set-req-extra-data-inside
E-17
17835
252
set-req-extra-data-inside-varbind
E-17
18087
756
set-req-extra-data-outside
E-17
18843
63
set-req-missing-field
E-16
18906
9
Legend: [see first test-group table above]
Trap-App
- 15323 test-cases: Trap PDUs with application exceptions Test-groups in trap-app
Name
Category
First index #
Test-cases
trap-coldstart-valid
valid
0
1
trap-warmstart-valid
valid
1
1
trap-linkdown-valid
valid
2
1
trap-linkup-valid
valid
3
1
trap-authenticationfailure-valid
valid
4
1
trap-egbneighborloss-valid
valid
5
1
trap-request-type-shadow
I-04
6
13
trap-version-integer
I-01, I-02, I-03
19
284
trap-communityname-overflow
O-01
303
111
trap-communityname-overflow-fmtstring
F-01, F-02
414
82
trap-communityname-overflow-extra-null
O-03, O-04
496
79
trap-communityname-vlan-overflow
O-02
575
244
trap-enterprise-oid
O-05
819
64
trap-enterprise-oid-invalid-index
O-06
883
86
trap-agent-addr-integer
I-01, I-02, I-03
969
284
trap-generic-trap-integer
I-01, I-02, I-03
1253
284
trap-specific-trap-integer
I-01, I-02, I-03
1537
284
trap-time-stamp-integer
I-01, I-02, I-03
1821
284
trap-start-varb-objectname-oid
O-05
2105
128
trap-start-varb-objectname-oid-invalid-index
O-06
2233
172
trap-start-varb-objectsyntax-string-overflow
O-01
2405
222
trap-start-varb-objectsyntax-string-overflow-fmtstring
F-01
2627
72
trap-start-varb-objectsyntax-string-overflow-extra-null
O-03, O-04
2699
158
trap-start-varb-objectsyntax-object-oid
O-05
2857
128
trap-start-varb-objectsyntax-number-integer
I-01, I-02, I-03
2985
568
trap-start-varb-objectsyntax-networkaddress-integer
I-01, I-02, I-03
3553
568
trap-start-varb-objectsyntax-counter-integer
I-01, I-02, I-03
4121
568
trap-start-varb-objectsyntax-gauge-integer
I-01, I-02, I-03
4689
568
trap-start-varb-objectsyntax-timeticks-integer
I-01, I-02, I-03
5257
568
trap-start-varb-objectsyntax-opaque-integer
I-01, I-02, I-03
5825
568
trap-start-varb-multiple
O-07, O-08
6393
68
trap-start-missing-data
M-01
6461
32
trap-link-varb-objectname-oid
O-05
6493
128
trap-link-varb-objectname-oid-invalid-index
O-06
6621
172
trap-link-varb-objectsyntax-string-overflow
O-01
6793
224
trap-link-varb-objectsyntax-string-overflow-fmtstring
F-01
7017
72
trap-link-varb-objectsyntax-string-overflow-extra-null
O-03, O-04
7089
158
trap-link-varb-objectsyntax-object-oid
O-05
7247
128
trap-link-varb-objectsyntax-number-integer
I-01, I-02, I-03
7375
568
trap-link-varb-objectsyntax-networkaddress-integer
I-01, I-02, I-03
7943
568
trap-link-varb-objectsyntax-counter-integer
I-01, I-02, I-03
8511
568
trap-link-varb-objectsyntax-gauge-integer
I-01, I-02, I-03
9079
568
trap-link-varb-objectsyntax-timeticks-integer
I-01, I-02, I-03
9647
568
trap-link-varb-objectsyntax-opaque-integer
I-01, I-02, I-03
10215
568
trap-link-varb-multiple
O-07, O-08
10783
68
trap-link-missing-data
M-01
10851
32
trap-authfail-varb-objectname-oid
O-05
10883
64
trap-authfail-varb-objectname-oid-invalid-index
O-06
10947
86
trap-authfail-varb-objectsyntax-string-overflow
O-01
11033
112
trap-authfail-varb-objectsyntax-string-overflow-fmtstring
F-01
11145
36
trap-authfail-varb-objectsyntax-string-overflow-extra-null
O-03, O-04
11181
79
trap-authfail-varb-objectsyntax-object-oid
O-05
11260
64
trap-authfail-varb-objectsyntax-number-integer
I-01, I-02, I-03
11324
284
trap-authfail-varb-objectsyntax-networkaddress-integer
I-01, I-02, I-03
11608
284
trap-authfail-varb-objectsyntax-counter-integer
I-01, I-02, I-03
11892
284
trap-authfail-varb-objectsyntax-gauge-integer
I-01, I-02, I-03
12176
284
trap-authfail-varb-objectsyntax-timeticks-integer
I-01, I-02, I-03
12460
284
trap-authfail-varb-objectsyntax-opaque-integer
I-01, I-02, I-03
12744
284
trap-authfail-varb-multiple
O-07, O-08
13028
34
trap-authfail-missing-data
M-01
13062
16
trap-neighloss-varb-objectname-oid
O-05
13078
64
trap-neighloss-varb-objectname-oid-invalid-index
O-06
13142
86
trap-neighloss-varb-objectsyntax-string-overflow
O-01
13228
112
trap-neighloss-varb-objectsyntax-string-overflow-fmtstring
F-01
13340
36
trap-neighloss-varb-objectsyntax-string-overflow-extra-null
O-03, O-04
13376
79
trap-neighloss-varb-objectsyntax-object-oid
O-05
13455
64
trap-neighloss-varb-objectsyntax-number-integer
I-01, I-02, I-03
13519
284
trap-neighloss-varb-objectsyntax-networkaddress-integer
I-01, I-02, I-03
13803
284
trap-neighloss-varb-objectsyntax-counter-integer
I-01, I-02, I-03
14087
284
trap-neighloss-varb-objectsyntax-gauge-integer
I-01, I-02, I-03
14371
284
trap-neighloss-varb-objectsyntax-timeticks-integer
I-01, I-02, I-03
14655
284
trap-neighloss-varb-objectsyntax-opaque-integer
I-01, I-02, I-03
14939
284
trap-neighloss-varb-multiple
O-07, O-08
15223
34
trap-neighloss-missing-data
M-01
15257
16
trap-enterprise-varb-multiple
O-07, O-08
15273
34
trap-enterprise-missing-data
M-01
15307
16
- Legend: [see first test-group table above]
Trap-Enc
- 8777 test-cases: Trap PDUs with encoding exceptions
- Test-groups in trap-enc
Name
Category
First index #
Test-cases
trap-coldstart-valid
valid
0
1
trap-warmstart-valid
valid
1
1
trap-linkdown-valid
valid
2
1
trap-linkup-valid
valid
3
1
trap-authenticationfailure-valid
valid
4
1
trap-egbneighborloss-valid
valid
5
1
trap-ber-t-class
E-02
6
84
trap-ber-t-number
E-04
90
559
trap-ber-l-length
E-01
649
1298
trap-ber-tlv-NULL
E-05
1947
312
trap-ber-tlv-BOOLEAN
E-06
2259
364
trap-ber-tlv-INTEGER
E-07
2623
390
trap-ber-tlv-OCTETSTRING
E-08
3013
312
trap-ber-tlv-BITSTRING
E-09
3325
286
trap-ber-tlv-REAL
E-13
3611
676
trap-ber-tlv-OBJECT-IDENTIFIER
E-12
4287
494
trap-ber-tlv-SEQUENCE-OF
E-10
4781
520
trap-ber-tlv-SET-OF
E-11
5301
416
trap-ber-tlv-ENUMERATED
E-14
5717
348
trap-ber-tlv-noise
E-15
6065
936
trap-extra-data-inside
E-17
7001
756
trap-extra-data-inside-varbind
E-17
7757
756
trap-extra-data-outside
E-17
8513
252
trap-missing-field
E-16
8765
12
Legend: [see first test-group table above]
Test-Material Default Values
- All test-cases have been initialized with default values listed below. One or more of the listed values are altered when exceptional elements are applied to the PDU.
- Default values used in req-app and req-enc:
- Version: 0
- Community: "public"
-
PDU-Type: GetRequest | GetNextRequest | SetRequest
- RequestID: test-case index
-
ErrorStatus: 0
-
ErrorIndex: 0
-
Single VarBind:
-
ObjectName: sys.SysName (1.3.6.1.2.1.1.5.0)
-
ObjectSyntax: empty (GetRequest, GetNextRequest) | 'c06-snmpv1' (SetRequest)
-
- Default values used in trap-app and trap-enc:
- Version: 0
- Community: "public"
- PDU-Type: Trap
- Enterprise: unix.agents.fourBSD-isode.21 (1.3.6.1.4.1.4.1.2.21)
- Agent-addr: 127.0.0.1
-
Generic-trap: ColdStart (0x00)
- Specific-trap: 0x00
- Time-stamp: test-case index
-
Single VarBind:
-
ObjectName: if.ifNumber (1.3.6.1.2.1.2.1.0)
-
ObjectSyntax: 0x21
-
Injection
- The test-tool provides communication rules for test-case injection. SNMPv1 PDUs can be injected using a simple UDP injector. Optionally, responses from the subject can be monitored.
Semantic Rules
- The test-tool provides semantic rules as method for augmenting the (already extended) BNF specification.
- SNMPv1 requires use of the basic encoding rules (BER) for formatting octets sent over the UDP over IP connection. BER is a simple encoding method and can be modeled with BNF except for the length fields. Semantic rules for encoding/decoding BER Integers and Object-Identifiers were developed for this test-suite.
Instrumentation
- With instrumentation on the target platform we are able to monitor for undesired behavior of the subject implementation. Typically this manifests as exceptions or signals such as 'access violation' or 'segmentation fault'. Unfortunately, the modern trend of abusing the try-catch -type of constructs easily masks the exceptions generated by stack and memory corruption. Catching these hidden exceptions relies on the debugging skills of the developers themselves.
- Zero-case instrumentation will be bundled with the test-material. In this rather crude method, a valid PDU (zero-case) that should result in a valid reply is sent to the subject between real test-cases until a response is received. Hence, if no response from the subject is detected, it has failed. This method is especially convenient when testing black-box hardware implementations. Unfortunately, zero-case instrumentation is not available with Trap-PDUs since implementations should never reply to the received traps.
Implementation
- Test-runs were conducted against the chosen set of sample implementations. Specifications, exceptional elements, semantic rules, injectors and instrumentation were integrated as a test-tool configuration to enable automatic execution of the tests.
Results from the Test-Runs
- Results from the test-runs are summarised herein. Tables below represent the observations from feeding the test-material against the chosen subject software. Product names of the actual subjects are omitted to protect the innocent. Results are presented in a tabular form with test-cases divided into test-groups based on the exceptional element types utilised and PDU fields under examination.
- Each failed test-case represents at minimum a denial of service type chance of exploiting the found vulnerability. In most cases, they represent memory corruption, stack corruption or other fatal error conditions. Some of these may lead exposure to typical buffer overflow exploits, allowing running of arbitrary code or modification of the target system.
- The recommendations for securing SNMP implementations presented in the Analysis section were tried against each sample implementation when suitable.
- Changing the community name worked only for some implementations, but not especially for those which had problems with exceptional community names. Network access control was soon discovered to be insufficient since UDP source address can be easily spoofed. Disabling the SNMP functionality worked usually when there was a possibility to do so. However, there was one implementation that continued to receive SNMP packets even after SNMP was disabled. It did not respond to valid SNMP requests, but crashed when certain test-cases were injected. All sample implementations accepted SNMPv1 packets sent to the network broadcast address, this is most likely due to nature of the typical bind() usage with INADDR_ANY address.
Test-Result Definitions
- In this test-suite, the 'failed' status is granted if any of the following criteria are met and a single test-case can be identified to be responsible of it:
- A fatal failure is triggered in a device causing it to stop functioning normally
- A SNMP process or a device crashes or hangs and needs to be restarted manually
- A SNMP process or a device crashes and restarts automatically
- A SNMP process consumes almost all CPU and/or memory resources for an exceptionally long or indefinite time
- If no single test-case can be identified but similar effects are observed, the status is 'inconclusive'.
- If the 'failed' status happens to be independent of SNMP community names, it is upgraded to 'failed unconditionally'. This is the worst status that can be given.
- In some cases, the subject gets corrupted so badly or is fundamentally so instable that there is no way to collect accurate test-results for the whole test-run. The untested regions are marked as 'unknown'.
- Otherwise, the status is 'passed'.
Test-Results by Test-Groups
- These tables show how effective different test-groups were in the test-runs. A test-group is marked failed if any single case or combination of cases cause the subject to fail. Note that if a subject fails in a format string (fmtstring) test-group, the failure may be triggered by a very long format string causing an overflow condition. Should implementation have failed format string category, but not previous overflow category, then implementation is more or very likely to contain real format string type of vulnerability.
- Observed failures for req-app test-groups
Test-group / Test-run #
001
002
003
004
005
006
007
008
...
.
.
.
.
.
.
.
.
get-req-communityname-overflow
-
-
U
-
-
U
-
-
get-req-communityname-overflow-fmtstring
-
-
U
-
-
U
-
-
get-req-communityname-overflow-extra-null
-
-
U
-
-
U
-
-
get-req-communityname-vlan-overflow
-
-
-
-
-
U
-
-
get-req-varb-objectname-oid
X
-
-
U
-
-
X
-
get-req-varb-objectname-oid-with-fmtstring
X
-
-
U
-
-
X
-
get-req-varb-objectname-oid-invalid-index
I
-
-
-
-
-
-
-
...
.
.
.
.
.
.
.
.
get-req-varb-sysname-object-oid
-
-
-
U
-
-
-
-
...
.
.
.
.
.
.
.
.
get-req-varb-multiple
X
-
-
-
-
-
-
-
...
.
.
.
.
.
.
.
.
getn-req-varb-objectname-oid
X
-
-
U
-
-
X
-
getn-req-varb-objectname-oid-with-fmtstring
X
-
-
U
-
-
X
-
getn-req-varb-objectname-oid-invalid-index
I
-
-
-
-
-
-
-
getn-req-varb-multiple
X
-
-
-
-
-
-
-
...
.
.
.
.
.
.
.
.
set-req-communityname-overflow
-
-
U
-
-
U
-
-
set-req-communityname-overflow-fmtstring
-
-
U
-
-
U
-
-
set-req-communityname-overflow-extra-null
-
-
U
-
-
U
-
-
set-req-communityname-vlan-overflow
-
-
-
-
-
U
-
-
set-req-varb-objectname-oid
-
-
-
U
-
-
-
-
set-req-varb-objectname-oid-with-fmtstring
-
-
-
U
-
-
-
-
...
.
.
.
.
.
.
.
.
set-req-varb-sysname-object-oid
-
-
-
U
-
-
-
-
...
.
.
.
.
.
.
.
.
Legend:- nnn: Each different test-run (tr-nnn) represents a different tested implementation.
- X: Verdict is failed
- U: Verdict is failed unconditionally (no need-to-know a valid community name)
- I: Verdict is inconclusive
- -: Verdict is passed
- Observed failures for req-enc test-groups
Test-group / Test-run #
001
002
003
004
005
006
007
008
...
.
.
.
.
.
.
.
.
get-req-ber-l-length
-
-
U
-
X
-
U
U
...
.
.
.
.
.
.
.
.
get-req-ber-tlv-OBJECT-IDENTIFIER
-
-
-
-
-
-
X
-
...
.
.
.
.
.
.
.
.
get-req-ber-tlv-noise
-
-
-
-
-
-
X
-
...
.
.
.
.
.
.
.
.
getn-req-ber-l-length
-
-
U
-
X
-
X
U
...
.
.
.
.
.
.
.
.
getn-req-ber-tlv-OBJECT-IDENTIFIER
-
-
-
-
-
-
X
-
...
.
.
.
.
.
.
.
.
getn-req-ber-tlv-noise
-
-
-
-
-
-
X
-
...
.
.
.
.
.
.
.
.
set-req-ber-t-number
-
-
U
-
-
-
-
-
set-req-ber-l-length
-
-
U
-
X
-
-
-
...
.
.
.
.
.
.
.
.
set-req-ber-tlv-BITSTRING
-
-
U
-
-
-
-
-
...
.
.
.
.
.
.
.
.
Legend: [see first result table above] - Observed failures for trap-app test-groups
Test-group / Test-run #
009
010
011
012
...
.
.
.
.
trap-enterprise-oid
-
-
-
I
...
.
.
.
.
trap-start-varb-objectsyntax-string-overflow
-
U
U
-
...
.
.
.
.
trap-start-varb-objectsyntax-string-overflow-extra-null
-
U
-
-
trap-start-varb-objectsyntax-object-oid
U
-
-
-
...
.
.
.
.
trap-start-varb-objectsyntax-opaque-integer
-
U
U
-
trap-start-varb-multiple
U
U
-
-
...
.
.
.
.
trap-link-varb-objectsyntax-string-overflow
-
U
U
-
...
.
.
.
.
trap-link-varb-objectsyntax-string-overflow-extra-null
-
U
-
-
trap-link-varb-objectsyntax-object-oid
U
-
-
-
...
.
.
.
.
trap-link-varb-objectsyntax-opaque-integer
-
U
U
-
trap-link-varb-multiple
U
U
-
-
...
.
.
.
.
trap-authfail-varb-objectsyntax-string-overflow
-
U
U
-
...
.
.
.
.
trap-authfail-varb-objectsyntax-string-overflow-extra-null
-
U
-
-
trap-authfail-varb-objectsyntax-object-oid
U
-
-
-
...
.
.
.
.
trap-authfail-varb-objectsyntax-opaque-integer
-
U
U
-
trap-authfail-varb-multiple
U
U
-
-
...
.
.
.
.
trap-neighloss-varb-objectsyntax-string-overflow
-
U
U
-
...
.
.
.
.
trap-neighloss-varb-objectsyntax-string-overflow-extra-null
-
U
-
-
trap-neighloss-varb-objectsyntax-object-oid
U
-
-
-
...
.
.
.
.
trap-neighloss-varb-objectsyntax-opaque-integer
-
U
U
-
trap-neighloss-varb-multiple
U
U
-
-
...
.
.
.
.
trap-enterprise-varb-multiple
U
U
-
-
...
.
.
.
.
- Legend: [see first result table above]
- Observed failures for trap-enc test-groups
Test-group / Test-run #
009
010
011
012
trap-ber-t-class
-
-
U
-
trap-ber-t-number
-
-
U
-
trap-ber-l-length
U
-
U
-
...
.
.
.
.
trap-ber-tlv-BOOLEAN
-
-
U
I
...
.
.
.
.
trap-ber-tlv-OCTETSTRING
-
U
-
-
trap-ber-tlv-BITSTRING
-
U
U
-
trap-ber-tlv-REAL
-
-
U
-
trap-ber-tlv-OBJECT-IDENTIFIER
-
U
-
-
trap-ber-tlv-SEQUENCE-OF
-
U
U
I
trap-ber-tlv-SET-OF
-
U
U
-
trap-ber-tlv-ENUMERATED
-
-
U
I
trap-ber-tlv-noise
-
-
U
-
...
.
.
.
.
Legend: [see first result table above]
Test-Results Summary
- The results are further summarised in the tables below. Results summary for req-app
Test-run #
Total test-cases
Failed test-cases
Total groups
Failed groups
tr-001
10601
N
61
8
tr-002
10601
0
61
0
tr-003
10601
13
61
6
tr-004
10601
16
61
8
tr-005
10601
0
61
0
tr-006
10601
224
61
8
tr-007
10601
57
61
4
tr-008
10601
0
61
0
Legend:- N: We were unable to determine the exact number of failures. See the more detailed tables above.
- Results summary for req-enc
Test-run #
Total test-cases
Failed test-cases
Total groups
Failed groups
tr-001
18915
0
57
0
tr-002
18915
0
57
0
tr-003
18915
N
57
5
tr-004
18915
0
57
0
tr-005
18915
4
57
3
tr-006
18915
0
57
0
tr-007
18915
N
57
5
tr-008
18915
10
57
2
Legend: [see first summary table above] - Results summary for trap-app
Test-run #
Total test-cases
Failed test-cases
Total groups
Failed groups
tr-009
15323
N
76
9
tr-010
15323
166
76
17
tr-011
15323
12
76
8
tr-012
15323
N
76
1
Legend: [see first summary table above] - Results summary for trap-enc
Test-run #
Total test-cases
Failed test-cases
Total groups
Failed groups
tr-009
8777
5
24
1
tr-010
8777
24
24
5
tr-011
8777
N
24
10
tr-012
8777
N
24
3
Legend: [see first summary table above]
Verification via Exploits
- To support the vulnerability reporting process, typically one exploit per implementation is refined and included in the respective vulnerability report. The exploit is only intended for demonstration purposes and is harmless as it is. Simplest of them only executes some harmless commands in the target system, typically with the privileges of the vulnerable process. Some only provide a demonstration by causing a Denial of Service (DoS) against the software. Buffer overflow exploits allowing execution of arbitrary code were demonstrated against:
- One SNMP master agent bundled in an embedded firewall and VPN appliance
- Two SNMP master agents bundled as part of the operating systems in question
- One SNMP trap listener bundled as part of the operating system in question
- Two add-on trap listeners available as parts of SNMP management frameworks
Test-Material Package
Package Information
-
The test-material is distributed as four JAR packages, two for Request-PDUs (GetRequest, GetNextRequest and SetRequest) and two for Trap-PDUs. Of the two JAR packages for given PDU type one contains the application part and the other the BER encoding part of test-cases. Each package comprises of the following elements:
- Test-cases (PDUs), located in testcases/ directory
- Java code (source and compiled) for feeding the test-cases against the system under test
- LICENSE.TXT - GNU General Public License (GPL) version 2
- README.TXT - Short instructions
Licence and Copyright
- The test-material is licensed under GNU General Public License (GPL) version 2, at no charge. This is done in order to ensure that vendors and their customers may freely utilise the test-material. Standard GPL terms for no warranty and no liability apply.
-
We recommend some additional guidelines, although these do not restrict the test-material licence. These guidelines can be found from the "test-suite releases in Theory and Practice" document.
Usage
- A prerequisite for using the test-material is a properly configured SNMPv1 implementation, preferably not in an open network.
- The test-material can be used either with the bundled injection code [Using with Java] or with an external injector [Using single test-cases].
Using with Java
-
Java Runtime is a prerequisite for running the bundled Java code. This package has been tested on Java 2 Platform, Standard Edition (J2SE ). [10]
- Usage examples for the injection code bundled in the JAR packages:
- java -jar c06-snmpv1-req-app-r1.jar -help
- This command displays the built-in help for the available command line options. Options such as selecting the zero-case instrument, a specific range of test-cases, showing the reply from subject or non-standard destination port are high-lighted therein.
-
java -jar c06-snmpv1-req-app-r1.jar -host hostname -single
-showreply - Send the req-app test-case index into SNMP server hostname port 161 and show reply from the server (if any). Please note that -showreply is not relevant with SNMP traps.
- java -jar c06-snmpv1-req-app-r1.jar -host hostname -delay 1000
- Send all req-app test-cases into SNMP server hostname port 161 with a delay of 1000 milliseconds between each case.
- java -jar c06-snmpv1-req-app-r1.jar -host hostname -zerocase
- Run all req-app test-cases into SNMP server hostname port 161. A valid zero-case (test-case# 0) is injected between the real test-cases and a reply to it is awaited for. Please note that -zerocase switch works only with Request-PDUs, SNMPv1 trap handling does not involve responses.
Using without Java
- The test-cases (PDUs) are in raw binary format and can be used by any suitable delivery software, such as nc (netcat). The individual test-cases can be extracted from the JAR package with tools such as unzip, Winzip or jar. Refer to the manual pages and product documentation of the respective tools for additional information.
Download
Request Material
- These JAR packages contain the req-app and req-enc test-material and the corresponding PGP signatures.
-
c06-snmpv1-req-app-r1.jar (req-app test-material)
-
c06-snmpv1-req-app-r1.jar.asc (req-app detached PGP signature)
-
c06-snmpv1-req-enc-r1.jar (req-enc test-material)
-
c06-snmpv1-req-enc-r1.jar.asc (req-enc detached PGP signature)
-
Trap Material
- These JAR packages contain the trap-app and trap-enc test-material and the corresponding PGP signatures.
-
c06-snmpv1-trap-app-r1.jar (trap-app test-material)
-
c06-snmpv1-trap-app-r1.jar.asc (trap-app detached PGP signature)
-
c06-snmpv1-trap-enc-r1.jar (trap-enc test-material)
-
c06-snmpv1-trap-enc-r1.jar.asc (trap-enc detached PGP signature)
-
Notes
- Be sure to check which PDU types the subject accepts. Zero-case instrument requires that the subject has a properly configured 'public' SNMP read community. Otherwise the subject will not respond to valid test-cases. However, if you want to test a subject with a different community, the default zero-case (test-case# 0) can be replaced. Using a hex editor, 'public' can be changed to 'foobar' and because they have the same length, the packet validity is preserved. Remember that zero-case instrumentation works only with Request-PDU packages, because SNMP traps are never replied to.
- For the best possible replication of results gathered by us, request JAR test-cases should be ran using switches -zerocase and -showreply. For the trap JARs no additional switches except for the -host should be used. This ensures that timeouts and configuration options match as far as possible those used in our test-runs. As mentioned earlier, community name 'public' was used as read community and no write community was defined.
- Sending test-cases with different timeouts, in different order and so on may reveal error modes we did not notice. Also, setting write community to public or read community to something other than public are likely to have significant effect on results and possible error modes observed.
Conclusions
- The initial results from the c06-snmpv1 tests indicate that implementation errors plague several SNMP products. None from the sample of twelve implementations survived the test-material. This is most alarming since SNMPv1 is widely used in critical parts of network infrastructure.
- Attempts to secure the sample implementations from the found vulnerabilities produced various results. Applying device based access control to SNMP traffic was mostly useless since spoofing the UDP source address is simple. All sample implementations by default accepted SNMP packets sent to the network broadcast address, and this lessens the effort needed to exploit the vulnerabilities. A potential attacker does not need to know the actual IP-addresses of his targets and can in worst case use a single broadcast packet to compromise a whole network without ever having to find out a valid SNMP community name. In some cases, SNMP could not be fully disabled and there was no other way to secure an implementation than to plug it off the network.
- Since the test-material can discover only a fraction of potential implementation errors, it is likely that we have simply touched the tip of the iceberg. We hope that a wide adoption of this test-suite will raise the overall quality of SNMP products and will help implementors to fix also those vulnerabilities not directly addressed by it.
Acknowledgments
-
We wish to express our gratitude to individual vendors who worked with us to protect their customers. We are in debt to Sonera Corporation for providing us facilities and support in determing the impact of the test-suite. Last, but not least, we are grateful to CERT/CC for their patient help, advice and active role during the vulnerability process. We admire CERT/CC's ability and sacrifice in handling the complexity of the issue, number of the vendors involved and the resulting flood of communication during extended time-frame spanning several months.
Vulnerability Management
Prior Public Vulnerabilities
- The most common sources for vulnerability information and exploits were covered and cross checked for potential and already known vulnerabilities in the implementations of the chosen protocol. Typical sources for finding out about existing vulnerabilities are databases and mailing-lists. Search-engines may also reveal information on past vulnerabilities.
The Vulnerability Process
-
During the prerelease phase all verified vulnerabilities were reported to the respective vendors. The vulnerability reports were tracked by the CERT/CC in role of an independent coordinator and advisor. [11] Due to potentially large number of vendors affected, an attempt to establish a channel for discussion and test-material distribution was made with CERT/CC.
Advisories and Vendor Statements
- Vendor statements or security advisories issued in order to address the vulnerabilities uncovered by this test-suite are collected. Advisories that we are aware of are listed here-in:
-
[CERT/CC 2002-02-12 ] CERT? Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)
-
References
-
[1] "Open Directory Project : Top : Computers : Internet : Protocols". Open directory project. http://dmoz.org/Computers/Internet/Protocols/desc.html.
[2] Case, J; Fedor, M; Schoffstall, M & Davin J. (1990). "A Simple Network Management Protocol (SNMP)". The Internet Engineering Task Force. http://www.ietf.org/rfc/rfc1157.txt.
[3] "The Internet Engineering Task Force". http://www.ietf.org/.
[4] "comp.protocols.snmp SNMP FAQ". http://www.faqs.org/faqs/snmp-faq/.
[5] Stevens, Richard W. TCP/IP Illustrated, Volume 1. (1994). Addison-Wesley. ISBN: 0-201-63346-9.
[6] Larmouth, John. ASN.1 Complete. (1999). Morgan Kaufmann. http://www.oss.com/asn1/larmouth.html. ISBN: 0-12233-435-3.
[7] "The SimpleWeb". http://www.simpleweb.org/.
[8] "SNMPLink.org". http://www.snmplink.org/.
[9] "SNMPWorld". http://silver.he.net/~rrg/snmpworld.htm.
[10] "Java 2 Platform, Standard Edition (J2SE)". http://java.sun.com/j2se/1.3/.
[11] "CERT/CC". http://www.cert.org/.
Appendix A: Guidelines for Securing SNMP
- As part of the analysis for the PROTOS c06-snmpv1 test-suite, some guidelines for securing specific SNMP implementations were reviewed.
- Securing SNMP on Solaris
-
http://ist.uwaterloo.ca/security/howto/2000-10-04/
-
http://www.sans.org/infosecFAQ/incident/SNMP.htm
-
http://www.sans.org/infosecFAQ/netdevices/router.htm
-
http://www.nwfusion.com/newsletters/sec/1004sec1.html
-
http://www.securityfocus.com/focus/microsoft/2k/snmp.html
-
- Securing SNMP on Solaris
Appendix B: Related Test-Suites
- A survey of other existing test-suites related to SNMP was conducted. The found test-suites focused on rather semantical issues, with no or only some syntax testing material.
-
http://www.iwl.com
-
"InterWorking Labs provides SilverCreek(R), the SNMP Test-Suite, for software engineers to find and fix bugs in their SNMP agent implementations. With nearly 1,000 tests available for SNMPv1, v2, v3, and semantic tests for RMON1, RMON2, and the Printer MIB, InterWorking Labs has revolutionised the process of testing network products."
-
-
http://www.smplsft.com/stest.html
-
"SimpleTester is an easy to use test tool that automatically tests SNMPv1, SNMPv2C and SNMPv3 agents. Using this tool you can exhaustively test agents implementing standard and enterprise specific MIBs within minutes. Over 800 semantic validation tests for popular MIBs like MIB-II, mini-RMON and SNMPv3 are included with source code. Utilities like MIB browser, Trap Checker and Script Generator, along with scripting support for Telnet and Serial I/O is also present."
-