ID: CVE-2000-0147 | Type: cve | Reporter: NVD | Modified: 2008-09-05T16:20:15
Description
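snmpd in SCO OpenServer has an SNMP community string that is writable by default, which allows local attackers to modify the host's configuration.

Note: NVD scores this CVE 2.1 (AV:LOCAL, partial integrity impact only). The 10.0 network-vector scores on the related Nessus and OpenVAS entries in the record below belong to generic default-community detection plugins that each list many CVEs, so they should not be read as the severity of this specific issue.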
{"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0147", "history": [], "references": ["http://www.securityfocus.com/bid/973", "http://archives.neohapsis.com/archives/bugtraq/2000-02/0045.html", "ftp://ftp.sco.com/SSE/security_bulletins/SB-00.04a"], "lastseen": "2016-09-03T02:34:14", "bulletinFamily": "NVD", "title": "CVE-2000-0147", "cpe": ["cpe:/o:sco:openserver:5.0.5"], "viewCount": 8, "id": "CVE-2000-0147", "hash": "4999c3942edc4eecfaf0b2a3c7dfacf5b9b384b110a2e892a79d2afb22917e9c", "description": "snmpd in SCO OpenServer has an SNMP community string that is writable by default, which allows local attackers to modify the host's configuration.", "edition": 1, "assessment": {"name": "", "href": "", "system": ""}, "cvelist": ["CVE-2000-0147"], "scanner": [], "modified": "2008-09-05T16:20:15", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "objectVersion": "1.2", "reporter": "NVD", "type": "cve", "published": "2000-02-08T00:00:00", "enchantments": {"score": {"value": 2.1, "vector": "NONE", "modified": "2016-09-03T02:34:14"}, "dependencies": {"references": [{"type": "osvdb", "idList": ["OSVDB:8807"]}, {"type": "nessus", "idList": ["SNMP_DEFAULT_COMMUNITIES.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231010264"]}], "modified": "2016-09-03T02:34:14"}, "vulnersScore": 2.1}}
{"osvdb": [{"lastseen": "2017-04-28T13:20:03", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nPacket Storm: http://packetstormsecurity.nl/0002-exploits/sco.snmpd.txt\nISS X-Force ID: 4274\n[CVE-2000-0147](https://vulners.com/cve/CVE-2000-0147)\nBugtraq ID: 973\n", "modified": "2000-02-08T00:00:00", "published": "2000-02-08T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:8807", "id": "OSVDB:8807", "type": "osvdb", "title": "SCO OpenServer snmpd Writeable Community String", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2019-02-21T01:07:39", "bulletinFamily": "scanner", "description": "It is possible to obtain the default community names of the remote SNMP server.\n\nAn attacker can use this information to gain more knowledge about the remote host or to change the configuration of the remote system (if the default community allows such modifications).", "modified": "2018-07-30T00:00:00", "id": "SNMP_DEFAULT_COMMUNITIES.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=10264", "published": "2002-11-25T00:00:00", "title": "SNMP Agent Default Community Names", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\n#\n# Thanks to the following persons for having sent additional\n# SNMP communities over time :\n#\n# Javier Fernandez-Sanguino, Axel Nennker and the following references :\n#\n# From: Raphael Muzzio (rmuzzio_at_ZDNETMAIL.COM)\n# Date: Nov 15 1998\n# To: bugtraq@securityfocus.com\n# Subject: Re: ISS Security Advisory: Hidden community string in SNMP\n# (http://lists.insecure.org/lists/bugtraq/1998/Nov/0212.html)\n#\n# Date: Mon, 5 Aug 2002 19:01:24 +0200 (CEST)\n# From:\"Jacek Lipkowski\" <sq5bpf@andra.com.pl>\n# To: bugtraq@securityfocus.com\n# Subject: SNMP vulnerability in AVAYA Cajun firmware\n# Message-ID: 
<Pine.LNX.4.44.0208051851050.3610-100000@hash.intra.andra.com.pl>\n#\n# From:\"Foundstone Labs\" <labs@foundstone.com>\n# To: da@securityfocus.com, vulnwatch@vulnwatch.org\n# Subject: Foundstone Labs Advisory - Information Leakage in Orinoco and Compaq Access Points\n# Message-ID: <9DC8A3D37E31E043BD516142594BDDFAC476B0@MISSION.foundstone.com>\n#\n# CC:da@securityfocus.com, vulnwatch@vulnwatch.org\n# To:\"Foundstone Labs\" <labs@foundstone.com>\n# From:\"Rob Flickenger\" <rob@oreillynet.com>\n# In-Reply-To: <9DC8A3D37E31E043BD516142594BDDFAC476B0@MISSION.foundstone.com>\n# Message-Id: <D8F6A4EC-ABE3-11D6-AF54-0003936D6AE0@oreillynet.com>\n# Subject: Re: [VulnWatch] Foundstone Labs Advisory - Information Leakage in Orinoco and Compaq Access Points\n#\n# http://www.securityfocus.com/archive/1/313714/2003-03-01/2003-03-07/0\n# http://www.nessus.org/u?b471b647\n#\n\nif (description)\n{\n script_id(10264);\n script_version(\"1.107\");\n script_cvs_date(\"Date: 2018/07/30 15:31:32\");\n\n script_cve_id(\n \"CVE-1999-0186\",\n \"CVE-1999-0254\",\n \"CVE-1999-0472\",\n \"CVE-1999-0516\",\n \"CVE-1999-0517\",\n \"CVE-1999-0792\",\n \"CVE-2000-0147\",\n \"CVE-2001-0380\",\n \"CVE-2001-0514\",\n \"CVE-2001-1210\",\n \"CVE-2002-0109\",\n \"CVE-2002-0478\",\n \"CVE-2002-1229\",\n \"CVE-2004-0311\",\n \"CVE-2004-1474\",\n \"CVE-2010-1574\"\n );\n script_bugtraq_id(\n 177,\n 973,\n 986,\n 2112,\n 3758,\n 3795,\n 3797,\n 4330,\n 6825,\n 7081,\n 7212,\n 7317,\n 9681,\n 10576,\n 11237,\n 41436\n );\n script_xref(name:\"CERT\", value:\"732671\");\n script_xref(name:\"EDB-ID\", value:\"20892\");\n\n script_name(english:\"SNMP Agent Default Community Names\");\n script_summary(english:\"Checks default community names of the SNMP agent.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n \"The community names of the remote SNMP server can be guessed.\");\n script_set_attribute(attribute:\"description\",value:\n\"It is possible to obtain the default community names of the 
remote\nSNMP server.\n\nAn attacker can use this information to gain more knowledge about the\nremote host or to change the configuration of the remote system (if\nthe default community allows such modifications).\");\n script_set_attribute(attribute:\"solution\",value:\n\"Disable the SNMP service on the remote host if you do not use it,\nfilter incoming UDP packets going to this port, or change the default\ncommunity string.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"1998/11/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2002/11/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:snmp:snmp\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"SNMP\");\n\n script_dependencies(\"find_service2.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_timeout(540); # max number of community names to test * 10.\n exit(0);\n}\n\ninclude (\"global_settings.inc\");\ninclude (\"misc_func.inc\");\ninclude (\"snmp_func.inc\");\ninclude (\"audit.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\n# if we don't know which versions of SNMP are supported, try both v2c and v1.\n# Protect against the fact that this host may be configured for SNMPv3 auth.\nif ( get_kb_item(\"SNMP/version\") )\n{\n if ( get_kb_item(\"SNMP/version_v1\") )\n vers = make_list(0);\n else\n vers = make_list(1);\n}\nelse vers = make_list(1, 0);\n\nport = 
get_kb_item(\"SNMP/port\");\nif(!port){\n\tport = 161;\n\tsnmp_not_detected = TRUE;\n\t}\nif (! get_udp_port_state(port)) exit(0, \"UDP port \"+port+\" is not open.\");\n\n# CS-21187: privat, German for private\ndefault = make_list(\"private\", \"privat\", \"public\", \"cisco\");\nextra = make_list(\n \"0392a0\",\n \"ANYCOM\",\n \"Cisco router\",\n \"ILMI\",\n \"NoGaH$@!\",\n \"OrigEquipMfr\",\n \"Secret C0de\",\n \"TENmanUFactOryPOWER\",\n \"admin\",\n \"agent\",\n \"agent_steal\",\n \"all\",\n \"all private\",\n \"apc\",\n \"blue\",\n \"c\",\n \"cable-docsis\",\n \"cascade\",\n \"cc\",\n \"comcomcom\",\n \"community\",\n \"core\",\n \"default\",\n \"diag\",\n \"freekevin\",\n \"fubar\",\n \"guest\",\n \"hp_admin\",\n \"ilmi\",\n \"internal\",\n \"localhost\",\n \"manager\",\n \"manuf\",\n \"monitor\",\n \"openview\",\n \"password\",\n \"proxy\",\n \"regional\",\n \"riverhead\",\n \"rmon\",\n \"rmon_admin\",\n \"secret\",\n \"security\",\n \"snmp\",\n \"snmpd\",\n \"system\",\n \"test\",\n \"tivoli\",\n \"write\",\n \"xyzzy\",\n \"yellow\"\n);\nif (thorough_tests) default = make_list(default, extra);\n\n\ncomm_list = \"\";\ncomm_number = 0;\nforeach community (default)\n{\n soc[community] = open_sock_udp(port);\n if (!soc[community]) continue;\n}\n\n\nfor ( i = 0 ; i < 2 ; i ++ )\n{\n foreach community ( default )\n {\n foreach ver ( vers )\n {\n set_snmp_version( version:ver );\n\n if ( isnull(soc[community]) ) continue;\n rep = snmp_request_next(socket:soc[community], timeout:1 + i, community:community, oid:\"1.3\");\n if (!isnull(rep))\n {\n if (\n # Sun ...\n (rep[1] != \"/var/snmp/snmpdx.st\") && (rep[1] != \"/etc/snmp/conf\") &&\n # HP MSL 8048\n \"1.3.6.1.2.1.11.6.0\" != rep[0]\n )\n {\n set_kb_item(name:\"SNMP/default/community\", value:community);\n comm_list += strcat(' - ' + community + '\\n');\n comm_number++;\n }\n close(soc[community]);\n soc[community] = NULL;\n }\n }\n\n # once we've received a response, keep using the same SNMP version in all 
remaining requests\n if (!isnull(rep)) vers = make_list(ver);\n }\n}\n\nforeach community (keys(soc) )\n{\n if ( !isnull(soc[community]) ) close(soc[community]);\n}\n\n\n# We're done with actual sends, so set the SNMP_VERSION back, if needed.\nreset_snmp_version();\n\nif (comm_number > 0)\n{\n if (comm_number > 5)\n report = string (\n \"\\n\",\n \"The remote SNMP server replies to more than 5 default community\\n\",\n \"strings. This may be due to a badly configured server or an SNMP\\n\",\n \"server on a printer.\"\n );\n else\n {\n if (comm_number == 1) s = \"\";\n else s = \"s\";\n report = string (\n \"\\n\",\n \"The remote SNMP server replies to the following default community\\n\",\n \"string\", s, \" :\\n\",\n \"\\n\",\n comm_list\n );\n }\n\n\n if ( snmp_not_detected ) register_service( port:161, proto:\"snmp\", ipproto:\"udp\");\n\n\n if (comm_number != 1 || (comm_number == 1 && \"public\" >!< comm_list))\n security_hole(port:port, extra:report, protocol:\"udp\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-09-01T23:53:20", "bulletinFamily": "scanner", "description": "Simple Network Management Protocol (SNMP) is a protocol\n which can be used by administrators to remotely manage a computer or network device. There\n are typically 2 modes of remote SNMP monitoring. 
These modes are roughly ", "modified": "2017-09-29T00:00:00", "published": "2014-03-12T00:00:00", "id": "OPENVAS:136141256231010264", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010264", "title": "Report default community names of the SNMP Agent", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_snmp_get_community.nasl 7319 2017-09-29 06:17:27Z cfischer $\n#\n# Report default community names of the SNMP Agent\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10264\");\n script_cve_id(\"CVE-1999-0472\", \"CVE-1999-0516\", \"CVE-1999-0517\", \"CVE-1999-0792\",\n \"CVE-2000-0147\", \"CVE-2001-0380\", \"CVE-2001-0514\", \"CVE-2001-1210\",\n \"CVE-2002-0109\", \"CVE-2002-0478\", \"CVE-2002-1229\", \"CVE-2004-1474\",\n \"CVE-2004-1775\", \"CVE-2004-1776\", \"CVE-2011-0890\", \"CVE-2012-4964\",\n \"CVE-2014-4862\", \"CVE-2014-4863\", \"CVE-2016-1452\", \"CVE-2016-5645\",\n \"CVE-2017-7922\");\n # nb: CVEs about default communities. 
Those are currently commented out as they would\n # increase the CVSS to 10.0:\n # \"CVE-1999-0186\", \"CVE-1999-0254\", \"CVE-2004-0311\", \"CVE-2006-4950\", \"CVE-2010-1574\", \"CVE-2010-2976\", \"CVE-2016-1473\"\n script_bugtraq_id(177, 973, 986, 2112, 2896, 3758, 3795, 3797, 4330, 5030, 5965,\n 7081, 7212, 7317, 9681, 11237, 20125, 41436, 46981, 91756,\n 92428, 99083);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 7319 $\");\n script_name(\"Report default community names of the SNMP Agent\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-09-29 08:17:27 +0200 (Fri, 29 Sep 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-03-12 10:10:24 +0100 (Wed, 12 Mar 2014)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"SNMP\");\n script_copyright(\"This script is Copyright (C) 2014 Greenbone Networks GmbH\");\n script_dependencies(\"snmp_detect.nasl\");\n script_require_udp_ports(\"Services/udp/snmp\", 161);\n script_mandatory_keys(\"SNMP/v12c/detected_community\");\n\n script_tag(name:\"impact\", value:\"If an attacker is able to guess a PUBLIC community string,\n they would be able to read SNMP data (depending on which MIBs are installed) from the remote\n device. This information might include system time, IP addresses, interfaces, processes\n running, etc.\n\n If an attacker is able to guess a PRIVATE community string (WRITE or 'writeall'\n access), they will have the ability to change information on the remote machine.\n This could be a huge security hole, enabling remote attackers to wreak complete\n havoc such as routing network traffic, initiating processes, etc. In essence,\n 'writeall' access will give the remote attacker full administrative rights over\n the remote machine.\n\n Note that this test only gathers information and does not attempt to write to\n the remote device. 
Thus it is not possible to determine automatically whether\n the reported community is public or private.\n\n Also note that information made available through a guessable community string\n might or might not contain sensitive data. Please review the information\n available through the reported community string to determine the impact of this\n disclosure.\");\n\n script_tag(name:\"solution\", value:\"Determine if the detected community string is a private\n community string. Determine whether a public community string exposes sensitive information.\n Disable the SNMP service if you don't use it or change the default community string.\");\n\n script_tag(name:\"summary\", value:\"Simple Network Management Protocol (SNMP) is a protocol\n which can be used by administrators to remotely manage a computer or network device. There\n are typically 2 modes of remote SNMP monitoring. These modes are roughly 'READ' and 'WRITE'\n (or PUBLIC and PRIVATE).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"snmp_func.inc\");\n\nport = get_snmp_port( default:161 );\n\ncos = make_list( get_kb_list( \"SNMP/\" + port + \"/v12c/detected_community\" ) );\nif( ! cos ) exit( 99 );\n\n# If snmp_default_communities.nasl is detecting more then four different communities there might be something wrong...\nif( get_kb_item( \"SNMP/\" + port + \"/v12c/all_communities\" ) ) exit( 0 );\n\nreport = 'SNMP Agent responded as expected when using the following community name:\\n\\n';\n\n# Sort to not report changes on delta reports if just the order is different\ncos = sort( cos );\n\nforeach co( cos ) {\n report += co + '\\n';\n vuln = TRUE;\n}\n\nif( vuln ) {\n security_message( port:port, data:report, proto:\"udp\" );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}