Oulun yliopisto - Etusivulle University of Oulu in English

ee.oulu.fi

Electrical and Information Engineering

Faculty of Technology > Electrical and Information Engineering > Computer Engineering Laboratory


OUSPG

[This page is CSS2 enabled. Your browser might not fully support it]

PROTOS Test-Suite: c06-snmpv1

$RCSfile: index.html,v $ $Revision: 1.141 $ $Date: 2002/10/17 18:58:44 $
Permission is hereby granted for quoting, reprinting and redistributing
this document, provided that a link to this document is given, and all
changes made are clearly separated from the original text.

ABSTRACT

The Simple Network Management Protocol (SNMP) enables monitoring and configuration of network nodes. The venerable SNMP is almost omni-present amongst a wide variety networked devices ranging from Internet gateways to information appliances. The SNMP version one (SNMPv1) was chosen as the subject protocol for vulnerability assessment through syntax testing and test-suite creation. A survey of the related standards was made. Test-material was prepared and tests were carried out against a sample set of existing implementations. Results were gathered and reported. Many of the implementations available for evaluation failed to perform in a robust manner under test. Some failures had information security implications, and should be considered as vulnerabilities. In order to achieve a robustness baseline for SNMPv1 products this test-material should be adopted for their evaluation and development.

Table of Contents

Introduction

This test-suite is a byproduct of the "PROTOS - Security Testing of Protocol Implementations" project. Important: Background, goals, limitations, terminology and licensing for this test-suite release are explained in the "Test-suite releases in Theory and Practice" document.

This test-suite covers a limited set of information security and robustness related implementation errors for a subset of the chosen protocol. The subject protocol and the chosen subset of it are illustrated in the "Analysis" section below.

Analysis

"SNMP is a communication protocol that has gained widespread acceptance since 1993 as a method of managing TCP/IP works, including individual network devices, and devices in aggregate. SNMP was developed by the IETF (Internet Engineering Task Force), and is applicable to any TCP/IP network, as well as other types of networks." - Open Directory Project [1]

"The Internet Activities Board recommends that all IP and TCP implementations be network manageable." - RFC1157 [2]

The purpose of this test-suite is to evaluate implementation level security and robustness of Simple Network Management Protocol (SNMP) implementations. The factors behind choosing SNMP included:

  • SNMP is widely adopted for managing IP networks, including individual network devices, and devices in aggregate. In other words - there are plenty of different implementations and a myriad of installations. Moreover, even if the SNMP is not in active use inside a network, it may be lying dormant on individual devices by virtue of being included in default configurations.
  • A SNMP manageable devices may be critical for the network infrastructure. Even a denial-of-service attack against such of a device may have serious implications. Therefore locating and fixing common implementation errors should be encouraged.
  • Robustness problems in decoding exceptional BER encoding may lead to situation where application level authentication based access control is ineffective since errors may reside in code that will be involved in parsing the packets before authentication takes place.
  • Since SNMP has been around for a relatively long time implementations should have had time to mature, making them more robust against implementation type errors. Evaluating such mature products should provide us useful feedback on the current state of implementation level robustness in general.

In this test-suite, the focus was set on the certain protocol data units (PDUs), namely requests (GetRequest, GetNextRequest and SetRequest) and traps. The protocol version one (SNMPv1) was chosen. Rationale behind these selections:

  • SNMP agents and trap-aware SNMP managers are by design ready to accept incoming requests and traps without prior session setup. These expose a natural attack vector that should be scrutinized with top priority.
  • All SNMP implementations must support SNMPv1. Moreover, newer versions of the protocol (SNMPv2[p,c,u] and SNMPv3) should be considered as protocols of their own due to the changes in the management paradigm.
  • SNMPv1 has a less complicated structure in comparison to the newer versions. This enables us to concentrate on other things than the protocol specification. Thus, we could expect a test-suite of good quality and coverage.
  • Although SNMPv1 is a venerable protocol, it has no popular and public syntax testing material aimed against robustness problems.
  • Due the widespread nature of SNMPv1, there are plenty of implementations by several vendors available for testing, including equipment that are a critical part of the core Internet infrastructure.

In order to understand the typical deployment scenarios of SNMPv1, some guidelines for securing specific SNMP implementations were reviewed (see Appendix A). Typical recommendations are summarized below in no particular order:

  • A. Choose non-default community names.
  • B. Apply perimeter filtering to SNMP traffic.
  • C. Apply SNMP device based network access control to filter the traffic.
  • D. Isolate SNMP into a separate management VLAN.
  • E. Disable the SNMP functionality if it is not needed.

Assuming recommendation (A) to be the most widely adopted measure, the impact of new potential SNMPv1 vulnerabilities can be roughly categorised based on the dependency on the need-to-know the chosen community names (the authentication scheme). A vulnerability can occur:

  • 1. independently of the community name (greatest impact)
  • 2. with a known read-only community name
  • 3. with a known read-write community name (smallest impact)

The second category was chosen as the initial test-strategy. If a vulnerability is discovered by using a known read-only community name, then it will be verified in context where a correct community name is unknown. Many SNMPv1 implementations appear to use default community names that are well-known, such as 'public'. This fact increases the impact of vulnerabilities in the last two categories.

A survey of pre-existing test-suites was made (see Appendix B). None of the identified test-suites were found to be robustness related, and thus do not contribute in this context.

Design

Standard Survey

The available standards specifying the selected protocol have to be studied, and analysed. The relevant protocol specifications are listed in the table below.

Only the relevant SNMP specifications are listed. Several specifications regarding newer SNMP versions and extensions are left out but are available from IETF. [3]

SNMPv1 Standard survey
Name Document Date Organization Status Link Description
RFC1155 1990-05 IETF RFC (link) Structure and Identification of Management Information for TCP/IP-based Internets
RFC1156 1990-05 IETF RFC (link) Management Information Base for Network Management of TCP/IP-based internet
RFC1157 1990-05 IETF RFC (link) Simple Network Management Protocol (SNMP)
RFC1215 1991-03 IETF RFC (link) A Convention for Defining Traps for use with the SNMP
RFC1270 1991-11 IETF RFC (link) SNMP Communications Services
RFC1352 1992-07 IETF RFC (link) SNMP Security Protocols
RFC2570 1999-04 IETF RFC (link) Introduction to SNMPv3 framework - overall roadmap

For further study, a selection of practical material on SNMPv1 and related issues is given below:

  • comp.protocols.snmp SNMP FAQ [4]
  • TCP/IP Illustrated, Volume 1 by Stevens [5]
  • ASN.1 Complete by Prof. Larmouth [6]

Subject Survey

A survey of available implementations is conducted. This should include a diverse selection of implementations in order to gain a better insight into the applications implementing the protocol, and to give a hint of the impact of the potential vulnerabilities. Typically, not all implementations are available for testing, and thus cannot be tested by the project personnel within this test-suite prerelease phase.

No sample list of implementations is presented herein. A large number of vendors include SNMPv1 support in their products for either manager or agent functionality. A list of vendors with SNMPv1 enabled products may include at least 3Com, Alcatel, Amber Networks, Arbor, Banyan Networks, Canon, Cisco, Compaq, Computer Associates, D-Link, Dell, Digi, Ericsson, Extreme networks, F5, Foundry, Fujitsu Siemens, HP, Hitachi, IBM, ICL, Intel, Juniper Networks, Lantronix, Laurel, Lotus Lucent, Marconi-Fore, Microsoft, Multitech, NET-SNMP, NetGear, Nokia, Nortel, Novell, SMC, Shiva, Siemens, Sumimoto, Sun Microsystems, Telebit, Teledat, Windriver, Xerox, Xylan, Zyxel and many others.

Myriad of products with built-in SNMPv1 support include different models of:

  • managed network building blocks: bridges, hubs, routers, switches, media converters, UPSes, WLAN access points
  • managed network access equipment: cable modems, xDSL equipment, remote access servers
  • security products: firewalls, anti-virus frameworks, network analyzers
  • networked printers/copiers, networked cameras, networked image-scanners
  • managed software components: databases, backup software
  • network management frameworks
  • operating systems
  • networked instruments: oscilloscopes, medical imaging units
  • industrial automation equipment: manufacturing, processing ...

Some specific SNMP implementations and related information may be found from the following resources:

  • The Simpleweb [7]
  • SNMPLink [8]
  • SNMPWorld [9]
  • comp.protocols.snmp SNMP FAQ [4]

A subset of the implementations was chosen as a sample set to be tested during the test-suite creation and pre-release phases. Most likely reasons for omission of a specific product from the sample set include:

  • no evaluation copy of product was available
  • or evaluation copy had a restrictive licence prohibiting evaluation
  • or we were not aware of the product

Injection Vector Survey

The injection vector survey, or delivery vector survey, analyses the different methods of delivering the test-cases to the implementations under test (IUT). Often, there are several methods of injection and one test-suite cannot cover them all, or might miss some vectors not available in all implementations.

Injection vector survey
Application protocol Transport protocol Packet
SNMPv1 Requests UDP (port 161) GetRequest/GetNextRequest/SetRequest PDUs to an agent
SNMPv1 Responses UDP Responses for Request PDUs
SNMPv1 Traps UDP (port 162) Trap-PDUs to a manager (trap listener)

The core specification(s) of the SNMPv1 protocol indicate that UDP over IP is used to transfer SNMPv1 protocol data units (PDU) although the mechanisms of the SNMP are generally suitable for use with a wide variety of transport services. For example RFC1089, RFC1161 and RFC1298 describe the means of transferring SNMPv1 messages over protocols other than UDP over IP. However the UDP over IP is the most used scheme. Hence, the selected UDP delivery vector should provide successful injection of test-cases to all chosen implementations.

About SNMP Architecture

The SNMP architecture is illustrated in the figure below. The figure identifies two major roles (Manager and Agent) and two communication channels (UDP port 161 and UDP port 162).

[Simplified SNMP architecture]

Figure: Simplified SNMP architecture

SNMP managers can be anything from monolithic GUI based management frameworks to individual console applications that communicate over network using SNMPv1 protocol. There are also specific trap listeners for logging and dispatching incoming trap event messages.

SNMP agents can either work alone or with sub-agents. When sub-agents are present, the agent that listens for SNMPv1 requests from managers is called a master agent. The master agent forwards a received request to corresponding sub-agents. This communication may be done using a special sub-agent protocol. If the sub-agent does not respond directly to the requester, then the master agent may be involved in converting the response into SNMPv1 and delivering it to the manager. The master agent may be completely transparent to the manager.

"A master agent provides access to SNMP variables that may be provided by one or more subagents. The master agent usually uses a subagent protocol (AgentX, DPI, SMUX, EMANATE, ...) to interact with the subagents. One of the key features of such an extensible agent is that it is complete transparent to the manager." - SNMP FAQ [4]

A SNMP proxy agent is an element capable of acting as gateway to the other management agents. Proxies could be used to map different management protocols and to pass through an application level firewall.

"The current definition of a proxy SNMP agent is an agent which acts like a gateway to other SNMP agents. This can be useful in order to pass firewalls or to map SNMP protocol versions. Such a proxy is however not transparent to the manager since the manager usually has to select special parameters to address the target agent through the proxy." - SNMP FAQ [4]

Specifications Design

Protocol data unit specifications are used as a basis for generating the test-cases. Starting point for the design of the test-suite is to acquire or create a machine-readable representation of the protocol specification. The test-tool developed in this project uses a custom dialect of BNF (Backus-Naur Form). The BNF is capable of describing context-free syntax of a specification, but is not usually enough for the PDU generation. The specification is completed by semantic rules which semantically extend the BNF and communication rules which provide communication channels with external components. Rules are implemented in Java.

In this test-suite, a BNF presentation of SNMPv1 packet types was needed. Since SNMPv1 specification uses ASN.1 notation, the relevant ASN.1 specifications were manually converted into BNF.

Design of Exceptional Elements

An exceptional element is a piece of data designed to provoke undesired behavior of the subject implementation. A single test-case contains one or more exceptional elements. An exceptional element can be illegal according to protocol specification, but often it is legal or in the hazy region between legal and illegal constructs. In a nutshell, an exceptional element is an input that might not have been considered properly when implementing the software.

ASN.1 Basic Encoding Rules (BER) are used along the SNMPv1 specification to resolve the actual representation of the PDUs. Namely constructed types, field lengths, integers, strings and object identifiers are encoded using BER.

The application logic of a SNMPv1 agent receives data objects from a BER decoder, acts according the requests, and replies to the manager though a BER encoder. A SNMPv1 manager sends requests and listens for replies and trap messages. One might suppose that the use of ASN.1/BER protects the application logic from malformed input. However, any exceptional input which is correctly encoded will pass to the application logic.

Exceptional Element Categories

The following table lists the categories of the exceptional elements designed for the test-material:

Exceptional element categories
Name Description
E-01 Invalid BER length (L) fields. The first part of this group contains valid encodings of exceptional values, while the other part contains invalid length of length BER encodings
E-02 Exceptional elements for Class tags: Universal, Application, Context-specific, Private
E-04 Exceptional elements for BER's T fields number field
E-05 Mostly invalid encodings for BER NULL type
E-06 Mostly invalid encodings for BER BOOLEAN type
E-07 Mostly invalid encodings for BER INTEGER type
E-08 Mostly invalid encodings for BER OCTETSTRING type
E-09 Mostly invalid encodings for BER BITSTRING type
E-10 Mostly invalid encodings for BER SEQUENCE-OF type
E-11 Mostly invalid encodings for BER SET-OF type
E-12 Mostly invalid encodings for BER OBJECT-IDENTIFIER type
E-13 Mostly invalid encodings for BER REAL type
E-14 Mostly invalid encodings for BER ENUMERATED type
E-15 Total garbage with semi correct BER encodings
E-16 BER elements of PDU totally removed one at a time
E-17 Invalid extra data inserted in different parts of the PDU
I-01 Overflows with multiple zeroes and integer coded format strings
I-02 Overflow integers: various very big integers from (+/-)1 to magnitudes (+/-)2^256 and above
I-03 Large boundaric integer values (ie. (2^32)+-1, (2^64)+-1,...)
I-04 SetRequest(3) and Trap(4) PDU types in SNMP messages are replaced with big integers (ie. (2^32)+3, (2^56)+3, (2^64)+3,...)
B-01 Legal values (0x01 - 0x05) for ErrorStatus defined in RFC1157
O-01 General overflow strings consisting of for example from long strings of character 'a'
O-02 Long exceptional strings applied after community name public as VLAN name (ie. public@vlan0). Strings include multiples of 'a', "%s", '0', etc.
O-03 Overflows with null terminator (0x00) inserted at their beginning
O-04 Overflows with null terminator (0x00) inserted in their midst
F-01 Format strings of type "%s", "%s%n%x", "%.999d", "*.*d" and their variants
F-02 Community-specific format strings applied with community name public, ie. "public%s"
O-05 Object-identifier exceptional elements. Very long OIDs, OIDs with extremely big (ie. negative) branches
O-06 Object identifiers for sys.sysDescr, sys.sysName, if.ifNumber if.ifIndex with no, or invalid indexes
O-07 multiple (empty) VarBind entries. OIDs used in VarBind entries are if.ifIndex for Trap-PDU's and sys.sysName for other PDU types
O-08 multiple VarBind entries with short format string ("%s%s%s") as value. OIDs used in VarBind entries are if.ifIndex for Trap-PDU's and sys.sysName for other PDU types.
M-01 Zero length (null) data applied as a value of every BER element of PDU

Legend:

  • B: Bit pattern exceptions
  • E: BER encoding exceptions
  • F: Format string exceptions
  • I: Integer value exceptions
  • M: Missing symbol exceptions
  • O: Overflow exceptions

In "Encoding Exceptions" (letter E), exceptional ASN.1/BER elements are exercised. The purpose is to test the robustness of the BER decoder of the tested SNMPv1 implementation.

In "Application Exceptions" (other letters), correctly formatted ASN.1/BER elements contain exceptional data objects. The purpose is to test the robustness of the application logic of the SNMPv1 implementation.

Design of Test-Material

The tests are divided into four separate test-material packages. Each test-material package consists of a certain amount of test-cases. The test-cases are organized into test-groups so that similar kind of cases reside in a same group. Details for each package are presented below.

Req-App

10601 test-cases: GetRequest, GetNextRequest and SetRequest PDUs with application exceptions

Test-groups in req-app
Name Category First index # Test-cases
zero-case-get-req valid 0 1
zero-case-get-next-req valid 1 1
zero-case-set-req valid 2 1
get-req-version-integer I-01, I-02, I-03 3 374
get-req-requestid-integer I-01, I-02, I-03 377 374
get-req-errorstatus-integer I-01, I-02, I-03 751 374
get-req-errorindex-integer-big B-01, I-01, I-02 1125 303
get-req-errorindex-integer-boundary B-01, I-03 1428 355
get-req-communityname-overflow O-01 1783 111
get-req-communityname-overflow-fmtstring F-01, F-02 1894 82
get-req-communityname-overflow-extra-null O-03, O-04 1976 109
get-req-communityname-vlan-overflow O-02 2085 244
get-req-varb-objectname-oid O-05 2329 64
get-req-varb-objectname-oid-with-fmtstring O-05, F-01 2393 64
get-req-varb-objectname-oid-invalid-index O-06 2457 88
get-req-varb-sysname-string-overflow O-01 2545 111
get-req-varb-sysname-string-overflow-fmtstring F-01 2656 36
get-req-varb-sysname-string-overflow-extra-null O-03, O-04 2692 109
get-req-varb-sysname-object-oid O-05 2801 64
get-req-varb-sysname-number-integer I-01, I-02, I-03 2865 374
get-req-varb-sysname-address-integer-small I-01 3239 33
get-req-varb-sysname-counter-integer I-01, I-02, I-03 3272 374
get-req-varb-sysname-gauge-integer I-01, I-02, I-03 3646 374
get-req-varb-sysname-timeticks-integer I-01, I-02, I-03 4020 374
get-req-varb-sysname-opaque-integer I-01, I-02, I-03 4394 374
get-req-varb-multiple O-07, O-08 4768 34
get-req-missing-data M-01 4802 15
getn-req-errorstatus-integer I-01, I-02, I-03 4817 374
getn-req-errorindex-integer-big B-01, I-01, I-02 5191 303
getn-req-errorindex-integer-boundary B-01, I-03 5494 355
getn-req-varb-objectname-oid O-05 5849 64
getn-req-varb-objectname-oid-with-fmtstring O-05, F-01 5913 64
getn-req-varb-objectname-oid-invalid-index O-06 5977 88
getn-req-varb-multiple O-07, O-08 6065 34
getn-req-missing-data M-01 6099 15
set-req-errorstatus-integer I-01, I-02, I-03 6114 374
set-req-errorindex-integer-big B-01, I-01, I-02 6488 303
set-req-errorindex-integer-boundary B-01, I-03 6791 355
set-req-communityname-overflow O-01 7146 111
set-req-communityname-overflow-fmtstring F-01, F-02 7257 82
set-req-communityname-overflow-extra-null O-03, O-04 7339 109
set-req-communityname-vlan-overflow O-02 7448 244
set-req-varb-objectname-oid O-05 7692 128
set-req-varb-objectname-oid-with-fmtstring O-05, F-01 7820 64
set-req-varb-objectname-oid-invalid-index O-06 7884 176
set-req-varb-sysdescr-string-overflow O-01 8060 111
set-req-varb-sysdescr-string-overflow-fmtstring F-01 8171 36
set-req-varb-sysdescr-string-overflow-extra-nul O-03, O-04 8207 109
set-req-varb-sysname-string-overflow O-01 8316 111
set-req-varb-sysname-string-overflow-fmtstring F-01 8427 36
set-req-varb-sysname-string-overflow-extra-null O-03, O-04 8463 109
set-req-varb-sysname-object-oid O-05 8572 64
set-req-varb-sysname-number-integer I-01, I-02, I-03 8636 374
set-req-varb-sysname-address-integer-small I-01 9010 33
set-req-varb-sysname-counter-integer I-01, I-02, I-03 9043 374
set-req-varb-sysname-gauge-integer I-01, I-02, I-03 9417 374
set-req-varb-sysname-timeticks-integer I-01, I-02, I-03 9791 374
set-req-varb-sysname-opaque-integer I-01, I-02, I-03 10165 374
set-req-varb-multiple O-07, O-08 10539 34
set-req-missing-data M-01 10573 15
set-req-request-type-shadow I-04 10588 13

Legend:

  • Name column presents the tag-names of the test-groups. Tags map in some extent to field names in SNMPv1 PDUs defined in RFC1157. Tags can be used to follow which parts of the PDU are being tested, and how. For example, get-req-communityname-overflow indicates that exceptional elements aiming to reveal buffer overflow vulnerabilities are inserted to the Community-field of the GetRequest-PDU.
  • Category column describes which exceptional element categories are integrated in the test-group. Ie. category O-01 in above example is deduced from this column.
  • "Test-cases" and "First index #" columns describe how many test-cases belong to the test-group, describing the first test-case number, and the number of cases from there on.

Req-Enc

18915 test-cases: GetRequest, GetNextRequest and SetRequest PDUs with encoding exceptions

Test-groups in req-enc
Name Category First index # Test-cases
zero-case-get-req valid 0 1
zero-case-get-next-req valid 1 1
zero-case-set-req valid 2 1
get-req-ber-t-class E-02 3 76
get-req-ber-t-number E-04 79 516
get-req-ber-l-length E-01 595 1180
get-req-ber-tlv-NULL E-05 1775 288
get-req-ber-tlv-BOOLEAN E-06 2063 336
get-req-ber-tlv-INTEGER E-07 2399 360
get-req-ber-tlv-OCTETSTRING E-08 2759 264
get-req-ber-tlv-BITSTRING E-09 3023 264
get-req-ber-tlv-REAL E-13 3287 624
get-req-ber-tlv-OBJECT-IDENTIFIER E-12 3911 456
get-req-ber-tlv-SEQUENCE-OF E-10 4367 480
get-req-ber-tlv-SET-OF E-11 4847 384
get-req-ber-tlv-ENUMERATED E-14 5231 290
get-req-ber-tlv-noise E-15 5521 790
get-req-extra-data-inside E-17 6311 252
get-req-extra-data-inside-varbind E-17 6563 378
get-req-extra-data-outside E-17 6941 63
get-req-missing-field E-16 7004 11
getn-req-ber-t-class E-02 7015 68
getn-req-ber-t-number E-04 7083 430
getn-req-ber-l-length E-01 7513 1003
getn-req-ber-tlv-NULL E-05 8516 216
getn-req-ber-tlv-BOOLEAN E-06 8732 252
getn-req-ber-tlv-INTEGER E-07 8984 270
getn-req-ber-tlv-OCTETSTRING E-08 9254 192
getn-req-ber-tlv-BITSTRING E-09 9446 198
getn-req-ber-tlv-REAL E-13 9644 468
getn-req-ber-tlv-OBJECT-IDENTIFIER E-12 10112 342
getn-req-ber-tlv-SEQUENCE-OF E-10 10454 360
getn-req-ber-tlv-SET-OF E-11 10814 288
getn-req-ber-tlv-ENUMERATED E-14 11102 261
getn-req-ber-tlv-noise E-15 11363 711
getn-req-extra-data-inside E-17 12074 252
getn-req-extra-data-inside-varbind E-17 12326 378
getn-req-extra-data-outside E-17 12704 63
getn-req-missing-field E-16 12767 9
set-req-ber-t-class E-02 12776 68
set-req-ber-t-number E-04 12844 430
set-req-ber-l-length E-01 13274 1003
set-req-ber-tlv-NULL E-05 14277 216
set-req-ber-tlv-BOOLEAN E-06 14493 252
set-req-ber-tlv-INTEGER E-07 14745 270
set-req-ber-tlv-OCTETSTRING E-08 15015 192
set-req-ber-tlv-BITSTRING E-09 15207 198
set-req-ber-tlv-REAL E-13 15405 468
set-req-ber-tlv-OBJECT-IDENTIFIER E-12 15873 342
set-req-ber-tlv-SEQUENCE-OF E-10 16215 360
set-req-ber-tlv-SET-OF E-11 16575 288
set-req-ber-tlv-ENUMERATED E-14 16863 261
set-req-ber-tlv-noise E-15 17124 711
set-req-extra-data-inside E-17 17835 252
set-req-extra-data-inside-varbind E-17 18087 756
set-req-extra-data-outside E-17 18843 63
set-req-missing-field E-16 18906 9

Legend: [see first test-group table above]

Trap-App

15323 test-cases: Trap PDUs with application exceptions

Test-groups in trap-app
Name Category First index # Test-cases
trap-coldstart-valid valid 0 1
trap-warmstart-valid valid 1 1
trap-linkdown-valid valid 2 1
trap-linkup-valid valid 3 1
trap-authenticationfailure-valid valid 4 1
trap-egbneighborloss-valid valid 5 1
trap-request-type-shadow I-04 6 13
trap-version-integer I-01, I-02, I-03 19 284
trap-communityname-overflow O-01 303 111
trap-communityname-overflow-fmtstring F-01, F-02 414 82
trap-communityname-overflow-extra-null O-03, O-04 496 79
trap-communityname-vlan-overflow O-02 575 244
trap-enterprise-oid O-05 819 64
trap-enterprise-oid-invalid-index O-06 883 86
trap-agent-addr-integer I-01, I-02, I-03 969 284
trap-generic-trap-integer I-01, I-02, I-03 1253 284
trap-specific-trap-integer I-01, I-02, I-03 1537 284
trap-time-stamp-integer I-01, I-02, I-03 1821 284
trap-start-varb-objectname-oid O-05 2105 128
trap-start-varb-objectname-oid-invalid-index O-06 2233 172
trap-start-varb-objectsyntax-string-overflow O-01 2405 222
trap-start-varb-objectsyntax-string-overflow-fmtstring F-01 2627 72
trap-start-varb-objectsyntax-string-overflow-extra-null O-03, O-04 2699 158
trap-start-varb-objectsyntax-object-oid O-05 2857 128
trap-start-varb-objectsyntax-number-integer I-01, I-02, I-03 2985 568
trap-start-varb-objectsyntax-networkaddress-integer I-01, I-02, I-03 3553 568
trap-start-varb-objectsyntax-counter-integer I-01, I-02, I-03 4121 568
trap-start-varb-objectsyntax-gauge-integer I-01, I-02, I-03 4689 568
trap-start-varb-objectsyntax-timeticks-integer I-01, I-02, I-03 5257 568
trap-start-varb-objectsyntax-opaque-integer I-01, I-02, I-03 5825 568
trap-start-varb-multiple O-07, O-08 6393 68
trap-start-missing-data M-01 6461 32
trap-link-varb-objectname-oid O-05 6493 128
trap-link-varb-objectname-oid-invalid-index O-06 6621 172
trap-link-varb-objectsyntax-string-overflow O-01 6793 224
trap-link-varb-objectsyntax-string-overflow-fmtstring F-01 7017 72
trap-link-varb-objectsyntax-string-overflow-extra-null O-03, O-04 7089 158
trap-link-varb-objectsyntax-object-oid O-05 7247 128
trap-link-varb-objectsyntax-number-integer I-01, I-02, I-03 7375 568
trap-link-varb-objectsyntax-networkaddress-integer I-01, I-02, I-03 7943 568
trap-link-varb-objectsyntax-counter-integer I-01, I-02, I-03 8511 568
trap-link-varb-objectsyntax-gauge-integer I-01, I-02, I-03 9079 568
trap-link-varb-objectsyntax-timeticks-integer I-01, I-02, I-03 9647 568
trap-link-varb-objectsyntax-opaque-integer I-01, I-02, I-03 10215 568
trap-link-varb-multiple O-07, O-08 10783 68
trap-link-missing-data M-01 10851 32
trap-authfail-varb-objectname-oid O-05 10883 64
trap-authfail-varb-objectname-oid-invalid-index O-06 10947 86
trap-authfail-varb-objectsyntax-string-overflow O-01 11033 112
trap-authfail-varb-objectsyntax-string-overflow-fmtstring F-01 11145 36
trap-authfail-varb-objectsyntax-string-overflow-extra-null O-03, O-04 11181 79
trap-authfail-varb-objectsyntax-object-oid O-05 11260 64
trap-authfail-varb-objectsyntax-number-integer I-01, I-02, I-03 11324 284
trap-authfail-varb-objectsyntax-networkaddress-integer I-01, I-02, I-03 11608 284
trap-authfail-varb-objectsyntax-counter-integer I-01, I-02, I-03 11892 284
trap-authfail-varb-objectsyntax-gauge-integer I-01, I-02, I-03 12176 284
trap-authfail-varb-objectsyntax-timeticks-integer I-01, I-02, I-03 12460 284
trap-authfail-varb-objectsyntax-opaque-integer I-01, I-02, I-03 12744 284
trap-authfail-varb-multiple O-07, O-08 13028 34
trap-authfail-missing-data M-01 13062 16
trap-neighloss-varb-objectname-oid O-05 13078 64
trap-neighloss-varb-objectname-oid-invalid-index O-06 13142 86
trap-neighloss-varb-objectsyntax-string-overflow O-01 13228 112
trap-neighloss-varb-objectsyntax-string-overflow-fmtstring F-01 13340 36
trap-neighloss-varb-objectsyntax-string-overflow-extra-null O-03, O-04 13376 79
trap-neighloss-varb-objectsyntax-object-oid O-05 13455 64
trap-neighloss-varb-objectsyntax-number-integer I-01, I-02, I-03 13519 284
trap-neighloss-varb-objectsyntax-networkaddress-integer I-01, I-02, I-03 13803 284
trap-neighloss-varb-objectsyntax-counter-integer I-01, I-02, I-03 14087 284
trap-neighloss-varb-objectsyntax-gauge-integer I-01, I-02, I-03 14371 284
trap-neighloss-varb-objectsyntax-timeticks-integer I-01, I-02, I-03 14655 284
trap-neighloss-varb-objectsyntax-opaque-integer I-01, I-02, I-03 14939 284
trap-neighloss-varb-multiple O-07, O-08 15223 34
trap-neighloss-missing-data M-01 15257 16
trap-enterprise-varb-multiple O-07, O-08 15273 34
trap-enterprise-missing-data M-01 15307 16

Legend: [see first test-group table above]

Trap-Enc

8777 test-cases: Trap PDUs with encoding exceptions

Test-groups in trap-enc
Name Category First index # Test-cases
trap-coldstart-valid valid 0 1
trap-warmstart-valid valid 1 1
trap-linkdown-valid valid 2 1
trap-linkup-valid valid 3 1
trap-authenticationfailure-valid valid 4 1
trap-egbneighborloss-valid valid 5 1
trap-ber-t-class E-02 6 84
trap-ber-t-number E-04 90 559
trap-ber-l-length E-01 649 1298
trap-ber-tlv-NULL E-05 1947 312
trap-ber-tlv-BOOLEAN E-06 2259 364
trap-ber-tlv-INTEGER E-07 2623 390
trap-ber-tlv-OCTETSTRING E-08 3013 312
trap-ber-tlv-BITSTRING E-09 3325 286
trap-ber-tlv-REAL E-13 3611 676
trap-ber-tlv-OBJECT-IDENTIFIER E-12 4287 494
trap-ber-tlv-SEQUENCE-OF E-10 4781 520
trap-ber-tlv-SET-OF E-11 5301 416
trap-ber-tlv-ENUMERATED E-14 5717 348
trap-ber-tlv-noise E-15 6065 936
trap-extra-data-inside E-17 7001 756
trap-extra-data-inside-varbind E-17 7757 756
trap-extra-data-outside E-17 8513 252
trap-missing-field E-16 8765 12

Legend: [see first test-group table above]

Test-Material Default Values

All test-cases have been initialized with default values listed below. One or more of the listed values are altered when exceptional elements are applied to the PDU.

Default values used in req-app and req-enc:

  • Version: 0
  • Community: "public"
  • PDU-Type: GetRequest | GetNextRequest | SetRequest
  • RequestID: test-case index
  • ErrorStatus: 0
  • ErrorIndex: 0
  • Single VarBind:
    • ObjectName: sys.SysName (1.3.6.1.2.1.1.5.0)
    • ObjectSyntax: empty (GetRequest, GetNextRequest) | 'c06-snmpv1' (SetRequest)

Default values used in trap-app and trap-enc:

  • Version: 0
  • Community: "public"
  • PDU-Type: Trap
  • Enterprise: unix.agents.fourBSD-isode.21 (1.3.6.1.4.1.4.1.2.21)
  • Agent-addr: 127.0.0.1
  • Generic-trap: ColdStart (0x00)
  • Specific-trap: 0x00
  • Time-stamp: test-case index
  • Single VarBind:
    • ObjectName: if.ifNumber (1.3.6.1.2.1.2.1.0)
    • ObjectSyntax: 0x21

Injection

The test-tool provides communication rules for test-case injection. SNMPv1 PDUs can be injected using a simple UDP injector. Optionally, responses from the subject can be monitored.

Semantic Rules

The test-tool provides semantic rules as method for augmenting the (already extended) BNF specification.

SNMPv1 requires use of the basic encoding rules (BER) for formatting octets sent over the UDP over IP connection. BER is a simple encoding method and can be modeled with BNF except for the length fields. Semantic rules for encoding/decoding BER Integers and Object-Identifiers were developed for this test-suite.

Instrumentation

With instrumentation on the target platform we are able to monitor for undesired behavior of the subject implementation. Typically this manifests as exceptions or signals such as 'access violation' or 'segmentation fault'. Unfortunately, the modern trend of abusing the try-catch -type of constructs easily masks the exceptions generated by stack and memory corruption. Catching these hidden exceptions relies on the debugging skills of the developers themselves.

Zero-case instrumentation will be bundled with the test-material. In this rather crude method, a valid PDU (zero-case) that should result in a valid reply is sent to the subject between real test-cases until a response is received. Hence, if no response from the subject is detected, it has failed. This method is especially convenient when testing black-box hardware implementations. Unfortunately, zero-case instrumentation is not available with Trap-PDUs since implementations should never reply to the received traps.

Implementation

Test-runs were conducted against the chosen set of sample implementations. Specifications, exceptional elements, semantic rules, injectors and instrumentation were integrated as a test-tool configuration to enable automatic execution of the tests.

Results from the Test-Runs

Results from the test-runs are summarised herein. Tables below represent the observations from feeding the test-material against the chosen subject software. Product names of the actual subjects are omitted to protect the innocent. Results are presented in a tabular form with test-cases divided into test-groups based on the exceptional element types utilised and PDU fields under examination.

Each failed test-case represents at minimum a denial of service type chance of exploiting the found vulnerability. In most cases, they represent memory corruption, stack corruption or other fatal error conditions. Some of these may lead exposure to typical buffer overflow exploits, allowing running of arbitrary code or modification of the target system.

The recommendations for securing SNMP implementations presented in the Analysis section were tried against each sample implementation when suitable.

Changing the community name worked only for some implementations, but not especially for those which had problems with exceptional community names. Network access control was soon discovered to be insufficient since UDP source address can be easily spoofed. Disabling the SNMP functionality worked usually when there was a possibility to do so. However, there was one implementation that continued to receive SNMP packets even after SNMP was disabled. It did not respond to valid SNMP requests, but crashed when certain test-cases were injected. All sample implementations accepted SNMPv1 packets sent to the network broadcast address, this is most likely due to nature of the typical bind() usage with INADDR_ANY address.

Test-Result Definitions

In this test-suite, the 'failed' status is granted if any of the following criteria are met and a single test-case can be identified to be responsible of it:

  • A fatal failure is triggered in a device causing it to stop functioning normally
  • A SNMP process or a device crashes or hangs and needs to be restarted manually
  • A SNMP process or a device crashes and restarts automatically
  • A SNMP process consumes almost all CPU and/or memory resources for an exceptionally long or indefinite time

If no single test-case can be identified but similar effects are observed, the status is 'inconclusive'.

If the 'failed' status happens to be independent of SNMP community names, it is upgraded to 'failed unconditionally'. This is the worst status that can be given.

In some cases, the subject gets corrupted so badly or is fundamentally so instable that there is no way to collect accurate test-results for the whole test-run. The untested regions are marked as 'unknown'.

Otherwise, the status is 'passed'.

Test-Results by Test-Groups

These tables show how effective different test-groups were in the test-runs. A test-group is marked failed if any single case or combination of cases cause the subject to fail. Note that if a subject fails in a format string (fmtstring) test-group, the failure may be triggered by a very long format string causing an overflow condition. Should implementation have failed format string category, but not previous overflow category, then implementation is more or very likely to contain real format string type of vulnerability.

Observed failures for req-app test-groups
Test-group / Test-run # 001 002 003 004 005 006 007 008
... . . . . . . . .
get-req-communityname-overflow - - U - - U - -
get-req-communityname-overflow-fmtstring - - U - - U - -
get-req-communityname-overflow-extra-null - - U - - U - -
get-req-communityname-vlan-overflow - - - - - U - -
get-req-varb-objectname-oid X - - U - - X -
get-req-varb-objectname-oid-with-fmtstring X - - U - - X -
get-req-varb-objectname-oid-invalid-index I - - - - - - -
... . . . . . . . .
get-req-varb-sysname-object-oid - - - U - - - -
... . . . . . . . .
get-req-varb-multiple X - - - - - - -
... . . . . . . . .
getn-req-varb-objectname-oid X - - U - - X -
getn-req-varb-objectname-oid-with-fmtstring X - - U - - X -
getn-req-varb-objectname-oid-invalid-index I - - - - - - -
getn-req-varb-multiple X - - - - - - -
... . . . . . . . .
set-req-communityname-overflow - - U - - U - -
set-req-communityname-overflow-fmtstring - - U - - U - -
set-req-communityname-overflow-extra-null - - U - - U - -
set-req-communityname-vlan-overflow - - - - - U - -
set-req-varb-objectname-oid - - - U - - - -
set-req-varb-objectname-oid-with-fmtstring - - - U - - - -
... . . . . . . . .
set-req-varb-sysname-object-oid - - - U - - - -
... . . . . . . . .

Legend:

  • nnn: Each different test-run (tr-nnn) represents a different tested implementation.
  • X: Verdict is failed
  • U: Verdict is failed unconditionally (no need-to-know a valid community name)
  • I: Verdict is inconclusive
  • -: Verdict is passed
Observed failures for req-enc test-groups
Test-group / Test-run # 001 002 003 004 005 006 007 008
... . . . . . . . .
get-req-ber-l-length - - U - X - U U
... . . . . . . . .
get-req-ber-tlv-OBJECT-IDENTIFIER - - - - - - X -
... . . . . . . . .
get-req-ber-tlv-noise - - - - - - X -
... . . . . . . . .
getn-req-ber-l-length - - U - X - X U
... . . . . . . . .
getn-req-ber-tlv-OBJECT-IDENTIFIER - - - - - - X -
... . . . . . . . .
getn-req-ber-tlv-noise - - - - - - X -
... . . . . . . . .
set-req-ber-t-number - - U - - - - -
set-req-ber-l-length - - U - X - - -
... . . . . . . . .
set-req-ber-tlv-BITSTRING - - U - - - - -
... . . . . . . . .

Legend: [see first result table above]

Observed failures for trap-app test-groups
Test-group / Test-run # 009 010 011 012
... . . . .
trap-enterprise-oid - - - I
... . . . .
trap-start-varb-objectsyntax-string-overflow - U U -
... . . . .
trap-start-varb-objectsyntax-string-overflow-extra-null - U - -
trap-start-varb-objectsyntax-object-oid U - - -
... . . . .
trap-start-varb-objectsyntax-opaque-integer - U U -
trap-start-varb-multiple U U - -
... . . . .
trap-link-varb-objectsyntax-string-overflow - U U -
... . . . .
trap-link-varb-objectsyntax-string-overflow-extra-null - U - -
trap-link-varb-objectsyntax-object-oid U - - -
... . . . .
trap-link-varb-objectsyntax-opaque-integer - U U -
trap-link-varb-multiple U U - -
... . . . .
trap-authfail-varb-objectsyntax-string-overflow - U U -
... . . . .
trap-authfail-varb-objectsyntax-string-overflow-extra-null - U - -
trap-authfail-varb-objectsyntax-object-oid U - - -
... . . . .
trap-authfail-varb-objectsyntax-opaque-integer - U U -
trap-authfail-varb-multiple U U - -
... . . . .
trap-neighloss-varb-objectsyntax-string-overflow - U U -
... . . . .
trap-neighloss-varb-objectsyntax-string-overflow-extra-null - U - -
trap-neighloss-varb-objectsyntax-object-oid U - - -
... . . . .
trap-neighloss-varb-objectsyntax-opaque-integer - U U -
trap-neighloss-varb-multiple U U - -
... . . . .
trap-enterprise-varb-multiple U U - -
... . . . .

Legend: [see first result table above]

Observed failures for trap-enc test-groups
Test-group / Test-run # 009 010 011 012
trap-ber-t-class - - U -
trap-ber-t-number - - U -
trap-ber-l-length U - U -
... . . . .
trap-ber-tlv-BOOLEAN - - U I
... . . . .
trap-ber-tlv-OCTETSTRING - U - -
trap-ber-tlv-BITSTRING - U U -
trap-ber-tlv-REAL - - U -
trap-ber-tlv-OBJECT-IDENTIFIER - U - -
trap-ber-tlv-SEQUENCE-OF - U U I
trap-ber-tlv-SET-OF - U U -
trap-ber-tlv-ENUMERATED - - U I
trap-ber-tlv-noise - - U -
... . . . .

Legend: [see first result table above]

Test-Results Summary

The results are further summarised in the tables below.

Results summary for req-app
Test-run # Total test-cases Failed test-cases Total groups Failed groups
tr-001 10601 N 61 8
tr-002 10601 0 61 0
tr-003 10601 13 61 6
tr-004 10601 16 61 8
tr-005 10601 0 61 0
tr-006 10601 224 61 8
tr-007 10601 57 61 4
tr-008 10601 0 61 0

Legend:

  • N: We were unable to determine the exact number of failures. See the more detailed tables above.
Results summary for req-enc
Test-run # Total test-cases Failed test-cases Total groups Failed groups
tr-001 18915 0 57 0
tr-002 18915 0 57 0
tr-003 18915 N 57 5
tr-004 18915 0 57 0
tr-005 18915 4 57 3
tr-006 18915 0 57 0
tr-007 18915 N 57 5
tr-008 18915 10 57 2

Legend: [see first summary table above]

Results summary for trap-app
Test-run # Total test-cases Failed test-cases Total groups Failed groups
tr-009 15323 N 76 9
tr-010 15323 166 76 17
tr-011 15323 12 76 8
tr-012 15323 N 76 1

Legend: [see first summary table above]

Results summary for trap-enc
Test-run # Total test-cases Failed test-cases Total groups Failed groups
tr-009 8777 5 24 1
tr-010 8777 24 24 5
tr-011 8777 N 24 10
tr-012 8777 N 24 3

Legend: [see first summary table above]

Verification via Exploits

To support the vulnerability reporting process, typically one exploit per implementation is refined and included in the respective vulnerability report. The exploit is only intended for demonstration purposes and is harmless as it is. Simplest of them only executes some harmless commands in the target system, typically with the privileges of the vulnerable process. Some only provide a demonstration by causing a Denial of Service (DoS) against the software.

Buffer overflow exploits allowing execution of arbitrary code were demonstrated against:

  • One SNMP master agent bundled in an embedded firewall and VPN appliance
  • Two SNMP master agents bundled as part of the operating systems in question
  • One SNMP trap listener bundled as part of the operating system in question
  • Two add-on trap listeners available as parts of SNMP management frameworks

In the initial set of the tested products, denial of service was demonstrated for the remaining master agents (three network devices) and one trap listener (management framework) identified as vulnerable.

Test-Material Package

Package Information

The test-material is distributed as four JAR packages, two for Request-PDUs (GetRequest, GetNextRequest and SetRequest) and two for Trap-PDUs. Of the two JAR packages for given PDU type one contains the application part and the other the BER encoding part of test-cases. Each package comprises of the following elements:

  • Test-cases (PDUs), located in testcases/ directory
  • Java code (source and compiled) for feeding the test-cases against the system under test
  • LICENSE.TXT - GNU General Public License (GPL) version 2
  • README.TXT - Short instructions

Licence and Copyright

The test-material is licensed under GNU General Public License (GPL) version 2, at no charge. This is done in order to ensure that vendors and their customers may freely utilise the test-material. Standard GPL terms for no warranty and no liability apply.

We recommend some additional guidelines, although these do not restrict the test-material licence. These guidelines can be found from the "test-suite releases in Theory and Practice" document.

Usage

A prerequisite for using the test-material is a properly configured SNMPv1 implementation, preferably not in an open network.

The test-material can be used either with the bundled injection code [Using with Java] or with an external injector [Using single test-cases].

Using with Java

Java Runtime is a prerequisite for running the bundled Java code. This package has been tested on Java 2 Platform, Standard Edition (J2SE ). [10]

Usage examples for the injection code bundled in the JAR packages:

java -jar c06-snmpv1-req-app-r1.jar -help
This command displays the built-in help for the available command line options. Options such as selecting the zero-case instrument, a specific range of test-cases, showing the reply from subject or non-standard destination port are high-lighted therein.
java -jar c06-snmpv1-req-app-r1.jar -host hostname -single <index> -showreply
Send the req-app test-case index into SNMP server hostname port 161 and show reply from the server (if any). Please note that -showreply is not relevant with SNMP traps.
java -jar c06-snmpv1-req-app-r1.jar -host hostname -delay 1000
Send all req-app test-cases into SNMP server hostname port 161 with a delay of 1000 milliseconds between each case.
java -jar c06-snmpv1-req-app-r1.jar -host hostname -zerocase
Run all req-app test-cases into SNMP server hostname port 161. A valid zero-case (test-case# 0) is injected between the real test-cases and a reply to it is awaited for. Please note that -zerocase switch works only with Request-PDUs, SNMPv1 trap handling does not involve responses.

Using without Java

The test-cases (PDUs) are in raw binary format and can be used by any suitable delivery software, such as nc (netcat). The individual test-cases can be extracted from the JAR package with tools such as unzip, Winzip or jar. Refer to the manual pages and product documentation of the respective tools for additional information.

Download

Request Material

These JAR packages contain the req-app and req-enc test-material and the corresponding PGP signatures.

Trap Material

These JAR packages contain the trap-app and trap-enc test-material and the corresponding PGP signatures.

Notes

Be sure to check which PDU types the subject accepts. Zero-case instrument requires that the subject has a properly configured 'public' SNMP read community. Otherwise the subject will not respond to valid test-cases. However, if you want to test a subject with a different community, the default zero-case (test-case# 0) can be replaced. Using a hex editor, 'public' can be changed to 'foobar' and because they have the same length, the packet validity is preserved. Remember that zero-case instrumentation works only with Request-PDU packages, because SNMP traps are never replied to.

For the best possible replication of results gathered by us, request JAR test-cases should be ran using switches -zerocase and -showreply. For the trap JARs no additional switches except for the -host should be used. This ensures that timeouts and configuration options match as far as possible those used in our test-runs. As mentioned earlier, community name 'public' was used as read community and no write community was defined.

Sending test-cases with different timeouts, in different order and so on may reveal error modes we did not notice. Also, setting write community to public or read community to something other than public are likely to have significant effect on results and possible error modes observed.

Conclusions

The initial results from the c06-snmpv1 tests indicate that implementation errors plague several SNMP products. None from the sample of twelve implementations survived the test-material. This is most alarming since SNMPv1 is widely used in critical parts of network infrastructure.

Attempts to secure the sample implementations from the found vulnerabilities produced various results. Applying device based access control to SNMP traffic was mostly useless since spoofing the UDP source address is simple. All sample implementations by default accepted SNMP packets sent to the network broadcast address, and this lessens the effort needed to exploit the vulnerabilities. A potential attacker does not need to know the actual IP-addresses of his targets and can in worst case use a single broadcast packet to compromise a whole network without ever having to find out a valid SNMP community name. In some cases, SNMP could not be fully disabled and there was no other way to secure an implementation than to plug it off the network.

Since the test-material can discover only a fraction of potential implementation errors, it is likely that we have simply touched the tip of the iceberg. We hope that a wide adoption of this test-suite will raise the overall quality of SNMP products and will help implementors to fix also those vulnerabilities not directly addressed by it.

Acknowledgments

We wish to express our gratitude to individual vendors who worked with us to protect their customers. We are in debt to Sonera Corporation for providing us facilities and support in determing the impact of the test-suite. Last, but not least, we are grateful to CERT/CC for their patient help, advice and active role during the vulnerability process. We admire CERT/CC's ability and sacrifice in handling the complexity of the issue, number of the vendors involved and the resulting flood of communication during extended time-frame spanning several months.

Vulnerability Management

Prior Public Vulnerabilities

The most common sources for vulnerability information and exploits were covered and cross checked for potential and already known vulnerabilities in the implementations of the chosen protocol. Typical sources for finding out about existing vulnerabilities are databases and mailing-lists. Search-engines may also reveal information on past vulnerabilities.

The Vulnerability Process

During the prerelease phase all verified vulnerabilities were reported to the respective vendors. The vulnerability reports were tracked by the CERT/CC in role of an independent coordinator and advisor. [11] Due to potentially large number of vendors affected, an attempt to establish a channel for discussion and test-material distribution was made with CERT/CC.

Advisories and Vendor Statements

Vendor statements or security advisories issued in order to address the vulnerabilities uncovered by this test-suite are collected. Advisories that we are aware of are listed here-in:

  • [CERT/CC 2002-02-12] CERT® Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)

References

[1]
"Open Directory Project : Top : Computers : Internet : Protocols". Open directory project. http://dmoz.org/Computers/Internet/Protocols/desc.html.
[2]
Case, J; Fedor, M; Schoffstall, M & Davin J. (1990). "A Simple Network Management Protocol (SNMP)". The Internet Engineering Task Force. http://www.ietf.org/rfc/rfc1157.txt.
[3]
"The Internet Engineering Task Force". http://www.ietf.org/.
[4]
"comp.protocols.snmp SNMP FAQ". http://www.faqs.org/faqs/snmp-faq/.
[5]
Stevens, Richard W. TCP/IP Illustrated, Volume 1. (1994). Addison-Wesley. ISBN: 0-201-63346-9.
[6]
Larmouth, John. ASN.1 Complete. (1999). Morgan Kaufmann. http://www.oss.com/asn1/larmouth.html. ISBN: 0-12233-435-3.
[7]
"The SimpleWeb". http://www.simpleweb.org/.
[8]
"SNMPLink.org". http://www.snmplink.org/.
[9]
"SNMPWorld". http://silver.he.net/~rrg/snmpworld.htm.
[10]
"Java 2 Platform, Standard Edition (J2SE)". http://java.sun.com/j2se/1.3/.
[11]
"CERT/CC". http://www.cert.org/.

Appendix A: Guidelines for Securing SNMP

As part of the analysis for the PROTOS c06-snmpv1 test-suite, some guidelines for securing specific SNMP implementations were reviewed.

Securing SNMP on Solaris
http://ist.uwaterloo.ca/security/howto/2000-10-04/
Securing SNMP in Windows
http://www.sans.org/infosecFAQ/incident/SNMP.htm
Securing your Cisco Router when using SNMP
http://www.sans.org/infosecFAQ/netdevices/router.htm
SNMP - simple management tool for hackers?
http://www.nwfusion.com/newsletters/sec/1004sec1.html
Windows 2000, SNMP and Security
http://www.securityfocus.com/focus/microsoft/2k/snmp.html

Appendix B: Related Test-Suites

A survey of other existing test-suites related to SNMP was conducted. The found test-suites focused on rather semantical issues, with no or only some syntax testing material.

http://www.iwl.com
"InterWorking Labs provides SilverCreek(R), the SNMP Test-Suite, for software engineers to find and fix bugs in their SNMP agent implementations. With nearly 1,000 tests available for SNMPv1, v2, v3, and semantic tests for RMON1, RMON2, and the Printer MIB, InterWorking Labs has revolutionised the process of testing network products."
http://www.smplsft.com/stest.html
"SimpleTester is an easy to use test tool that automatically tests SNMPv1, SNMPv2C and SNMPv3 agents. Using this tool you can exhaustively test agents implementing standard and enterprise specific MIBs within minutes. Over 800 semantic validation tests for popular MIBs like MIB-II, mini-RMON and SNMPv3 are included with source code. Utilities like MIB browser, Trap Checker and Script Generator, along with scripting support for Telnet and Serial I/O is also present."

[This page is CSS2 enabled. Your browser might not fully support it]