![](../../../transparent.gif)
|
OUSPG
[This page is CSS2 enabled. Your browser might not fully support it]
PROTOS Test-Suite: c06-snmpv1
The Simple Network Management Protocol (SNMP) enables monitoring and
configuration of network nodes. The venerable SNMP is almost
omni-present amongst a wide variety networked devices ranging from
Internet gateways to information appliances.
The SNMP version one (SNMPv1) was chosen as the subject protocol for
vulnerability assessment through syntax testing and test-suite
creation.
A survey of the related standards was made. Test-material was prepared
and tests were carried out against a sample set of existing
implementations. Results were gathered and reported.
Many of the implementations available for evaluation failed to perform
in a robust manner under test. Some failures had information
security implications, and should be considered as vulnerabilities.
In order to achieve a robustness baseline for SNMPv1 products this
test-material should be adopted for their evaluation and development.
This test-suite is a byproduct of the
"PROTOS - Security Testing of Protocol Implementations" project.
Important: Background, goals, limitations,
terminology and licensing for this test-suite release are explained in
the
"Test-suite releases in Theory and Practice"
document.
This test-suite covers a limited set of information security and
robustness related implementation errors for a subset of the chosen
protocol. The subject protocol and the chosen subset of it are
illustrated in the "Analysis" section below.
"SNMP is a communication protocol that has gained widespread
acceptance since 1993 as a method of managing TCP/IP works, including
individual network devices, and devices in aggregate. SNMP was
developed by the IETF (Internet Engineering Task Force), and is
applicable to any TCP/IP network, as well as other types of networks."
- Open Directory Project [1]
"The Internet Activities Board recommends that all IP and TCP
implementations be network manageable." - RFC1157 [2]
The purpose of this test-suite is to evaluate implementation level
security and robustness of Simple Network Management
Protocol (SNMP) implementations. The factors behind choosing
SNMP included:
-
SNMP is widely adopted for managing IP networks, including individual
network devices, and devices in aggregate. In other words - there are
plenty of different implementations and a myriad of installations.
Moreover, even if the SNMP is not in active use inside a network, it
may be lying dormant on individual devices by virtue of being included
in default configurations.
-
A SNMP manageable devices may be critical for the network
infrastructure. Even a denial-of-service attack against such of a
device may have serious implications. Therefore locating and fixing
common implementation errors should be encouraged.
-
Robustness problems in decoding exceptional BER encoding may lead to
situation where application level authentication based access control
is ineffective since errors may reside in code that will be involved
in parsing the packets before authentication takes place.
-
Since SNMP has been around for a relatively long time implementations
should have had time to mature, making them more robust against
implementation type errors. Evaluating such mature products should
provide us useful feedback on the current state of implementation
level robustness in general.
In this test-suite, the focus was set on the certain protocol data
units (PDUs), namely requests (GetRequest, GetNextRequest and
SetRequest) and traps. The protocol version one (SNMPv1)
was chosen. Rationale behind these selections:
-
SNMP agents and trap-aware SNMP managers are by design ready to accept
incoming requests and traps without prior session setup. These expose
a natural attack vector that should be scrutinized with top priority.
-
All SNMP implementations must support SNMPv1. Moreover, newer versions
of the protocol (SNMPv2[p,c,u] and SNMPv3) should be considered as
protocols of their own due to the changes in the management paradigm.
-
SNMPv1 has a less complicated structure in comparison to the newer
versions. This enables us to concentrate on other things than the
protocol specification. Thus, we could expect a test-suite of good
quality and coverage.
-
Although SNMPv1 is a venerable protocol, it has no popular and public
syntax testing material aimed against robustness problems.
-
Due the widespread nature of SNMPv1, there are plenty of
implementations by several vendors available for testing, including
equipment that are a critical part of the core Internet
infrastructure.
In order to understand the typical deployment scenarios of SNMPv1,
some guidelines for securing specific SNMP implementations were
reviewed (see Appendix A). Typical
recommendations are summarized below in no particular order:
- A. Choose non-default community names.
- B. Apply perimeter filtering to SNMP traffic.
- C. Apply SNMP device based network access control to filter the traffic.
- D. Isolate SNMP into a separate management VLAN.
- E. Disable the SNMP functionality if it is not needed.
Assuming recommendation (A) to be the most widely adopted measure, the
impact of new potential SNMPv1 vulnerabilities can be roughly
categorised based on the dependency on the need-to-know the chosen
community names (the authentication scheme). A vulnerability can
occur:
- 1. independently of the community name (greatest impact)
- 2. with a known read-only community name
- 3. with a known read-write community name (smallest impact)
The second category was chosen as the initial test-strategy. If a
vulnerability is discovered by using a known read-only community name,
then it will be verified in context where a correct community name is
unknown. Many SNMPv1 implementations appear to use default community
names that are well-known, such as 'public'. This fact increases the
impact of vulnerabilities in the last two categories.
A survey of pre-existing test-suites was made (see Appendix B). None of the identified test-suites
were found to be robustness related, and thus do not contribute in
this context.
The available standards specifying the selected protocol have to be
studied, and analysed. The relevant protocol specifications are listed
in the table below.
Only the relevant SNMP specifications are listed. Several
specifications regarding newer SNMP versions and extensions are left
out but are available from IETF. [3]
SNMPv1 Standard survey
Name
| Document Date
| Organization
| Status
| Link
| Description
|
RFC1155
| 1990-05
| IETF
| RFC
| (link)
| Structure and Identification of Management Information for TCP/IP-based Internets
|
RFC1156
| 1990-05
| IETF
| RFC
| (link)
| Management Information Base for Network Management of TCP/IP-based internet
|
RFC1157
| 1990-05
| IETF
| RFC
| (link)
| Simple Network Management Protocol (SNMP)
|
RFC1215
| 1991-03
| IETF
| RFC
| (link)
| A Convention for Defining Traps for use with the SNMP
|
RFC1270
| 1991-11
| IETF
| RFC
| (link)
| SNMP Communications Services
|
RFC1352
| 1992-07
| IETF
| RFC
| (link)
| SNMP Security Protocols
|
RFC2570
| 1999-04
| IETF
| RFC
| (link)
| Introduction to SNMPv3 framework - overall roadmap
|
For further study, a selection of practical material on SNMPv1 and
related issues is given below:
- comp.protocols.snmp SNMP FAQ [4]
- TCP/IP Illustrated, Volume 1 by Stevens [5]
- ASN.1 Complete by Prof. Larmouth [6]
A survey of available implementations is conducted. This should
include a diverse selection of implementations in order to gain a
better insight into the applications implementing the protocol, and to
give a hint of the impact of the potential vulnerabilities. Typically,
not all implementations are available for testing, and thus cannot be
tested by the project personnel within this test-suite prerelease
phase.
No sample list of implementations is presented herein. A large
number of vendors include SNMPv1 support in their products for either
manager or agent functionality. A list of vendors with SNMPv1 enabled
products may include at least
3Com,
Alcatel,
Amber Networks,
Arbor,
Banyan Networks,
Canon,
Cisco,
Compaq,
Computer Associates,
D-Link,
Dell,
Digi,
Ericsson,
Extreme networks,
F5,
Foundry,
Fujitsu Siemens,
HP,
Hitachi,
IBM,
ICL,
Intel,
Juniper Networks,
Lantronix,
Laurel,
Lotus
Lucent,
Marconi-Fore,
Microsoft,
Multitech,
NET-SNMP,
NetGear,
Nokia,
Nortel,
Novell,
SMC,
Shiva,
Siemens,
Sumimoto,
Sun Microsystems,
Telebit,
Teledat,
Windriver,
Xerox,
Xylan,
Zyxel and many others.
Myriad of products with built-in SNMPv1 support include different
models of:
-
managed network building blocks: bridges, hubs, routers, switches,
media converters, UPSes, WLAN access points
-
managed network access equipment: cable modems, xDSL equipment,
remote access servers
- security products: firewalls, anti-virus frameworks, network analyzers
- networked printers/copiers, networked cameras, networked image-scanners
- managed software components: databases, backup software
- network management frameworks
- operating systems
- networked instruments: oscilloscopes, medical imaging units
- industrial automation equipment: manufacturing, processing ...
Some specific SNMP implementations and related information may be
found from the following resources:
- The Simpleweb [7]
- SNMPLink [8]
- SNMPWorld [9]
- comp.protocols.snmp SNMP FAQ [4]
A subset of the implementations was chosen as a sample set to be
tested during the test-suite creation and pre-release phases. Most
likely reasons for omission of a specific product from the sample set
include:
- no evaluation copy of product was available
- or evaluation copy had a restrictive licence prohibiting evaluation
- or we were not aware of the product
The injection vector survey, or delivery vector survey, analyses the
different methods of delivering the test-cases to the implementations
under test (IUT). Often, there are several methods of injection and
one test-suite cannot cover them all, or might miss some vectors not
available in all implementations.
Injection vector survey
Application protocol
| Transport protocol
| Packet
|
SNMPv1 Requests
| UDP (port 161)
| GetRequest/GetNextRequest/SetRequest PDUs to an agent
|
SNMPv1 Responses
| UDP
| Responses for Request PDUs
|
SNMPv1 Traps
| UDP (port 162)
| Trap-PDUs to a manager (trap listener)
|
The core specification(s) of the SNMPv1 protocol indicate that UDP
over IP is used to transfer SNMPv1 protocol data units (PDU) although
the mechanisms of the SNMP are generally suitable for use with a wide
variety of transport services. For example RFC1089, RFC1161 and
RFC1298 describe the means of transferring SNMPv1 messages over
protocols other than UDP over IP. However the UDP over IP is the most
used scheme. Hence, the selected UDP delivery vector should provide
successful injection of test-cases to all chosen implementations.
The SNMP architecture is illustrated in the figure below. The figure
identifies two major roles (Manager and Agent) and two communication
channels (UDP port 161 and UDP port 162).
Figure: Simplified SNMP architecture
SNMP managers can be anything from monolithic GUI based management
frameworks to individual console applications that communicate over
network using SNMPv1 protocol. There are also specific trap listeners
for logging and dispatching incoming trap event messages.
SNMP agents can either work alone or with sub-agents. When sub-agents
are present, the agent that listens for SNMPv1 requests from managers
is called a master agent. The master agent forwards a received request
to corresponding sub-agents. This communication may be done using a
special sub-agent protocol. If the sub-agent does not respond directly
to the requester, then the master agent may be involved in converting
the response into SNMPv1 and delivering it to the manager. The master
agent may be completely transparent to the manager.
"A master agent provides access to SNMP variables that may be provided
by one or more subagents. The master agent usually uses a subagent
protocol (AgentX, DPI, SMUX, EMANATE, ...) to interact with the
subagents. One of the key features of such an extensible agent is
that it is complete transparent to the manager." - SNMP FAQ
[4]
A SNMP proxy agent is an element capable of acting as gateway to the
other management agents. Proxies could be used to map different
management protocols and to pass through an application level
firewall.
"The current definition of a proxy SNMP agent is an agent which acts
like a gateway to other SNMP agents. This can be useful in order to
pass firewalls or to map SNMP protocol versions. Such a proxy is
however not transparent to the manager since the manager usually
has to select special parameters to address the target agent through
the proxy." - SNMP FAQ
[4]
Protocol data unit specifications are used as a basis for generating
the test-cases. Starting point for the design of the test-suite is to
acquire or create a machine-readable representation of the protocol
specification. The test-tool developed in this project uses a custom
dialect of BNF (Backus-Naur Form). The BNF is capable of
describing context-free syntax of a specification, but is not usually
enough for the PDU generation. The specification is completed by
semantic rules which semantically extend the BNF and
communication rules which provide communication channels
with external components. Rules are implemented in Java.
In this test-suite, a BNF presentation of SNMPv1 packet types was
needed. Since SNMPv1 specification uses ASN.1 notation, the relevant
ASN.1 specifications were manually converted into BNF.
An exceptional element is a piece of data designed to
provoke undesired behavior of the subject implementation. A single
test-case contains one or more exceptional elements. An exceptional
element can be illegal according to protocol specification, but often
it is legal or in the hazy region between legal and illegal
constructs. In a nutshell, an exceptional element is an input that
might not have been considered properly when implementing the
software.
ASN.1 Basic Encoding Rules (BER) are used along the SNMPv1
specification to resolve the actual representation of the PDUs.
Namely constructed types, field lengths, integers, strings and object
identifiers are encoded using BER.
The application logic of a SNMPv1 agent receives data objects from a
BER decoder, acts according the requests, and replies to the manager
though a BER encoder. A SNMPv1 manager sends requests and listens for
replies and trap messages. One might suppose that the use of ASN.1/BER
protects the application logic from malformed input. However, any
exceptional input which is correctly encoded will pass to the
application logic.
The following table lists the categories of the exceptional elements
designed for the test-material:
Exceptional element categories
Name
| Description
|
E-01
| Invalid BER length (L) fields. The first part of this group contains valid encodings of exceptional values, while the other part contains invalid length of length BER encodings
|
E-02
| Exceptional elements for Class tags: Universal, Application, Context-specific, Private
|
E-04
| Exceptional elements for BER's T fields number field
|
E-05
| Mostly invalid encodings for BER NULL type
|
E-06
| Mostly invalid encodings for BER BOOLEAN type
|
E-07
| Mostly invalid encodings for BER INTEGER type
|
E-08
| Mostly invalid encodings for BER OCTETSTRING type
|
E-09
| Mostly invalid encodings for BER BITSTRING type
|
E-10
| Mostly invalid encodings for BER SEQUENCE-OF type
|
E-11
| Mostly invalid encodings for BER SET-OF type
|
E-12
| Mostly invalid encodings for BER OBJECT-IDENTIFIER type
|
E-13
| Mostly invalid encodings for BER REAL type
|
E-14
| Mostly invalid encodings for BER ENUMERATED type
|
E-15
| Total garbage with semi correct BER encodings
|
E-16
| BER elements of PDU totally removed one at a time
|
E-17
| Invalid extra data inserted in different parts of the PDU
|
I-01
| Overflows with multiple zeroes and integer coded format strings
|
I-02
| Overflow integers: various very big integers from (+/-)1 to magnitudes (+/-)2^256 and above
|
I-03
| Large boundaric integer values (ie. (2^32)+-1, (2^64)+-1,...)
|
I-04
| SetRequest(3) and Trap(4) PDU types in SNMP messages are replaced with big integers (ie. (2^32)+3, (2^56)+3, (2^64)+3,...)
|
B-01
| Legal values (0x01 - 0x05) for ErrorStatus defined in RFC1157
|
O-01
| General overflow strings consisting of for example from long strings of character 'a'
|
O-02
| Long exceptional strings applied after community name public as VLAN name (ie. public@vlan0). Strings include multiples of 'a', "%s", '0', etc.
|
O-03
| Overflows with null terminator (0x00) inserted at their beginning
|
O-04
| Overflows with null terminator (0x00) inserted in their midst
|
F-01
| Format strings of type "%s", "%s%n%x", "%.999d", "*.*d" and their variants
|
F-02
| Community-specific format strings applied with community name public, ie. "public%s"
|
O-05
| Object-identifier exceptional elements. Very long OIDs, OIDs with extremely big (ie. negative) branches
|
O-06
| Object identifiers for sys.sysDescr, sys.sysName, if.ifNumber if.ifIndex with no, or invalid indexes
|
O-07
| multiple (empty) VarBind entries. OIDs used in VarBind entries are if.ifIndex for Trap-PDU's and sys.sysName for other PDU types
|
O-08
| multiple VarBind entries with short format string ("%s%s%s") as value. OIDs used in VarBind entries are if.ifIndex for Trap-PDU's and sys.sysName for other PDU types.
|
M-01
| Zero length (null) data applied as a value of every BER element of PDU
|
Legend:
- B: Bit pattern exceptions
- E: BER encoding exceptions
- F: Format string exceptions
- I: Integer value exceptions
- M: Missing symbol exceptions
- O: Overflow exceptions
In "Encoding Exceptions" (letter E), exceptional ASN.1/BER elements
are exercised. The purpose is to test the robustness of the BER
decoder of the tested SNMPv1 implementation.
In "Application Exceptions" (other letters), correctly formatted
ASN.1/BER elements contain exceptional data objects. The purpose is to
test the robustness of the application logic of the SNMPv1
implementation.
The tests are divided into four separate test-material packages. Each
test-material package consists of a certain amount of test-cases. The
test-cases are organized into test-groups so that similar kind of
cases reside in a same group. Details for each package are presented
below.
10601 test-cases: GetRequest, GetNextRequest and SetRequest PDUs with
application exceptions
Test-groups in req-app
Name
| Category
| First index #
| Test-cases
|
zero-case-get-req
| valid
| 0
| 1
|
zero-case-get-next-req
| valid
| 1
| 1
|
zero-case-set-req
| valid
| 2
| 1
|
get-req-version-integer
| I-01, I-02, I-03
| 3
| 374
|
get-req-requestid-integer
| I-01, I-02, I-03
| 377
| 374
|
get-req-errorstatus-integer
| I-01, I-02, I-03
| 751
| 374
|
get-req-errorindex-integer-big
| B-01, I-01, I-02
| 1125
| 303
|
get-req-errorindex-integer-boundary
| B-01, I-03
| 1428
| 355
|
get-req-communityname-overflow
| O-01
| 1783
| 111
|
get-req-communityname-overflow-fmtstring
| F-01, F-02
| 1894
| 82
|
get-req-communityname-overflow-extra-null
| O-03, O-04
| 1976
| 109
|
get-req-communityname-vlan-overflow
| O-02
| 2085
| 244
|
get-req-varb-objectname-oid
| O-05
| 2329
| 64
|
get-req-varb-objectname-oid-with-fmtstring
| O-05, F-01
| 2393
| 64
|
get-req-varb-objectname-oid-invalid-index
| O-06
| 2457
| 88
|
get-req-varb-sysname-string-overflow
| O-01
| 2545
| 111
|
get-req-varb-sysname-string-overflow-fmtstring
| F-01
| 2656
| 36
|
get-req-varb-sysname-string-overflow-extra-null
| O-03, O-04
| 2692
| 109
|
get-req-varb-sysname-object-oid
| O-05
| 2801
| 64
|
get-req-varb-sysname-number-integer
| I-01, I-02, I-03
| 2865
| 374
|
get-req-varb-sysname-address-integer-small
| I-01
| 3239
| 33
|
get-req-varb-sysname-counter-integer
| I-01, I-02, I-03
| 3272
| 374
|
get-req-varb-sysname-gauge-integer
| I-01, I-02, I-03
| 3646
| 374
|
get-req-varb-sysname-timeticks-integer
| I-01, I-02, I-03
| 4020
| 374
|
get-req-varb-sysname-opaque-integer
| I-01, I-02, I-03
| 4394
| 374
|
get-req-varb-multiple
| O-07, O-08
| 4768
| 34
|
get-req-missing-data
| M-01
| 4802
| 15
|
getn-req-errorstatus-integer
| I-01, I-02, I-03
| 4817
| 374
|
getn-req-errorindex-integer-big
| B-01, I-01, I-02
| 5191
| 303
|
getn-req-errorindex-integer-boundary
| B-01, I-03
| 5494
| 355
|
getn-req-varb-objectname-oid
| O-05
| 5849
| 64
|
getn-req-varb-objectname-oid-with-fmtstring
| O-05, F-01
| 5913
| 64
|
getn-req-varb-objectname-oid-invalid-index
| O-06
| 5977
| 88
|
getn-req-varb-multiple
| O-07, O-08
| 6065
| 34
|
getn-req-missing-data
| M-01
| 6099
| 15
|
set-req-errorstatus-integer
| I-01, I-02, I-03
| 6114
| 374
|
set-req-errorindex-integer-big
| B-01, I-01, I-02
| 6488
| 303
|
set-req-errorindex-integer-boundary
| B-01, I-03
| 6791
| 355
|
set-req-communityname-overflow
| O-01
| 7146
| 111
|
set-req-communityname-overflow-fmtstring
| F-01, F-02
| 7257
| 82
|
set-req-communityname-overflow-extra-null
| O-03, O-04
| 7339
| 109
|
set-req-communityname-vlan-overflow
| O-02
| 7448
| 244
|
set-req-varb-objectname-oid
| O-05
| 7692
| 128
|
set-req-varb-objectname-oid-with-fmtstring
| O-05, F-01
| 7820
| 64
|
set-req-varb-objectname-oid-invalid-index
| O-06
| 7884
| 176
|
set-req-varb-sysdescr-string-overflow
| O-01
| 8060
| 111
|
set-req-varb-sysdescr-string-overflow-fmtstring
| F-01
| 8171
| 36
|
set-req-varb-sysdescr-string-overflow-extra-nul
| O-03, O-04
| 8207
| 109
|
set-req-varb-sysname-string-overflow
| O-01
| 8316
| 111
|
set-req-varb-sysname-string-overflow-fmtstring
| F-01
| 8427
| 36
|
set-req-varb-sysname-string-overflow-extra-null
| O-03, O-04
| 8463
| 109
|
set-req-varb-sysname-object-oid
| O-05
| 8572
| 64
|
set-req-varb-sysname-number-integer
| I-01, I-02, I-03
| 8636
| 374
|
set-req-varb-sysname-address-integer-small
| I-01
| 9010
| 33
|
set-req-varb-sysname-counter-integer
| I-01, I-02, I-03
| 9043
| 374
|
set-req-varb-sysname-gauge-integer
| I-01, I-02, I-03
| 9417
| 374
|
set-req-varb-sysname-timeticks-integer
| I-01, I-02, I-03
| 9791
| 374
|
set-req-varb-sysname-opaque-integer
| I-01, I-02, I-03
| 10165
| 374
|
set-req-varb-multiple
| O-07, O-08
| 10539
| 34
|
set-req-missing-data
| M-01
| 10573
| 15
|
set-req-request-type-shadow
| I-04
| 10588
| 13
|
Legend:
-
Name column presents the tag-names of the test-groups. Tags map in
some extent to field names in SNMPv1 PDUs defined in RFC1157. Tags can
be used to follow which parts of the PDU are being tested, and how.
For example, get-req-communityname-overflow indicates that
exceptional elements aiming to reveal buffer overflow vulnerabilities
are inserted to the Community-field of the GetRequest-PDU.
-
Category column describes which exceptional element categories are
integrated in the test-group. Ie. category O-01 in above example is
deduced from this column.
-
"Test-cases" and "First index #" columns describe how many test-cases
belong to the test-group, describing the first test-case number, and
the number of cases from there on.
18915 test-cases: GetRequest, GetNextRequest and SetRequest PDUs with
encoding exceptions
Test-groups in req-enc
Name
| Category
| First index #
| Test-cases
|
zero-case-get-req
| valid
| 0
| 1
|
zero-case-get-next-req
| valid
| 1
| 1
|
zero-case-set-req
| valid
| 2
| 1
|
get-req-ber-t-class
| E-02
| 3
| 76
|
get-req-ber-t-number
| E-04
| 79
| 516
|
get-req-ber-l-length
| E-01
| 595
| 1180
|
get-req-ber-tlv-NULL
| E-05
| 1775
| 288
|
get-req-ber-tlv-BOOLEAN
| E-06
| 2063
| 336
|
get-req-ber-tlv-INTEGER
| E-07
| 2399
| 360
|
get-req-ber-tlv-OCTETSTRING
| E-08
| 2759
| 264
|
get-req-ber-tlv-BITSTRING
| E-09
| 3023
| 264
|
get-req-ber-tlv-REAL
| E-13
| 3287
| 624
|
get-req-ber-tlv-OBJECT-IDENTIFIER
| E-12
| 3911
| 456
|
get-req-ber-tlv-SEQUENCE-OF
| E-10
| 4367
| 480
|
get-req-ber-tlv-SET-OF
| E-11
| 4847
| 384
|
get-req-ber-tlv-ENUMERATED
| E-14
| 5231
| 290
|
get-req-ber-tlv-noise
| E-15
| 5521
| 790
|
get-req-extra-data-inside
| E-17
| 6311
| 252
|
get-req-extra-data-inside-varbind
| E-17
| 6563
| 378
|
get-req-extra-data-outside
| E-17
| 6941
| 63
|
get-req-missing-field
| E-16
| 7004
| 11
|
getn-req-ber-t-class
| E-02
| 7015
| 68
|
getn-req-ber-t-number
| E-04
| 7083
| 430
|
getn-req-ber-l-length
| E-01
| 7513
| 1003
|
getn-req-ber-tlv-NULL
| E-05
| 8516
| 216
|
getn-req-ber-tlv-BOOLEAN
| E-06
| 8732
| 252
|
getn-req-ber-tlv-INTEGER
| E-07
| 8984
| 270
|
getn-req-ber-tlv-OCTETSTRING
| E-08
| 9254
| 192
|
getn-req-ber-tlv-BITSTRING
| E-09
| 9446
| 198
|
getn-req-ber-tlv-REAL
| E-13
| 9644
| 468
|
getn-req-ber-tlv-OBJECT-IDENTIFIER
| E-12
| 10112
| 342
|
getn-req-ber-tlv-SEQUENCE-OF
| E-10
| 10454
| 360
|
getn-req-ber-tlv-SET-OF
| E-11
| 10814
| 288
|
getn-req-ber-tlv-ENUMERATED
| E-14
| 11102
| 261
|
getn-req-ber-tlv-noise
| E-15
| 11363
| 711
|
getn-req-extra-data-inside
| E-17
| 12074
| 252
|
getn-req-extra-data-inside-varbind
| E-17
| 12326
| 378
|
getn-req-extra-data-outside
| E-17
| 12704
| 63
|
getn-req-missing-field
| E-16
| 12767
| 9
|
set-req-ber-t-class
| E-02
| 12776
| 68
|
set-req-ber-t-number
| E-04
| 12844
| 430
|
set-req-ber-l-length
| E-01
| 13274
| 1003
|
set-req-ber-tlv-NULL
| E-05
| 14277
| 216
|
set-req-ber-tlv-BOOLEAN
| E-06
| 14493
| 252
|
set-req-ber-tlv-INTEGER
| E-07
| 14745
| 270
|
set-req-ber-tlv-OCTETSTRING
| E-08
| 15015
| 192
|
set-req-ber-tlv-BITSTRING
| E-09
| 15207
| 198
|
set-req-ber-tlv-REAL
| E-13
| 15405
| 468
|
set-req-ber-tlv-OBJECT-IDENTIFIER
| E-12
| 15873
| 342
|
set-req-ber-tlv-SEQUENCE-OF
| E-10
| 16215
| 360
|
set-req-ber-tlv-SET-OF
| E-11
| 16575
| 288
|
set-req-ber-tlv-ENUMERATED
| E-14
| 16863
| 261
|
set-req-ber-tlv-noise
| E-15
| 17124
| 711
|
set-req-extra-data-inside
| E-17
| 17835
| 252
|
set-req-extra-data-inside-varbind
| E-17
| 18087
| 756
|
set-req-extra-data-outside
| E-17
| 18843
| 63
|
set-req-missing-field
| E-16
| 18906
| 9
|
Legend: [see first test-group table above]
15323 test-cases: Trap PDUs with application exceptions
Test-groups in trap-app
Name
| Category
| First index #
| Test-cases
|
trap-coldstart-valid
| valid
| 0
| 1
|
trap-warmstart-valid
| valid
| 1
| 1
|
trap-linkdown-valid
| valid
| 2
| 1
|
trap-linkup-valid
| valid
| 3
| 1
|
trap-authenticationfailure-valid
| valid
| 4
| 1
|
trap-egbneighborloss-valid
| valid
| 5
| 1
|
trap-request-type-shadow
| I-04
| 6
| 13
|
trap-version-integer
| I-01, I-02, I-03
| 19
| 284
|
trap-communityname-overflow
| O-01
| 303
| 111
|
trap-communityname-overflow-fmtstring
| F-01, F-02
| 414
| 82
|
trap-communityname-overflow-extra-null
| O-03, O-04
| 496
| 79
|
trap-communityname-vlan-overflow
| O-02
| 575
| 244
|
trap-enterprise-oid
| O-05
| 819
| 64
|
trap-enterprise-oid-invalid-index
| O-06
| 883
| 86
|
trap-agent-addr-integer
| I-01, I-02, I-03
| 969
| 284
|
trap-generic-trap-integer
| I-01, I-02, I-03
| 1253
| 284
|
trap-specific-trap-integer
| I-01, I-02, I-03
| 1537
| 284
|
trap-time-stamp-integer
| I-01, I-02, I-03
| 1821
| 284
|
trap-start-varb-objectname-oid
| O-05
| 2105
| 128
|
trap-start-varb-objectname-oid-invalid-index
| O-06
| 2233
| 172
|
trap-start-varb-objectsyntax-string-overflow
| O-01
| 2405
| 222
|
trap-start-varb-objectsyntax-string-overflow-fmtstring
| F-01
| 2627
| 72
|
trap-start-varb-objectsyntax-string-overflow-extra-null
| O-03, O-04
| 2699
| 158
|
trap-start-varb-objectsyntax-object-oid
| O-05
| 2857
| 128
|
trap-start-varb-objectsyntax-number-integer
| I-01, I-02, I-03
| 2985
| 568
|
trap-start-varb-objectsyntax-networkaddress-integer
| I-01, I-02, I-03
| 3553
| 568
|
trap-start-varb-objectsyntax-counter-integer
| I-01, I-02, I-03
| 4121
| 568
|
trap-start-varb-objectsyntax-gauge-integer
| I-01, I-02, I-03
| 4689
| 568
|
trap-start-varb-objectsyntax-timeticks-integer
| I-01, I-02, I-03
| 5257
| 568
|
trap-start-varb-objectsyntax-opaque-integer
| I-01, I-02, I-03
| 5825
| 568
|
trap-start-varb-multiple
| O-07, O-08
| 6393
| 68
|
trap-start-missing-data
| M-01
| 6461
| 32
|
trap-link-varb-objectname-oid
| O-05
| 6493
| 128
|
trap-link-varb-objectname-oid-invalid-index
| O-06
| 6621
| 172
|
trap-link-varb-objectsyntax-string-overflow
| O-01
| 6793
| 224
|
trap-link-varb-objectsyntax-string-overflow-fmtstring
| F-01
| 7017
| 72
|
trap-link-varb-objectsyntax-string-overflow-extra-null
| O-03, O-04
| 7089
| 158
|
trap-link-varb-objectsyntax-object-oid
| O-05
| 7247
| 128
|
trap-link-varb-objectsyntax-number-integer
| I-01, I-02, I-03
| 7375
| 568
|
trap-link-varb-objectsyntax-networkaddress-integer
| I-01, I-02, I-03
| 7943
| 568
|
trap-link-varb-objectsyntax-counter-integer
| I-01, I-02, I-03
| 8511
| 568
|
trap-link-varb-objectsyntax-gauge-integer
| I-01, I-02, I-03
| 9079
| 568
|
trap-link-varb-objectsyntax-timeticks-integer
| I-01, I-02, I-03
| 9647
| 568
|
trap-link-varb-objectsyntax-opaque-integer
| I-01, I-02, I-03
| 10215
| 568
|
trap-link-varb-multiple
| O-07, O-08
| 10783
| 68
|
trap-link-missing-data
| M-01
| 10851
| 32
|
trap-authfail-varb-objectname-oid
| O-05
| 10883
| 64
|
trap-authfail-varb-objectname-oid-invalid-index
| O-06
| 10947
| 86
|
trap-authfail-varb-objectsyntax-string-overflow
| O-01
| 11033
| 112
|
trap-authfail-varb-objectsyntax-string-overflow-fmtstring
| F-01
| 11145
| 36
|
trap-authfail-varb-objectsyntax-string-overflow-extra-null
| O-03, O-04
| 11181
| 79
|
trap-authfail-varb-objectsyntax-object-oid
| O-05
| 11260
| 64
|
trap-authfail-varb-objectsyntax-number-integer
| I-01, I-02, I-03
| 11324
| 284
|
trap-authfail-varb-objectsyntax-networkaddress-integer
| I-01, I-02, I-03
| 11608
| 284
|
trap-authfail-varb-objectsyntax-counter-integer
| I-01, I-02, I-03
| 11892
| 284
|
trap-authfail-varb-objectsyntax-gauge-integer
| I-01, I-02, I-03
| 12176
| 284
|
trap-authfail-varb-objectsyntax-timeticks-integer
| I-01, I-02, I-03
| 12460
| 284
|
trap-authfail-varb-objectsyntax-opaque-integer
| I-01, I-02, I-03
| 12744
| 284
|
trap-authfail-varb-multiple
| O-07, O-08
| 13028
| 34
|
trap-authfail-missing-data
| M-01
| 13062
| 16
|
trap-neighloss-varb-objectname-oid
| O-05
| 13078
| 64
|
trap-neighloss-varb-objectname-oid-invalid-index
| O-06
| 13142
| 86
|
trap-neighloss-varb-objectsyntax-string-overflow
| O-01
| 13228
| 112
|
trap-neighloss-varb-objectsyntax-string-overflow-fmtstring
| F-01
| 13340
| 36
|
trap-neighloss-varb-objectsyntax-string-overflow-extra-null
| O-03, O-04
| 13376
| 79
|
trap-neighloss-varb-objectsyntax-object-oid
| O-05
| 13455
| 64
|
trap-neighloss-varb-objectsyntax-number-integer
| I-01, I-02, I-03
| 13519
| 284
|
trap-neighloss-varb-objectsyntax-networkaddress-integer
| I-01, I-02, I-03
| 13803
| 284
|
trap-neighloss-varb-objectsyntax-counter-integer
| I-01, I-02, I-03
| 14087
| 284
|
trap-neighloss-varb-objectsyntax-gauge-integer
| I-01, I-02, I-03
| 14371
| 284
|
trap-neighloss-varb-objectsyntax-timeticks-integer
| I-01, I-02, I-03
| 14655
| 284
|
trap-neighloss-varb-objectsyntax-opaque-integer
| I-01, I-02, I-03
| 14939
| 284
|
trap-neighloss-varb-multiple
| O-07, O-08
| 15223
| 34
|
trap-neighloss-missing-data
| M-01
| 15257
| 16
|
trap-enterprise-varb-multiple
| O-07, O-08
| 15273
| 34
|
trap-enterprise-missing-data
| M-01
| 15307
| 16
|
Legend: [see first test-group table above]
8777 test-cases: Trap PDUs with encoding exceptions
Test-groups in trap-enc
Name
| Category
| First index #
| Test-cases
|
trap-coldstart-valid
| valid
| 0
| 1
|
trap-warmstart-valid
| valid
| 1
| 1
|
trap-linkdown-valid
| valid
| 2
| 1
|
trap-linkup-valid
| valid
| 3
| 1
|
trap-authenticationfailure-valid
| valid
| 4
| 1
|
trap-egbneighborloss-valid
| valid
| 5
| 1
|
trap-ber-t-class
| E-02
| 6
| 84
|
trap-ber-t-number
| E-04
| 90
| 559
|
trap-ber-l-length
| E-01
| 649
| 1298
|
trap-ber-tlv-NULL
| E-05
| 1947
| 312
|
trap-ber-tlv-BOOLEAN
| E-06
| 2259
| 364
|
trap-ber-tlv-INTEGER
| E-07
| 2623
| 390
|
trap-ber-tlv-OCTETSTRING
| E-08
| 3013
| 312
|
trap-ber-tlv-BITSTRING
| E-09
| 3325
| 286
|
trap-ber-tlv-REAL
| E-13
| 3611
| 676
|
trap-ber-tlv-OBJECT-IDENTIFIER
| E-12
| 4287
| 494
|
trap-ber-tlv-SEQUENCE-OF
| E-10
| 4781
| 520
|
trap-ber-tlv-SET-OF
| E-11
| 5301
| 416
|
trap-ber-tlv-ENUMERATED
| E-14
| 5717
| 348
|
trap-ber-tlv-noise
| E-15
| 6065
| 936
|
trap-extra-data-inside
| E-17
| 7001
| 756
|
trap-extra-data-inside-varbind
| E-17
| 7757
| 756
|
trap-extra-data-outside
| E-17
| 8513
| 252
|
trap-missing-field
| E-16
| 8765
| 12
|
Legend: [see first test-group table above]
All test-cases have been initialized with default values listed below.
One or more of the listed values are altered when exceptional elements
are applied to the PDU.
Default values used in req-app and req-enc:
- Version: 0
- Community: "public"
- PDU-Type: GetRequest | GetNextRequest | SetRequest
- RequestID: test-case index
- ErrorStatus: 0
- ErrorIndex: 0
- Single VarBind:
- ObjectName: sys.SysName (1.3.6.1.2.1.1.5.0)
- ObjectSyntax: empty (GetRequest, GetNextRequest) | 'c06-snmpv1'
(SetRequest)
Default values used in trap-app and trap-enc:
- Version: 0
- Community: "public"
- PDU-Type: Trap
- Enterprise: unix.agents.fourBSD-isode.21 (1.3.6.1.4.1.4.1.2.21)
- Agent-addr: 127.0.0.1
- Generic-trap: ColdStart (0x00)
- Specific-trap: 0x00
- Time-stamp: test-case index
- Single VarBind:
- ObjectName: if.ifNumber (1.3.6.1.2.1.2.1.0)
- ObjectSyntax: 0x21
The test-tool provides communication rules for test-case
injection. SNMPv1 PDUs can be injected using a simple UDP
injector. Optionally, responses from the subject can be monitored.
The test-tool provides semantic rules as method for
augmenting the (already extended) BNF specification.
SNMPv1 requires use of the basic encoding rules (BER) for
formatting octets sent over the UDP over IP connection. BER is a
simple encoding method and can be modeled with BNF except for the
length fields. Semantic rules for encoding/decoding BER Integers and
Object-Identifiers were developed for this test-suite.
With instrumentation on the target platform we are able to monitor for
undesired behavior of the subject implementation. Typically this
manifests as exceptions or signals such as 'access violation' or
'segmentation fault'. Unfortunately, the modern trend of abusing the
try-catch -type of constructs easily masks the exceptions
generated by stack and memory corruption. Catching these hidden
exceptions relies on the debugging skills of the developers
themselves.
Zero-case instrumentation will be bundled with the test-material. In
this rather crude method, a valid PDU (zero-case) that should result
in a valid reply is sent to the subject between real test-cases until
a response is received. Hence, if no response from the subject is
detected, it has failed. This method is especially convenient when
testing black-box hardware implementations. Unfortunately, zero-case
instrumentation is not available with Trap-PDUs since implementations
should never reply to the received traps.
Test-runs were conducted against the chosen set of sample
implementations. Specifications, exceptional elements, semantic
rules, injectors and instrumentation were integrated as a test-tool
configuration to enable automatic execution of the tests.
Results from the test-runs are summarised herein. Tables below
represent the observations from feeding the test-material against the
chosen subject software. Product names of the actual subjects are
omitted to protect the innocent. Results are presented in a tabular
form with test-cases divided into test-groups based on the exceptional
element types utilised and PDU fields under examination.
Each failed test-case represents at minimum a denial of service type
chance of exploiting the found vulnerability. In most cases, they
represent memory corruption, stack corruption or other fatal error
conditions. Some of these may lead exposure to typical buffer
overflow exploits, allowing running of arbitrary code or modification
of the target system.
The recommendations for securing SNMP implementations presented in the
Analysis section were tried against each
sample implementation when suitable.
Changing the community name worked only for some implementations, but
not especially for those which had problems with exceptional community
names. Network access control was soon discovered to be insufficient
since UDP source address can be easily spoofed. Disabling the SNMP
functionality worked usually when there was a possibility to do
so. However, there was one implementation that continued to receive
SNMP packets even after SNMP was disabled. It did not respond to valid
SNMP requests, but crashed when certain test-cases were injected. All
sample implementations accepted SNMPv1 packets sent to the network
broadcast address, this is most likely due to nature of the typical
bind() usage with INADDR_ANY address.
In this test-suite, the 'failed' status is granted if
any of the following criteria are met and a single test-case can be
identified to be responsible of it:
-
A fatal failure is triggered in a device causing it to stop
functioning normally
-
A SNMP process or a device crashes or hangs and needs to be restarted
manually
-
A SNMP process or a device crashes and restarts automatically
-
A SNMP process consumes almost all CPU and/or memory resources for an
exceptionally long or indefinite time
If no single test-case can be identified but similar effects are
observed, the status is 'inconclusive'.
If the 'failed' status happens to be independent of SNMP community
names, it is upgraded to 'failed unconditionally'.
This is the worst status that can be given.
In some cases, the subject gets corrupted so badly or is fundamentally
so instable that there is no way to collect accurate test-results for
the whole test-run. The untested regions are marked as
'unknown'.
Otherwise, the status is 'passed'.
These tables show how effective different test-groups were in the
test-runs. A test-group is marked failed if any single case or
combination of cases cause the subject to fail. Note that if a
subject fails in a format string (fmtstring) test-group, the failure
may be triggered by a very long format string causing an overflow
condition. Should implementation have failed format string category,
but not previous overflow category, then implementation is more or
very likely to contain real format string type of vulnerability.
Observed failures for req-app test-groups
Test-group / Test-run #
| 001
| 002
| 003
| 004
| 005
| 006
| 007
| 008
|
...
| .
| .
| .
| .
| .
| .
| .
| .
|
get-req-communityname-overflow
| -
| -
| U
| -
| -
| U
| -
| -
|
get-req-communityname-overflow-fmtstring
| -
| -
| U
| -
| -
| U
| -
| -
|
get-req-communityname-overflow-extra-null
| -
| -
| U
| -
| -
| U
| -
| -
|
get-req-communityname-vlan-overflow
| -
| -
| -
| -
| -
| U
| -
| -
|
get-req-varb-objectname-oid
| X
| -
| -
| U
| -
| -
| X
| -
|
get-req-varb-objectname-oid-with-fmtstring
| X
| -
| -
| U
| -
| -
| X
| -
|
get-req-varb-objectname-oid-invalid-index
| I
| -
| -
| -
| -
| -
| -
| -
|
...
| .
| .
| .
| .
| .
| .
| .
| .
|
get-req-varb-sysname-object-oid
| -
| -
| -
| U
| -
| -
| -
| -
|
...
| .
| .
| .
| .
| .
| .
| .
| .
|
get-req-varb-multiple
| X
| -
| -
| -
| -
| -
| -
| -
|
...
| .
| .
| .
| .
| .
| .
| .
| .
|
getn-req-varb-objectname-oid
| X
| -
| -
| U
| -
| -
| X
| -
|
getn-req-varb-objectname-oid-with-fmtstring
| X
| -
| -
| U
| -
| -
| X
| -
|
getn-req-varb-objectname-oid-invalid-index
| I
| -
| -
| -
| -
| -
| -
| -
|
getn-req-varb-multiple
| X
| -
| -
| -
| -
| -
| -
| -
|
...
| .
| .
| .
| .
| .
| .
| .
| .
|
set-req-communityname-overflow
| -
| -
| U
| -
| -
| U
| -
| -
|
set-req-communityname-overflow-fmtstring
| -
| -
| U
| -
| -
| U
| -
| -
|
set-req-communityname-overflow-extra-null
| -
| -
| U
| -
| -
| U
| -
| -
|
set-req-communityname-vlan-overflow
| -
| -
| -
| -
| -
| U
| -
| -
|
set-req-varb-objectname-oid
| -
| -
| -
| U
| -
| -
| -
| -
|
set-req-varb-objectname-oid-with-fmtstring
| -
| -
| -
| U
| -
| -
| -
| -
|
...
| .
| .
| .
| .
| .
| .
| .
| .
|
set-req-varb-sysname-object-oid
| -
| -
| -
| U
| -
| -
| -
| -
|
...
| .
| .
| .
| .
| .
| .
| .
| .
|
Legend:
-
nnn: Each different test-run (tr-nnn) represents a different tested
implementation.
-
X: Verdict is failed
-
U: Verdict is failed unconditionally (no need-to-know a valid community name)
-
I: Verdict is inconclusive
-
-: Verdict is passed
Observed failures for req-enc test-groups
Test-group / Test-run #
| 001
| 002
| 003
| 004
| 005
| 006
| 007
| 008
|
...
| .
| .
| .
| .
| .
| .
| .
| .
|
get-req-ber-l-length
| -
| -
| U
| -
| X
| -
| U
| U
|
...
| .
| .
| .
| .
| .
| .
| .
| .
|
get-req-ber-tlv-OBJECT-IDENTIFIER
| -
| -
| -
| -
| -
| -
| X
| -
|
...
| .
| .
| .
| .
| .
| .
| .
| .
|
get-req-ber-tlv-noise
| -
| -
| -
| -
| -
| -
| X
| -
|
...
| .
| .
| .
| .
| .
| .
| .
| .
|
getn-req-ber-l-length
| -
| -
| U
| -
| X
| -
| X
| U
|
...
| .
| .
| .
| .
| .
| .
| .
| .
|
getn-req-ber-tlv-OBJECT-IDENTIFIER
| -
| -
| -
| -
| -
| -
| X
| -
|
...
| .
| .
| .
| .
| .
| .
| .
| .
|
getn-req-ber-tlv-noise
| -
| -
| -
| -
| -
| -
| X
| -
|
...
| .
| .
| .
| .
| .
| .
| .
| .
|
set-req-ber-t-number
| -
| -
| U
| -
| -
| -
| -
| -
|
set-req-ber-l-length
| -
| -
| U
| -
| X
| -
| -
| -
|
...
| .
| .
| .
| .
| .
| .
| .
| .
|
set-req-ber-tlv-BITSTRING
| -
| -
| U
| -
| -
| -
| -
| -
|
...
| .
| .
| .
| .
| .
| .
| .
| .
|
Legend: [see first result table above]
Observed failures for trap-app test-groups
Test-group / Test-run #
| 009
| 010
| 011
| 012
|
...
| .
| .
| .
| .
|
trap-enterprise-oid
| -
| -
| -
| I
|
...
| .
| .
| .
| .
|
trap-start-varb-objectsyntax-string-overflow
| -
| U
| U
| -
|
...
| .
| .
| .
| .
|
trap-start-varb-objectsyntax-string-overflow-extra-null
| -
| U
| -
| -
|
trap-start-varb-objectsyntax-object-oid
| U
| -
| -
| -
|
...
| .
| .
| .
| .
|
trap-start-varb-objectsyntax-opaque-integer
| -
| U
| U
| -
|
trap-start-varb-multiple
| U
| U
| -
| -
|
...
| .
| .
| .
| .
|
trap-link-varb-objectsyntax-string-overflow
| -
| U
| U
| -
|
...
| .
| .
| .
| .
|
trap-link-varb-objectsyntax-string-overflow-extra-null
| -
| U
| -
| -
|
trap-link-varb-objectsyntax-object-oid
| U
| -
| -
| -
|
...
| .
| .
| .
| .
|
trap-link-varb-objectsyntax-opaque-integer
| -
| U
| U
| -
|
trap-link-varb-multiple
| U
| U
| -
| -
|
...
| .
| .
| .
| .
|
trap-authfail-varb-objectsyntax-string-overflow
| -
| U
| U
| -
|
...
| .
| .
| .
| .
|
trap-authfail-varb-objectsyntax-string-overflow-extra-null
| -
| U
| -
| -
|
trap-authfail-varb-objectsyntax-object-oid
| U
| -
| -
| -
|
...
| .
| .
| .
| .
|
trap-authfail-varb-objectsyntax-opaque-integer
| -
| U
| U
| -
|
trap-authfail-varb-multiple
| U
| U
| -
| -
|
...
| .
| .
| .
| .
|
trap-neighloss-varb-objectsyntax-string-overflow
| -
| U
| U
| -
|
...
| .
| .
| .
| .
|
trap-neighloss-varb-objectsyntax-string-overflow-extra-null
| -
| U
| -
| -
|
trap-neighloss-varb-objectsyntax-object-oid
| U
| -
| -
| -
|
...
| .
| .
| .
| .
|
trap-neighloss-varb-objectsyntax-opaque-integer
| -
| U
| U
| -
|
trap-neighloss-varb-multiple
| U
| U
| -
| -
|
...
| .
| .
| .
| .
|
trap-enterprise-varb-multiple
| U
| U
| -
| -
|
...
| .
| .
| .
| .
|
Legend: [see first result table above]
Observed failures for trap-enc test-groups
Test-group / Test-run #
| 009
| 010
| 011
| 012
|
trap-ber-t-class
| -
| -
| U
| -
|
trap-ber-t-number
| -
| -
| U
| -
|
trap-ber-l-length
| U
| -
| U
| -
|
...
| .
| .
| .
| .
|
trap-ber-tlv-BOOLEAN
| -
| -
| U
| I
|
...
| .
| .
| .
| .
|
trap-ber-tlv-OCTETSTRING
| -
| U
| -
| -
|
trap-ber-tlv-BITSTRING
| -
| U
| U
| -
|
trap-ber-tlv-REAL
| -
| -
| U
| -
|
trap-ber-tlv-OBJECT-IDENTIFIER
| -
| U
| -
| -
|
trap-ber-tlv-SEQUENCE-OF
| -
| U
| U
| I
|
trap-ber-tlv-SET-OF
| -
| U
| U
| -
|
trap-ber-tlv-ENUMERATED
| -
| -
| U
| I
|
trap-ber-tlv-noise
| -
| -
| U
| -
|
...
| .
| .
| .
| .
|
Legend: [see first result table above]
The results are further summarised in the tables below.
Results summary for req-app
Test-run #
| Total test-cases
| Failed test-cases
| Total groups
| Failed groups
|
tr-001
| 10601
| N
| 61
| 8
|
tr-002
| 10601
| 0
| 61
| 0
|
tr-003
| 10601
| 13
| 61
| 6
|
tr-004
| 10601
| 16
| 61
| 8
|
tr-005
| 10601
| 0
| 61
| 0
|
tr-006
| 10601
| 224
| 61
| 8
|
tr-007
| 10601
| 57
| 61
| 4
|
tr-008
| 10601
| 0
| 61
| 0
|
Legend:
-
N: We were unable to determine the exact number of failures. See the
more detailed tables above.
Results summary for req-enc
Test-run #
| Total test-cases
| Failed test-cases
| Total groups
| Failed groups
|
tr-001
| 18915
| 0
| 57
| 0
|
tr-002
| 18915
| 0
| 57
| 0
|
tr-003
| 18915
| N
| 57
| 5
|
tr-004
| 18915
| 0
| 57
| 0
|
tr-005
| 18915
| 4
| 57
| 3
|
tr-006
| 18915
| 0
| 57
| 0
|
tr-007
| 18915
| N
| 57
| 5
|
tr-008
| 18915
| 10
| 57
| 2
|
Legend: [see first summary table above]
Results summary for trap-app
Test-run #
| Total test-cases
| Failed test-cases
| Total groups
| Failed groups
|
tr-009
| 15323
| N
| 76
| 9
|
tr-010
| 15323
| 166
| 76
| 17
|
tr-011
| 15323
| 12
| 76
| 8
|
tr-012
| 15323
| N
| 76
| 1
|
Legend: [see first summary table above]
Results summary for trap-enc
Test-run #
| Total test-cases
| Failed test-cases
| Total groups
| Failed groups
|
tr-009
| 8777
| 5
| 24
| 1
|
tr-010
| 8777
| 24
| 24
| 5
|
tr-011
| 8777
| N
| 24
| 10
|
tr-012
| 8777
| N
| 24
| 3
|
Legend: [see first summary table above]
To support the vulnerability reporting process, typically one exploit
per implementation is refined and included in the respective
vulnerability report. The exploit is only intended for demonstration
purposes and is harmless as it is. Simplest of them only executes some
harmless commands in the target system, typically with the privileges
of the vulnerable process. Some only provide a demonstration by
causing a Denial of Service (DoS) against the software.
Buffer overflow exploits allowing execution of arbitrary code were
demonstrated against:
-
One SNMP master agent bundled in an embedded firewall and VPN appliance
-
Two SNMP master agents bundled as part of the operating systems in question
-
One SNMP trap listener bundled as part of the operating system in question
-
Two add-on trap listeners available as parts of SNMP management
frameworks
In the initial set of the tested products, denial of service was
demonstrated for the remaining master agents (three network devices)
and one trap listener (management framework) identified as vulnerable.
The test-material is distributed as four JAR packages, two for
Request-PDUs (GetRequest, GetNextRequest and SetRequest) and two for
Trap-PDUs. Of the two JAR packages for given PDU type one contains the
application part and the other the BER encoding part of
test-cases. Each package comprises of the following elements:
-
Test-cases (PDUs), located in
testcases/ directory
-
Java code (source and compiled) for feeding the test-cases against
the system under test
-
LICENSE.TXT
- GNU General Public License (GPL) version 2
-
README.TXT
- Short instructions
The test-material is licensed under GNU General Public License (GPL)
version 2, at no charge. This is done in order to ensure that vendors
and their customers may freely utilise the test-material. Standard
GPL terms for no warranty and no liability apply.
We recommend some additional guidelines, although these do not
restrict the test-material licence. These guidelines can
be found from the
"test-suite releases in Theory and Practice"
document.
A prerequisite for using the test-material is a properly configured
SNMPv1 implementation, preferably not in an open network.
The test-material can be used either with the bundled injection code
[Using with Java] or with an external
injector [Using single test-cases].
Java Runtime is a prerequisite for running the bundled Java code.
This package has been tested on Java 2 Platform, Standard
Edition (J2SE ). [10]
Usage examples for the injection code bundled in the JAR packages:
-
java -jar c06-snmpv1-req-app-r1.jar -help
-
This command displays the built-in help for the available command line
options. Options such as selecting the zero-case instrument, a
specific range of test-cases, showing the reply from subject or
non-standard destination port are high-lighted therein.
-
java -jar c06-snmpv1-req-app-r1.jar -host hostname
-single <index> -showreply
-
Send the req-app test-case index into SNMP server
hostname port 161 and show reply from the server (if
any). Please note that -showreply is not relevant with SNMP
traps.
-
java -jar c06-snmpv1-req-app-r1.jar -host hostname -delay 1000
-
Send all req-app test-cases into SNMP server hostname port
161 with a delay of 1000 milliseconds between each case.
-
java -jar c06-snmpv1-req-app-r1.jar -host hostname -zerocase
-
Run all req-app test-cases into SNMP server hostname port
161. A valid zero-case (test-case# 0) is injected between the real
test-cases and a reply to it is awaited for. Please note that
-zerocase switch works only with Request-PDUs, SNMPv1 trap
handling does not involve responses.
The test-cases (PDUs) are in raw binary format and can be used by any
suitable delivery software, such as nc (netcat). The individual
test-cases can be extracted from the JAR package with tools such as
unzip, Winzip or jar. Refer to the manual pages and product
documentation of the respective tools for additional information.
These JAR packages contain the req-app and req-enc test-material and
the corresponding PGP signatures.
These JAR packages contain the trap-app and trap-enc test-material
and the corresponding PGP signatures.
Be sure to check which PDU types the subject accepts. Zero-case
instrument requires that the subject has a properly configured
'public' SNMP read community. Otherwise the subject
will not respond to valid test-cases. However, if you want to test a
subject with a different community, the default zero-case (test-case#
0) can be replaced. Using a hex editor, 'public' can be changed to
'foobar' and because they have the same length, the packet validity is
preserved. Remember that zero-case instrumentation works only with
Request-PDU packages, because SNMP traps are never replied to.
For the best possible replication of results gathered by us, request
JAR test-cases should be ran using switches -zerocase and
-showreply. For the trap JARs no additional switches except for the
-host should be used. This ensures that timeouts and configuration
options match as far as possible those used in our test-runs. As
mentioned earlier, community name 'public' was used as
read community and no write community was defined.
Sending test-cases with different timeouts, in different order and so
on may reveal error modes we did not notice. Also, setting write
community to public or read community to something other than public
are likely to have significant effect on results and possible error
modes observed.
The initial results from the c06-snmpv1 tests indicate that
implementation errors plague several SNMP products. None from the
sample of twelve implementations survived the test-material. This is
most alarming since SNMPv1 is widely used in critical parts of network
infrastructure.
Attempts to secure the sample implementations from the found
vulnerabilities produced various results. Applying device based access
control to SNMP traffic was mostly useless since spoofing the UDP
source address is simple. All sample implementations by default
accepted SNMP packets sent to the network broadcast address, and this
lessens the effort needed to exploit the vulnerabilities. A potential
attacker does not need to know the actual IP-addresses of his targets
and can in worst case use a single broadcast packet to compromise a
whole network without ever having to find out a valid SNMP community
name. In some cases, SNMP could not be fully disabled and there was no
other way to secure an implementation than to plug it off the network.
Since the test-material can discover only a fraction of potential
implementation errors, it is likely that we have simply touched the tip
of the iceberg. We hope that a wide adoption of this test-suite will
raise the overall quality of SNMP products and will help implementors
to fix also those vulnerabilities not directly addressed by it.
We wish to express our gratitude to individual vendors who worked with
us to protect their customers. We are in debt to
Sonera Corporation for providing
us facilities and support in determing the impact of the
test-suite. Last, but not least, we are grateful to
CERT/CC for their patient help,
advice and active role during the vulnerability process. We admire
CERT/CC's ability and sacrifice in handling the complexity of the
issue, number of the vendors involved and the resulting flood of
communication during extended time-frame spanning several months.
The most common sources for vulnerability information and exploits
were covered and cross checked for potential and already known
vulnerabilities in the implementations of the chosen protocol. Typical
sources for finding out about existing vulnerabilities are databases
and mailing-lists. Search-engines may also reveal information on past
vulnerabilities.
During the prerelease phase all verified vulnerabilities were reported
to the respective vendors. The vulnerability reports were tracked by
the CERT/CC in role of an independent coordinator and advisor.
[11] Due to potentially large number of vendors
affected, an attempt to establish a channel for discussion and
test-material distribution was made with CERT/CC.
Vendor statements or security advisories issued in order to address
the vulnerabilities uncovered by this test-suite are
collected. Advisories that we are aware of are listed here-in:
-
[CERT/CC 2002-02-12]
CERT® Advisory CA-2002-03 Multiple Vulnerabilities in Many
Implementations of the Simple Network Management Protocol (SNMP)
-
- [1]
-
"Open Directory Project : Top : Computers : Internet : Protocols".
Open directory project.
http://dmoz.org/Computers/Internet/Protocols/desc.html.
-
- [2]
-
Case, J; Fedor, M; Schoffstall, M & Davin J.
(1990).
"A Simple Network Management Protocol (SNMP)".
The Internet Engineering Task Force.
http://www.ietf.org/rfc/rfc1157.txt.
-
- [3]
-
"The Internet Engineering Task Force".
http://www.ietf.org/.
-
- [4]
-
"comp.protocols.snmp SNMP FAQ".
http://www.faqs.org/faqs/snmp-faq/.
-
- [5]
-
Stevens, Richard W.
TCP/IP Illustrated, Volume 1.
(1994).
Addison-Wesley.
ISBN: 0-201-63346-9.
-
- [6]
-
Larmouth, John.
ASN.1 Complete.
(1999).
Morgan Kaufmann.
http://www.oss.com/asn1/larmouth.html.
ISBN: 0-12233-435-3.
-
- [7]
-
"The SimpleWeb".
http://www.simpleweb.org/.
-
- [8]
-
"SNMPLink.org".
http://www.snmplink.org/.
-
- [9]
-
"SNMPWorld".
http://silver.he.net/~rrg/snmpworld.htm.
-
- [10]
-
"Java 2 Platform, Standard Edition (J2SE)".
http://java.sun.com/j2se/1.3/.
-
- [11]
-
"CERT/CC".
http://www.cert.org/.
As part of the analysis for the PROTOS c06-snmpv1 test-suite, some
guidelines for securing specific SNMP implementations were reviewed.
-
Securing SNMP on Solaris
-
http://ist.uwaterloo.ca/security/howto/2000-10-04/
-
Securing SNMP in Windows
-
http://www.sans.org/infosecFAQ/incident/SNMP.htm
-
Securing your Cisco Router when using SNMP
-
http://www.sans.org/infosecFAQ/netdevices/router.htm
-
SNMP - simple management tool for hackers?
-
http://www.nwfusion.com/newsletters/sec/1004sec1.html
-
Windows 2000, SNMP and Security
-
http://www.securityfocus.com/focus/microsoft/2k/snmp.html
A survey of other existing test-suites related to SNMP was conducted.
The found test-suites focused on rather semantical issues, with no or
only some syntax testing material.
-
http://www.iwl.com
"InterWorking Labs provides SilverCreek(R), the SNMP Test-Suite, for
software engineers to find and fix bugs in their SNMP agent
implementations. With nearly 1,000 tests available for SNMPv1, v2, v3,
and semantic tests for RMON1, RMON2, and the Printer MIB, InterWorking
Labs has revolutionised the process of testing network products."
-
http://www.smplsft.com/stest.html
"SimpleTester is an easy to use test tool that automatically tests
SNMPv1, SNMPv2C and SNMPv3 agents. Using this tool you can
exhaustively test agents implementing standard and enterprise specific
MIBs within minutes. Over 800 semantic validation tests for popular
MIBs like MIB-II, mini-RMON and SNMPv3 are included with source
code. Utilities like MIB browser, Trap Checker and Script Generator,
along with scripting support for Telnet and Serial I/O is also
present."
[This page is CSS2 enabled. Your browser might not fully support it]
|