Thursday, 23 October 2008: Routers from Cisco susceptible to a vulnerability known as SNMP injection
ProCheckUp has found a large number of devices, such as routers from the popular vendor Cisco, to be susceptible to a vulnerability known as SNMP injection. The technique, which was discovered by Adrian Pastor of ProCheckUp, allows attackers to elevate privileges for the purpose of fully compromising the target device.
ProCheckUp surveyed devices from vendors such as Cisco, Proxim, 3Com and ZyXEL, all of which were found to be vulnerable.
In ProCheckUp's earlier "ZyXEL Gateways Vulnerability Research" paper, a new technique was introduced: SNMP injection a.k.a. persistent HTML injection via SNMP. Such a technique allowed hackers to cause a persistent HTML injection condition on the web management console of several ZyXEL Prestige router models.
Provided that an attacker has guessed or cracked the write SNMP community string of a device, he/she would be able to inject malicious code into the administrative web interface by changing the values of OIDs (SNMP MIB objects) that are printed on HTML pages.
The purpose behind injecting malicious code into the web console via SNMP is to fully compromise the device once the page containing the payload is viewed by the administrator.
When ProCheckUp came up with the SNMP injection technique, it was suspected that such an attack was possible on a large number of embedded devices in use in the market, as mentioned in some interviews where the research was featured. Although the SNMP write community string must be guessed or cracked for this attack to work, it is worth mentioning that some devices come with SNMP read/write access enabled by default using common community strings such as 'public', 'private', 'write' and 'cable-docsis'. Some examples include ZyXEL Prestige router models used in residential and SOHO networks, Innomedia VoIP gateways, some Cisco routers and phone gateways, and other corporate products such as the Proxim Tsunami devices.
Also, the use of customised but weak SNMP write community strings, and other weaknesses within the device's SNMP stack implementation, should be taken into account when evaluating the feasibility of this attack.
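As an added illustration (not code from the paper or from ProCheckUp), the snippet below shows the two defensive halves of the issue described above: a check that flags writable system-group objects (sysName, sysContact, sysLocation) whose values carry HTML metacharacters, run over a constructed snmpwalk-style listing, and the vulnerable versus hardened way a management console can print such a value into a page. The sample values, the OID list and the helper names are assumptions of this example.

```python
import html
import re

# Constructed snmpwalk-style output of the MIB-2 system group (not captured from a real device).
SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: Router operating system 12.x
SNMPv2-MIB::sysContact.0 = STRING: netops@example.invalid
SNMPv2-MIB::sysName.0 = STRING: edge-rtr-01
SNMPv2-MIB::sysLocation.0 = STRING: Rack 4 <script>alert(1)</script>
"""

# Writable system-group objects that management consoles commonly print verbatim (assumed list).
WRITABLE_OIDS = ("SNMPv2-MIB::sysContact.0", "SNMPv2-MIB::sysName.0", "SNMPv2-MIB::sysLocation.0")

LINE_RE = re.compile(r"^(?P<oid>\S+) = STRING: (?P<value>.*)$")
MARKUP_RE = re.compile(r"[<>\"']|&#|javascript:", re.IGNORECASE)


def parse_walk(text):
    """Parse snmpwalk-style lines into an {oid: value} dict (STRING objects only)."""
    objects = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            objects[m.group("oid")] = m.group("value")
    return objects


def find_injected(objects):
    """Return the writable OIDs whose values contain HTML metacharacters."""
    return [oid for oid in WRITABLE_OIDS
            if oid in objects and MARKUP_RE.search(objects[oid])]


def render_unsafe(value):
    """How a vulnerable console prints an OID value: straight into the page."""
    return f"<td>{value}</td>"


def render_safe(value):
    """Hardened form: entity-encode the value before it reaches the HTML page."""
    return f"<td>{html.escape(value, quote=True)}</td>"


if __name__ == "__main__":
    objs = parse_walk(SAMPLE_WALK)
    for oid in find_injected(objs):
        print(f"{oid}: suspicious value {objs[oid]!r}")
        print("  safe rendering:", render_safe(objs[oid]))
```

The same check can be run periodically against a read-only walk of the system group to catch a tampered object before an administrator opens the console.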
In order to confirm that this attack affects most SNMP-enabled embedded devices regardless of model or vendor, ProCheckUp surveyed random embedded devices that were available in the computer security lab. Overall, we surveyed network devices from the following vendors:
The complete paper can be downloaded from here.
Richard Brain, Technical Director of ProCheckUp, described the discovery as follows: "In real terms this could disrupt the day to day running of a company. It allows the configuration of border devices to be modified, adversely affecting corporate security.
"It could potentially allow the intercept of company communication, having huge implications for confidentiality."
A leading independent specialist security organisation, ProCheckUp was formed in 2000 to provide a unique Artificial Intelligence (AI) based penetration testing service to the corporate market.
Since then the company has enjoyed significant commercial and technological success, and received Royal recognition in April 2004 by winning the prestigious Queen's Award for Enterprise: Innovation, the UK's highest accolade for business performance.
ProCheckUp are service providers to some of the world's leading finance and banking organisations, international law firms and FTSE 100 companies.
ProCheckUp has adopted the methodology of conventional penetration testing and combined it with the functionality of a distributed automated attack system called ProCheckNet.
ProCheckNet automates the complex processes and decision making associated with a manual penetration testing team. It builds customised exploits in an entirely safe manner to achieve a level of testing unrivalled by conventional approaches. Complemented with features such as real-time encapsulated exploits and firewall and IDS bypass, ProCheckNet is a revolutionary attack system. Companies that require the highest level of security assurance utilise ProCheckNet to test all their internal and externally facing IT infrastructure, including brochureware, e-commerce websites, RAS, VPNs, mail services, DNS and even entirely bespoke applications.
T: 020 7307 5001 E: firstname.lastname@example.org