Windows NT with SNMP

Reported October 8, 1997 by Christopher J Rouland

Systems Affected

Windows NT with SNMP Agent Running

The Problem

Christopher writes:

I have found two significant features in the SNMP agent implementations under NT 4.0 Server, and I am sure there are more if I feel like really digging. The first issue I sent in earlier this year to Microsoft and received no response other than "expected behavior", and the second I just found, and it puts any large NT shop at a serious denial of service (DoS) risk.

1. This first exploit demonstrates the ability via SNMP to dump a list of all usernames in an NT domain (assuming the target box is a DC) or on an NT Server.

Here is the simplest NT example I could find to use this:

C:\NTRESKIT>snmputil walk public .

should be a domain controller or server

2. The second exploit demonstrates the ability via SNMP to delete all of the records in a WINS database remotely, bypassing all NT security. If you understand large scale WINS architecture, you can understand the implications of this. Knowledge of SNMP community strings would allow an attacker to effectively shut down any large NT infrastructure with N commands (N = number of WINS servers). This is permitted due to the extensive cmd set implemented in the WINS extension agent, specifically:

cmdDeleteWins OBJECT-TYPE
              SYNTAX  IpAddress
              ACCESS  read-write
              STATUS  mandatory
              DESCRIPTION
                        "This variable when set will cause all information
                         pertaining to a WINS (data records, context
                         information to be deleted from the local WINS.
                         Use this only when owner-address mapping table
                         getting to near capacity. NOTE: deletion of all
                         information pertaining to the managed WINS is"
              ::= { cmd 3 }

Since the SNMP toolset implemented under NT will not do snmp-set-requests, my sample exploit was done using the CMU SNMP development kit under Unix.  The command rnjdev02:~/cmu$ snmpset -v 1 public . a successfully entirely deleted my WINS database.

3. It appears that there are several other pieces of the LMMIB2 definition that allow for things such as remote session deletion or disconnect, etc., but I have not yet looked into them.

Stopping the Problem:

The simplest fix is to disable SNMP, or to remove the extension agents through the SNMP configuration in the registry.

If you MUST use SNMP, then at least block inbound access to the SNMP port at your perimeter. Be aware that using NT's various SNMP agents, a malicious intruder could gain knowledge about your entire network. In fact, they could quite easily gain everything they need to enter your network, except a password -- and those come in due time. BEWARE.
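Both issues above ride on plain SNMPv1 messages, and the destructive one is specifically a set-request. A defender who cannot yet turn the agent off can at least watch for set-requests reaching NT hosts. The following decoder is an added example, not code from the advisory or from Microsoft: it parses the BER framing of an SNMPv1 message, names the PDU type, extracts the community string and varbind OIDs, and raises an alert for any SetRequest, noting whether its OIDs fall under the Microsoft enterprise arc (the prefix 1.3.6.1.4.1.311 and the sample OID below are assumptions for illustration; the sample packet is constructed, not captured).

```python
# Added example (not from the advisory): minimal SNMPv1 BER decoder for flagging
# SetRequest PDUs seen on UDP/161, the message type the WINS "cmd" objects act on.
MS_ENTERPRISE_PREFIX = "1.3.6.1.4.1.311"   # assumed: Microsoft enterprise OID arc
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

def read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the BER element at pos; short and long lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Turn BER OID contents into dotted form; sub-identifiers > 127 span several bytes."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this sub-identifier
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def inspect_snmpv1(payload):
    """Summarise one SNMPv1 datagram and decide whether it deserves an alert."""
    _, msg, _ = read_tlv(payload, 0)        # outer SEQUENCE
    _, version, pos = read_tlv(msg, 0)      # INTEGER, 0 means SNMPv1
    _, community, pos = read_tlv(msg, pos)  # OCTET STRING community name
    pdu_tag, pdu, _ = read_tlv(msg, pos)    # context-tagged PDU
    pos = 0
    for _ in range(3):                      # skip request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, vblist, _ = read_tlv(pdu, pos)       # VarBindList SEQUENCE
    oids, pos = [], 0
    while pos < len(vblist):
        _, vb, pos = read_tlv(vblist, pos)
        _, oid_raw, _ = read_tlv(vb, 0)     # each VarBind starts with its OBJECT IDENTIFIER
        oids.append(decode_oid(oid_raw))
    pdu_name = PDU_NAMES.get(pdu_tag, hex(pdu_tag))
    ms_oids = [o for o in oids if o.startswith(MS_ENTERPRISE_PREFIX)]
    return {"version": version[0], "community": community.decode("latin-1"),
            "pdu": pdu_name, "oids": oids, "ms_enterprise_oids": ms_oids,
            "alert": pdu_name == "SetRequest"}

# Constructed sample: v1 SetRequest, community "public", one IpAddress varbind (assumed OID).
SAMPLE = bytes.fromhex("302e02010004067075626c6963a3210201010201000201003016"
                       "3014060c2b060104018237010205030040040a000001")
```

Feed it each UDP/161 payload from a sniffer on the management segment; any result with `alert` set means someone attempted a write, and a non-empty `ms_enterprise_oids` list points at the NT extension agents.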

Microsoft's Response:

The folks in Redmond initially said this was expected behavior.

To learn more about new NT security concerns, subscribe to NTSD.

Reported by Christopher J Rouland
Posted here at NTSecurity.Net October 12, 1997
