15th Oct 2002 [SBWID-5748]
COMMAND
	Net-SNMP denial-of-service vulnerability
SYSTEMS AFFECTED
	All SNMP daemons based on the Net-SNMP package, versions 5.0.1, 5.0.3 and
	5.0.4.pre2
PROBLEM
	From iDEFENSE Security Advisory [#20021002], based on research by Andrew
	Griffiths [andrewg@d2.net.au]:
	
	The SNMP daemon included in the Net-SNMP package can be crashed if it
	attempts to process a specially crafted packet. Exploitation requires
	foreknowledge of a known SNMP community string (either read or
	read/write). This issue potentially affects any Net-SNMP installation
	in which the "public" read-only community string has not been changed.
	
	 ANALYSIS
	
	By sending the SNMP daemon a packet without having first set up a
	session, a vulnerability in the following segment of code from
	agent/snmp_agent.c, handle_var_requests(), line 1,876, can be
	exploited:
	
	 /* treecache_num is 0 when no subtree has been cached, yet "<=" still
	  * enters the loop and treecache[0].subtree is NULL */
	 for (i = 0; i <= asp->treecache_num; i++) {
	     reginfo = asp->treecache[i].subtree->reginfo;
	     status = netsnmp_call_handlers(reginfo, asp->reqinfo,
	                                    asp->treecache[i].requests_begin);
	
	Despite the fact that "asp->treecache_num" is NULL, the "<="
	comparison in the for() loop allows entry into the block. At this
	point, the SNMP daemon attempts to de-reference a NULL pointer leading
	to a SIGSEGV. Since the SNMP daemon must parse the attack packet, an
	attacker must pass the appropriate ACL (public/read is sufficient).
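	A runnable illustration of the loop-bound defect, added here and not taken from the advisory or from Net-SNMP itself (the structure layout, the netsnmp_call_handlers() stand-in and the sample sessions are constructed assumptions). The first function walks exactly the indices the "<=" loop would visit and reports the NULL subtree it would dereference; the second is a hardened form that uses "<" so an empty cache is never entered and fails closed on an inconsistent entry.

```c
#include <stddef.h>
/* Constructed, simplified model of the structures the advisory names
 * (hypothetical layout, not Net-SNMP's own headers). */
typedef struct { int id; } reginfo_t;
typedef struct { reginfo_t *reginfo; } subtree_t;
typedef struct { subtree_t *subtree; int requests_begin; } treecache_entry_t;
typedef struct {
    treecache_entry_t *treecache;
    int treecache_num;   /* 0 when nothing was cached, as in the advisory */
} agent_session_t;
/* Stand-in for netsnmp_call_handlers(); returns the id of the handler run. */
static int call_handler(reginfo_t *reginfo, int requests_begin)
{
    (void)requests_begin;
    return reginfo->id;
}

/* Walks exactly the indices the vulnerable "<=" loop visits and reports,
 * instead of dereferencing, whether one has a NULL subtree (the SIGSEGV
 * the advisory describes). 1 means the daemon would crash here. */
int vulnerable_loop_hits_null(const agent_session_t *asp)
{
    for (int i = 0; i <= asp->treecache_num; i++)
        if (asp->treecache[i].subtree == NULL)
            return 1;
    return 0;
}

/* Hardened loop: "<" never enters an empty cache, and a NULL guard fails
 * closed. Returns handlers invoked, or -1 on an inconsistent cache. */
int handle_var_requests_safe(const agent_session_t *asp)
{
    int calls = 0;
    for (int i = 0; i < asp->treecache_num; i++) {
        const subtree_t *st = asp->treecache[i].subtree;
        if (st == NULL || st->reginfo == NULL)
            return -1;
        call_handler(st->reginfo, asp->treecache[i].requests_begin);
        calls++;
    }
    return calls;
}
/* Constructed sessions: no cached subtree (crash case), two valid entries,
 * and a cache whose count claims an entry that was never filled in. */
static reginfo_t r1 = { 1 }, r2 = { 2 };
static subtree_t s1 = { &r1 }, s2 = { &r2 };
static treecache_entry_t empty_cache[1] = { { NULL, 0 } };
static treecache_entry_t two_cache[2] = { { &s1, 0 }, { &s2, 3 } };
agent_session_t empty_session = { empty_cache, 0 };
agent_session_t two_session = { two_cache, 2 };
agent_session_t broken_session = { empty_cache, 1 };
```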
SOLUTION
	Net-SNMP 5.0.5 has been released, which fixes the described
	vulnerability. It is available at
	
	 http://sourceforge.net/project/showfiles.php?group_id=12694
	