|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Maformed SNMP Packet log/trace
On Tue, Feb 26, 2002 at 06:41:22PM -0500, Sean Donelan wrote: > > On 26 Feb 2002, Eric Brandwine wrote: > > Go to the Oulu University page mentioned in the advisory. > > > > Download the 4 .jar files that comprise the toolkit. > > > > unzip the jar files. There'll be a testcases/ dir in each of them. > > Each file in this directory is one of their packets. > > > > There are 53,000 of them. Have fun! > > And to keep things exciting, programmers rarely make mistakes in > only one protocol. Turing still holds. It wouldn't be surprising > if other packets can do bad things when "this should never happen" > happens. Who is checking NTP, OSPF, ISIS, BGP, SSH, DNS, TELNET, > TACACS+, etc code paths? A lot of those protocols have people looking at them on a regular basis, and they still manage to come up with obscure exploits noone else noticed (ex: 23mb of buffer overflows to exploit telnetd). On the other hand, a lot of those protocols (and more specifically their implementations in routers) have probably never seen the light of day, and are so rotten we are all better off keeping them covered up. I'm certain that more then enough people here can attest to the fact that it doesn't take much in the way of "unexpected packets" before certain vendors BGP implementations start wigging. Of course, it is up to the user to decide if they would rather have a product with 50,000 holes that script kiddies don't know about, or a product with 100 holes that the do. Most days security through obscurity works just fine, but the days that it doesn't really suck. But SNMP is special. It has the distinct honor of being one of those protocols which has daylight all around it and yet somehow manages to stay under a rock. I attribute this to what I like to call the "Upchuck Code Barrier", namely that very few people have the intestinal fortitude to look at the existing implementations without hurling their lunch. This severely limits the number of exploits which are written. :) </rant> -- Richard A Steenbergen <[email protected]> http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
|