15th Oct 2002 [SBWID-5748]

	Net-SNMP denial-of-service vulnerability


	All SNMP daemons based on the Net-SNMP package 5.0.1, 5.0.3 and


	In iDEFENSE Security Advisory [#20021002], thanks to Andrew Griffiths
	[] for the research:

	The SNMP daemon included in the Net-SNMP package can be crashed if it
	attempts to process a specially crafted packet. Exploitation requires
	foreknowledge of a known SNMP community string (either read or
	read/write). This issue potentially affects any Net-SNMP installation
	in which the "public" read-only community string has not been changed.



	By sending the SNMP daemon a packet without having first setup a
	session, a vulnerability in the following segment of code from
	agent/snmp_agent.c, handle_var_requests(), line 1,876, can be

	    /* "<=" still enters the loop when the tree cache holds no entries */
	    for (i = 0; i <= asp->treecache_num; i++) {
	        /* subtree is NULL in that case; this dereference faults */
	        reginfo = asp->treecache[i].subtree->reginfo;
	        status = netsnmp_call_handlers(reginfo, asp->reqinfo,



	Despite the fact that "asp->treecache_num" is NULL, the "<="
	comparison in the for() loop allows entry into the block. At this
	point, the SNMP daemon attempts to de-reference a NULL pointer leading
	to a SIGSEGV. Since the SNMP daemon must parse the attack packet, an
	attacker must pass the appropriate ACL (public/read is sufficient).
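	The loop-bound problem above, reproduced as an added example that is not
	from the advisory or from Net-SNMP itself: simplified stand-in structures
	(hypothetical names following the excerpt) show the "<=" walk entering an
	empty tree cache beside a hardened walk that validates each entry first.

```c
#include <stddef.h>
/* Constructed, simplified stand-ins for the Net-SNMP agent structures (hypothetical). */
typedef struct { int calls; } reginfo_t;
typedef struct { reginfo_t *reginfo; } subtree_t;
typedef struct { subtree_t *subtree; } treecache_entry_t;
typedef struct {
    treecache_entry_t *treecache;
    int treecache_num;   /* index of the last populated entry */
} agent_session_t;
enum { WALK_OK = 0, WALK_WOULD_SEGV = -1 };
/* Mirrors the advisory's loop: with no session set up treecache_num is 0 and
 * treecache[0].subtree is NULL, yet "<=" enters the body and the daemon
 * dereferences NULL. Here the dereference is detected and reported instead. */
int walk_vulnerable(agent_session_t *asp, int *handled) {
    *handled = 0;
    for (int i = 0; i <= asp->treecache_num; i++) {
        subtree_t *st = asp->treecache[i].subtree;
        if (st == NULL || st->reginfo == NULL)
            return WALK_WOULD_SEGV;   /* real code: SIGSEGV, daemon dies */
        st->reginfo->calls++;
        (*handled)++;
    }
    return WALK_OK;
}
/* Hardened form: validate each entry before dereferencing, so an unsolicited
 * packet yields zero handler calls instead of a crash. */
int walk_hardened(agent_session_t *asp, int *handled) {
    *handled = 0;
    for (int i = 0; i <= asp->treecache_num; i++) {
        subtree_t *st = asp->treecache[i].subtree;
        if (st == NULL || st->reginfo == NULL)
            continue;                 /* skip the unpopulated slot */
        st->reginfo->calls++;
        (*handled)++;
    }
    return WALK_OK;
}
/* One walk over a constructed cache: empty (the advisory's precondition) or two
 * populated subtrees. Returns the handled count, or WALK_WOULD_SEGV. */
int simulate_walk(int populated, int hardened) {
    reginfo_t r0 = {0}, r1 = {0};
    subtree_t s0 = { &r0 }, s1 = { &r1 };
    treecache_entry_t cache[2] = { { populated ? &s0 : NULL }, { &s1 } };
    agent_session_t asp = { cache, populated ? 1 : 0 };
    int handled = 0;
    int rc = hardened ? walk_hardened(&asp, &handled) : walk_vulnerable(&asp, &handled);
    return rc == WALK_OK ? handled : rc;
}
```

	simulate_walk(0, 0) reports the would-be crash, while simulate_walk(0, 1)
	returns 0 handler calls; both variants handle a populated cache normally.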


	Net-SNMP 5.0.5 has been released which fixes the described
	vulnerability. It is available at


