<<< Date Index >>>     <<< Thread Index >>>

Re: Digital Armaments Security Advisory 01.16.2006: CMU SNMP utilities snmptrad Format String Vulnerability



> III. Detection
>
> This problem has been detected and tested on latest versions:
> snmptrapd from cmu-snmp-linux-3.7 package
> snmptrapd from cmu-snmp-linux-3.6 package

This seems to be the following code:

int snmp_input(op, session, reqid, pdu, magic)
    int op;
    struct snmp_session *session;
    int reqid;
    struct snmp_pdu *pdu;
    void *magic;
{
    struct variable_list *vars;
    char buf[64], sbuf [10240];

    if (op == RECEIVED_MESSAGE && pdu->command == TRP_REQ_MSG){
        if (Print){
[...]
        } else {
[...]
          sprintf (sbuf, "%s: %s Trap (%d) Uptime: %s", 
                   inet_ntoa(pdu->agent_addr.sin_addr),
                   trap_description(pdu->trap_type), pdu->specific_type,
                   uptime_string(pdu->time, buf));
[...]
          for (vars = pdu->variables; vars; vars = vars->next_variable) {
            /* XXX: check buffer space avail */
            strcat (sbuf, " ");
            sprint_variable (sbuf + strlen (sbuf),
                             vars->name, vars->name_length, vars);
          }
          syslog(LOG_WARNING, sbuf);
        }
[...]
}

Apparently, this code has not made its way into the UCD-SNMP and
NET-SNMP source (or the official CMU-SNMP sources).  This means that
the number of affected systems should be minimal.