Re[2]: PR08-24: Proxim Tsunami MP.11 2411 vulnerable to SNMP Injection

To: lee.e.rian@xxxxxxxxxx
Subject: Re[2]: PR08-24: Proxim Tsunami MP.11 2411 vulnerable to SNMP Injection
From: "Vladimir '3APA3A' Dubrovin" <3APA3A@xxxxxxxxxxxxxxxx>
Date: Fri, 10 Oct 2008 10:28:43 +0400
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <OFA9F137A5.27FBCB2A-ON852574DD.00759877-852574DD.0075987C@xxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: http://www.security.nnov.ru
References: <48EE00F4.3090906@xxxxxxxxxxxxxx>, <99842756.20081009222045@xxxxxxxxxxxxxxxx> <OFA9F137A5.27FBCB2A-ON852574DD.00759877-852574DD.0075987C@xxxxxxxxxx>
Reply-to: "Vladimir '3APA3A' Dubrovin" <3APA3A@xxxxxxxxxxxxxxxx>

Dear lee.e.rian@xxxxxxxxxx,

Why do you think you can't do it with SNMP? An examples are settings DNS
server   option   via   DHCP  (or  DNS  domain  name  for  proxy  server
autodiscovery  protocol)  or  even  configuring  a  VPN  tunnel  for all
traffic.  I'm  not  sure  about  Tsunami, for Orinoco these settings are
read/write:

http://support.ipmonitor.com/mibs/ORINOCO-MIB/oids.aspx

see e.g. oriDHCPServerPrimaryDNSIPAddress

--Friday, October 10, 2008, 1:24:27 AM, you wrote to 3APA3A@xxxxxxxxxxxxxxxx:

lercg> -----"Vladimir '3APA3A' Dubrovin" <3APA3A@xxxxxxxxxxxxxxxx>
wrote: -----

>>What  can  you  achieve  with script injection you can not achieve
>>with SNMP write access?

lercg> I don't know what you can actually achieve, but in addition to
whatever you
lercg> can do to/with the box you have SNMP write access for, it gives
you a shot
lercg> at the admin's machine.  And maybe even a shot at everything
that the
lercg> admin's machine can talk to.

lercg> Regards,
lercg> Lee

>>
>>--Thursday, October 9, 2008, 5:02:44 PM, you wrote to
>>bugtraq@xxxxxxxxxxxxxxxxx:
>>
>>PR> $ snmpset -v1 -c public 192.168.1.100 sysName.0 s
>>'">><script>alert(1)</script>'
>>
>>
>>--
>>~/ZARAZA http://securityvulns.com/

-- 
~/ZARAZA http://securityvulns.com/
Если даже вы получите какое-нибудь письмо, вы все равно не сумеете его 
прочитать. (Твен)

References:
- PR08-24: Proxim Tsunami MP.11 2411 vulnerable to SNMP Injection
  - From: ProCheckUp Research
- Re: PR08-24: Proxim Tsunami MP.11 2411 vulnerable to SNMP Injection
  - From: Vladimir '3APA3A' Dubrovin
- Re: PR08-24: Proxim Tsunami MP.11 2411 vulnerable to SNMP Injection
  - From: lee . e . rian

Prev by Date: [USN-651-1] Ruby vulnerabilities
Next by Date: Re: PR08-24: Proxim Tsunami MP.11 2411 vulnerable to SNMP Injection
Previous by thread: Re: PR08-24: Proxim Tsunami MP.11 2411 vulnerable to SNMP Injection
Next by thread: Re: PR08-24: Proxim Tsunami MP.11 2411 vulnerable to SNMP Injection
Index(es):
- Date
- Thread