what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

HP/H3C And Huawei SNMP Weak Access To Critical Data

HP/H3C And Huawei SNMP Weak Access To Critical Data
Posted Oct 23, 2012
Authored by Kurt Grutzmacher

HP/H3C and Huawei networking equipment suffers from a serious weakness in regards to their handling of SNMP requests for protected h3c-user.mib and hh3c-user.mib objects.

tags | advisory
advisories | CVE-2012-3268
SHA-256 | 0c92a17dfa2d3087a38c6352ee5709ac2ed2aa953819313542b7ecc6ef5659a8

HP/H3C And Huawei SNMP Weak Access To Critical Data

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

HP/H3C and Huawei SNMP Weak Access to Critical Data
===================================================

http://grutztopia.jingojango.net/2012/10/hph3c-and-huawei-snmp-weak-access-to.html

Overview
- --------

HP/H3C and Huawei networking equipment suffers from a serious weakness
in regards to they're handling of Systems Network Management Protocol
(SNMP) requests for protected h3c-user.mib and hh3c-user.mib objects.


Identifiers
- -----------

US-CERT VU#225404
CVE-2012-3268


Vendor release
- --------------

HP/H3C:
https://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03515685&ac.admitted=1350939600802.876444892.492883150

Huawei: In the works


Researcher
- ----------

Kurt Grutzmacher
grutz <at> jingojango dot net
http://grutztopia.jingojango.net/
twitter: @grutz


Details
- -------

Huawei/H3C have two OIDs, 'old' and 'new':

old: 1.3.6.1.4.1.2011.10
new: 1.3.6.1.4.1.25506

Most devices support both formats.

The MIBs h3c-user.mib and hh3c-user.mib, for the purpose of this
document, will be referred to as (h)h3c-user.mib. This MIB defines the
internal table and objects to "Manage configuration and Monitor running
state for userlog feature."

This means there are some cool objects with data in this MIB penetration
testers or malicious actors would want to get their dirty little hands
on. Most objects are only accessible with the read/write community string.

In the revision history of (h)h3c-user.mib, version 2.0 modified the
MAX-ACCESS from read-only to read-create the following objects within
the (h)h3cUserInfoEntry sequence:

(h)h3cUserName
(h)h3cUserPassword
(h)h3cAuthMode
(h)h3cUserLevel

The purpose of these objects are to provide the locally configured users
to those with a valid SNMP community. After the change only those with
the read-write community string should have access, however this was not
the case and the code still retained the earlier access of read-only.

So if you have the SNMP public community string then you have the
ability to view these entries.


Why this is impactful
- ---------------------

The (h)h3cUserPassword is presented in one of three formats as defined
in the (h)h3cAuthMode object and mirrors how passwords are stored in the
device configuration:

0 -- password simple, meaning cleartext
7 -- password cipher, meaning ciphertext
9 -- password sha-256, meaning one-way sha-256 hash

SHA-256 is a recent addition and is not supported on all devices yet.

On top of this the (h)h3cUserLevel can be 0 to 3 where 0 is limited
access and 3 is full access.


Globbing some users
- -------------------

You must have an SNMP read-only or read-write string and access to the
SNMP port (udp/161) for this to work:

$ snmpwalk ?c public ?v 1 $IP 1.3.6.1.4.1.2011.10.2.12.1.1.1

or

$ snmpwalk ?c public ?v 1 $IP 1.3.6.1.4.1.25506.2.12.1.1.1


Weaponizing
- -----------

Files relevant to this disclosure:

hh3c-localuser-enum.rb - Metasploit auxiliary scanner module
snmp-h3c-login.nse - Nmap Scripting Engine module

These will soon be posted to https://github.com/grutz/h3c-pt-tools and
requested to be added to each tool.


Mitigation
- ----------

By itself this is already bad but most users who do any of the following
may already be protected:

1. Use complex SNMP community strings or disable SNMPv1
2. Have disabled the mib entries for (h)h3c-user
3. Block SNMP using access controls or firewalls
4. Do not define local users, use RADIUS or TACACS+

More specific routines can be found in the vendor's release.


Why this is a bigger problem
- ----------------------------

People make poor choices. They like to think their equipment won't rat
them out so they use cleartext passwords on networking equipment.

The cipher is an interesting one because it's basically an unknown...
What, you think the only thing I had to share at Toorcon was SNMP and
some cleartext credentials?


Timeline
- --------

June-ish 2012: Research begins after seeing something cool on a
penetration test

August 6, 2012: Contacted US-CERT to coordinate vendor disclosure, VU#225404

September 5, 2012: No response from H3C, contacted US-CERT again

September 6, 2012: H3C (through US-CERT) requests more time, I state
intention to present findings at Toorcon (Oct 19/20, 2012) or disclose
if talk not accepted.

September 18, 2012: Approved for Toorcon! Information goes up not long
after on Toorcon website.

September 18-October 16, 2012: Build slides, work on tools, no contact
with US-CERT or vendors.

October 16, 2012: HP contacts me directly asking that I not present this
information at Toorcon

October 18, 2012: Publicly state agreement to cancel the Toorcon talk

October 22, 2012: HP discloses! What what? Why bother putting any
pressure not to give the talk if you're gonna give everything out 2 days
later?

October 23, 2012: So I publish.

- --
- - grutz;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJQhtT4AAoJEMtvcfrnZQTfIhgP/3tbca4rV/DlBKfebbMyCLXU
9husdKpKdaYosVTZto09O2vWNXrHikKtQ6rcAFNQX8lQA36vt4XAI4NyyqEtlb24
Tdzxm5OKSPEa84TuzAipFhmzMWgoO6Tk1Jeko15UKFVCXFznDs5GJ2sABNu580/t
ssCd1ciG/1zVHhS6AuWFeIbFY9lKI/9YRVHAvmZNNbpu4aa74cCYwG5VihD3zLrX
qw7jRPcgijeZ7TRa1X42vsJlK3IFvo1yPX6dY7Wcf+YoTRir8jLrxcAjMrxHyiEN
KS8ocq1XDeiGywICFiYGDjlzrnXv0OQqNJn7jqXtu/FMHgU7jboZntIY9sSPdLBS
ehzqiygC7pigbgbTRHrCpICawPMhR25TLKW4WMYv/tugg/Ojpsgf+j/VUV88bOky
Mw9qCn3hzo+PUfo2SwuzxzE+MSQbzP9fjis0vdejqFe9O14Go2YYoU+V/3noFDcr
cDzpcgLWYRy4su/QP6sqtnIEzIjIJTaZnOrg52hxxzL7CLmJDgIPXv/ybf516uWY
nWydA3okhJ331K0UstB2guwrpq9o65GhJeL4I6vbLnOf5n2pSnAGMte4TQg53ZZ5
dAohShMGrE32nNjcVwFaAOp+o0l5wP4B1VrgU2YKINgZN5fcNQmjzMr/0oYbV4y0
Tf1y+JWpOR5jhsxEtBk/
=WGnr
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    8 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    11 Files
  • 23
    Apr 23rd
    68 Files
  • 24
    Apr 24th
    23 Files
  • 25
    Apr 25th
    16 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close