Internet Security Systems

SNMP sysName overflow

advICE: Intrusions: 2002005
Summary

This is an attempt to break into the SNMP device using a buffer overflow exploit.

Details

SNMP is full of unchecked buffer overflows. Specifically, the Network Associates (NAI) Distributed Sniffer Agent (DSA) has an unchecked buffer in its sysName field. Moreover, it does not check the community string on SET requests for this field. There are attack scripts out there that will compromise such systems.
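Added example (not ISS code or any product's signature): a minimal BER walker that flags an SNMPv1 SetRequest writing more than 255 bytes into sysName.0, the condition behind this alert, and reports the same op/community/val fields the alert carries. The 255-byte threshold is the DisplayString limit from MIB-2 (RFC 1213), chosen here as an assumption; the packet builder exists only to construct test input inline.

```python
SYSNAME_OID = bytes([0x2B, 6, 1, 2, 1, 1, 5, 0])  # 1.3.6.1.2.1.1.5.0 (MIB-2 sysName.0), BER body
SET_REQUEST = 0xA3                                # SNMPv1 SetRequest-PDU tag
MAX_SYSNAME = 255                                 # DisplayString limit from RFC 1213 (assumed threshold)

def tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(blob):
    """Return [(tag, value), ...] for every TLV inside a constructed value."""
    pos, out = 0, []
    while pos < len(blob):
        tag, val, pos = tlv(blob, pos)
        out.append((tag, val))
    return out

def check_snmp_packet(packet):
    """Return the alert's parametric info for an oversized sysName SET, else None."""
    tag, msg, _ = tlv(packet, 0)
    if tag != 0x30:                               # not a SEQUENCE: not an SNMP message
        return None
    (_, _ver), (_, community), (pdu_tag, pdu) = children(msg)
    if pdu_tag != SET_REQUEST:
        return None
    varbinds = children(pdu)[3][1]                # after request-id, error-status, error-index
    for _, vb in children(varbinds):
        (_, oid), (_, val) = children(vb)
        if oid == SYSNAME_OID and len(val) > MAX_SYSNAME:
            return {"op": "SET", "community": community.decode("latin-1"), "val": len(val)}
    return None

def ber(tag, body):
    """Minimal BER encoder, used only to construct the sample packets."""
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body

def build_set_sysname(community, value):
    """Constructed SNMPv1 SetRequest that writes `value` into sysName.0 (test input only)."""
    varbinds = ber(0x30, ber(0x30, ber(0x06, SYSNAME_OID) + ber(0x04, value)))
    pdu_body = ber(0x02, b"\x01") + ber(0x02, b"\x00") + ber(0x02, b"\x00") + varbinds
    return ber(0x30, ber(0x02, b"\x00") + ber(0x04, community) + ber(SET_REQUEST, pdu_body))
```

A normal-length SET returns None; only a SET whose sysName value exceeds the threshold produces the alert record.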

Action

This is potentially serious. Such agents are rarely managed by the security department and once installed, the software is rarely updated. Therefore, there is a good chance that such attacks can be successful. Though such attacks can easily be spoofed, it is likely that a hacker is only attempting this because they believe you are running such software.

Therefore, if this is the first time you are seeing this alert, you may want to double-check whether the network staff have any such products installed and whether they have patched to the latest version.

more information
advICE: SNMP - the section with more information on SNMP
SNMP MIB2 system group
BugtraqID: 1901 - NAI Sniffer Agent SNMP Buffer Overflow Vulnerability

parametric information
op: SNMP operation (SET, GET, etc.)
community: SNMP community
val: the value of the field that triggered this alert

 
Version appeared: 2.5
