Achieving Persistent HTML Injection via SNMP on Embedded Devices

Summary

A new approach to introducing HTML and/or JavaScript vulnerabilities into devices has been found. This approach uses SNMP write access to inject the malicious content into the device, which the device then displays whenever someone accesses its web interface.

Credit:

The information has been provided by ProCheckUp Research.
The original article can be found at: http://www.procheckup.com/PDFs/SNMP_injection.pdf


Details

Introduction:
In our earlier ‘ZyXEL Gateways Vulnerability Research’ paper[1], we introduced a new technique: SNMP injection a.k.a. persistent HTML injection via SNMP. Such a technique allowed us to cause a persistent HTML injection condition on the web management console of several ZyXEL Prestige router models.

Provided that an attacker has guessed or cracked the write SNMP community string of a device, he/she would be able to inject malicious code into the administrative web interface by changing the values of OIDs (SNMP MIB objects) that are printed on HTML pages.

The purpose behind injecting malicious code into the web console via SNMP is to fully compromise the device once the page containing the payload is viewed by the administrator.
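As an added illustration of where the injection lands (this is example code, not ProCheckUp's or any vendor's), the block below models the vulnerable pattern the paper describes (a web console printing writable MIB objects straight into HTML), the hardened form (HTML-encoding every SNMP-sourced string), and a small check that flags markup in those values. The three OIDs used are the standard RFC 1213 writable system-group objects (sysContact, sysName, sysLocation), chosen as an assumption since the paper does not name specific OIDs; the GET response is constructed.

```python
import html
import re

# Writable MIB-II system-group objects that embedded web consoles commonly
# print verbatim. Standard RFC 1213 OIDs; an assumption, the paper names none.
WRITABLE_SYSTEM_OIDS = {
    "1.3.6.1.2.1.1.4.0": "sysContact",
    "1.3.6.1.2.1.1.5.0": "sysName",
    "1.3.6.1.2.1.1.6.0": "sysLocation",
}

# A tag opener or a javascript: URL has no place in a contact, hostname or
# location string; either is a strong sign the value was tampered with.
_MARKUP = re.compile(r"<\s*/?[a-z!]|javascript:", re.IGNORECASE)


def find_injected_values(snmp_values):
    """Return [(oid, name, value)] for values that contain HTML/JS markup.

    snmp_values maps OID -> string, as an SNMP GET of the device would return.
    """
    hits = []
    for oid, name in WRITABLE_SYSTEM_OIDS.items():
        value = snmp_values.get(oid, "")
        if _MARKUP.search(value):
            hits.append((oid, name, value))
    return hits


def render_system_row(name, value):
    """Vulnerable pattern: the OID value is interpolated into HTML as-is."""
    return f"<tr><td>{name}</td><td>{value}</td></tr>"


def render_system_row_safe(name, value):
    """Hardened pattern: every SNMP-sourced string is HTML-encoded on output."""
    return f"<tr><td>{html.escape(name)}</td><td>{html.escape(value)}</td></tr>"


# Constructed GET response: sysLocation has been overwritten through a guessed
# write community string; the other two objects are benign.
SAMPLE_RESPONSE = {
    "1.3.6.1.2.1.1.4.0": "noc@example.net",
    "1.3.6.1.2.1.1.5.0": "edge-gw-01",
    "1.3.6.1.2.1.1.6.0": "Rack 3 <script>alert(1)</script>",
}

if __name__ == "__main__":
    for oid, name, value in find_injected_values(SAMPLE_RESPONSE):
        print(f"tampered {name} ({oid}): {value!r}")
        print("unsafe:", render_system_row(name, value))
        print("safe:  ", render_system_row_safe(name, value))
```

Run against real devices by replacing SAMPLE_RESPONSE with the result of a read-only GET of the same three OIDs; any hit is a value that should be reset and a community string that should be rotated.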

When we came up with the SNMP injection technique, we suspected that such an attack is possible on a large number of embedded devices in use in the market, as mentioned in some interviews where our research was featured[2]. Although the SNMP write community string must be guessed or cracked for this attack to work, it is worth mentioning that some devices come with SNMP read/write access enabled by default using common community strings[3] such as ‘public’, ‘private’, ‘write’ and ‘cable-docsis’. Some examples include ZyXEL Prestige router models used in residential and SOHO networks, Innomedia VoIP gateways[4], some Cisco routers and phone gateways[5] and other corporate products such as the Proxim Tsunami devices.

Also, the use of customized but weak SNMP write community strings, and other weaknesses within the device's SNMP stack implementation, should be taken into account when evaluating the feasibility of this attack.

In order to confirm that this attack affects most SNMP-enabled embedded devices regardless of model or vendor, we surveyed random embedded devices that were available in our computer security lab. Overall, we surveyed network devices from the following vendors:
– Cisco
– Proxim
– 3Com
– ZyXEL

References:
[1] ‘ZyXEL Gateways Vulnerability Research’ http://www.procheckup.com/Hacking_ZyXEL_Gateways.pdf

[2] ‘SNMP Joins Dark Side in New XSS Attack’ http://www.darkreading.com/document.asp?doc_id=147014

[3] ‘Multiple Vendor SNMP World Writeable Community Vulnerability’

[4] ‘Digging into SNMP in 2007 An Exercise on Breaking Networks’ http://www.ernw.de/content/e7/e181/e671/download690/ERNW_026_SNMP_HitB_Dubai_2007_ger.pdf

[5] ‘Cisco Security Advisory: DOCSIS Read-Write Community String Enabled in Non-DOCSIS Platforms’
