Microsoft Windows NT 4.0 SNMP Community Name Vulnerability
Windows NT 4.0 and Windows 2000 provide optional SNMP (Simple Network Management Protocol) services. SNMP allows remote retrieval and setting of information related to TCP/IP networking processes. SNMP services provide two levels of access: read-only and read/write. All versions of SNMP provided with Windows NT 4.0 prior to Service Pack 4 only allow read/write access to SNMP functions for authorized administrators; there is no ability to set "read-only". Service Pack 4 introduced the ability to set permissions to either "read-only" or "read/write".

SNMP provides a simple authentication scheme whereby an administrator can gain access to SNMP functions by knowing a "community name". A default installation of SNMP on Windows NT 4.0 allows access to SNMP with the community name "public". This alone presents a security risk, although most administrators using SNMP would likely change the default community name used to access SNMP services. Unfortunately, SNMP community names are stored in the registry as plaintext and can be retrieved by anybody who can access it.

IP address restrictions can also be implemented to control access to SNMP functions, but IP address restriction information is also stored in the registry in plaintext. Forged UDP packets can be used to circumvent this. Although an attacker using this approach would not be able to read information returned from the SNMP services, it still allows use of the "set" command to alter network-critical settings such as the IP routing table and ARP table, set IP forwarding, set IP TTL (time to live), enable or disable interfaces, etc.

SNMP services are not installed by default and must be added by the Windows NT administrator. Windows 2000 also stores SNMP community names and IP restrictions in the registry.
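As an added example that is not part of the advisory, the following Python decoder shows what a network monitor can recover from a captured SNMPv1 datagram on UDP/161: the community name sent in the clear and whether the PDU is a SetRequest, the operation the advisory warns can rewrite routing, ARP and IP forwarding settings. The sample packet is constructed, and the "private" entry in the default-community list is an assumption beyond the "public" name the advisory cites.

```python
# Added example, not from the advisory: a minimal SNMPv1 (RFC 1157) decoder that
# flags SetRequests and default community names seen in captured UDP/161 payloads.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest", 0xA4: "Trap"}
DEFAULT_COMMUNITIES = {"public", "private"}  # "private" is an assumed extra default; the advisory names "public"

# Constructed sample: SetRequest, community "public", writing 1 to ipForwarding.0 (1.3.6.1.2.1.4.1.0)
SAMPLE_SET_REQUEST = bytes.fromhex(
    "3027" "020100" "04067075626c6963"              # SEQUENCE, version 0, community
    "a31a" "020101" "020100" "020100"               # SetRequest, request-id, error-status, error-index
    "300f" "300d" "06082b06010201040100" "020101")  # varbind list: OID, INTEGER 1

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def decode_oid(raw):
    """Decode a BER OID value into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))
def parse_snmpv1(packet):
    """Return version, community, PDU type and the OIDs named in a request PDU."""
    _, msg, _ = read_tlv(packet, 0)                 # outer SEQUENCE
    _, ver, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    oids, pos = [], 0
    if pdu_tag != 0xA4:                             # Trap PDUs carry a different header
        for _ in range(3):                          # skip request-id, error-status, error-index
            _, _, pos = read_tlv(pdu, pos)
        varbinds, pos = read_tlv(pdu, pos)[1], 0
        while pos < len(varbinds):
            _, vb, pos = read_tlv(varbinds, pos)
            oids.append(decode_oid(read_tlv(vb, 0)[1]))
    return {"version": int.from_bytes(ver, "big"), "community": community.decode("ascii", "replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "oids": oids}
def findings(packet):
    """Alerts a monitor would raise for one SNMPv1 datagram."""
    m, alerts = parse_snmpv1(packet), []
    if m["community"] in DEFAULT_COMMUNITIES:
        alerts.append(f"default community '{m['community']}' in use")
    if m["pdu"] == "SetRequest":
        alerts.append("SetRequest writes " + ", ".join(m["oids"]))
    return alerts
```

Because the community name and the PDU type travel unencrypted, the same decoder can confirm from a capture that a host is still answering to "public", or that SetRequests arrive from addresses outside the configured manager list.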