The SNMP service, which implements the Simple Network Management Protocol under Windows NT, ships with an insecure default configuration that allows unauthorized remote users to modify sensitive keys.
The default configuration of the SNMP service is insecure because the service is configured to answer to the community named 'public' with read-write permissions. This is a grave problem: the community name acts as both "username" and "password" when accessing the SNMP service, and 'public' is a well-known default.
Service Pack 4 for Windows NT adds the option to restrict the IP addresses that are allowed to "talk" to the SNMP service. However, the SNMP service uses UDP packets to exchange commands and replies, which makes it an easy target for packet spoofing: UDP is connectionless and provides no means of validating the authenticity of a packet, so the source address is the only thing the IP restriction can check.
This vulnerability could reveal the following information:
1) The LAN Manager domain name
2) A list of users
3) A list of shares
4) A list of running services
5) A list of active TCP connections
6) A list of active UDP connections
7) A list of network interfaces and their associated IP and hardware addresses
8) The IP routing table and the ARP table, as well as a number of networking performance statistics
Because the default settings make these variables read-write, a malicious user can modify the IP routing table, bring down interfaces and enable IP forwarding, which is especially dangerous when the Windows NT server acts as a firewall.
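The two points above, that the community name is the only credential and that it crosses the wire in cleartext inside a UDP datagram, and that a read-write community lets a remote party issue SET operations against objects such as ipForwarding, can both be checked from the network side. The following is an added example written for this advisory, not code from the original text or from Microsoft: a minimal BER decoder that extracts the version, community string and PDU type from an SNMPv1 datagram, as a monitoring sensor on UDP port 161 would, and flags requests that use a well-known default community or that attempt a SetRequest. The sample datagrams, the list of default community names and the finding strings are constructed for the demonstration; the MIB-II object identifiers for sysName (1.3.6.1.2.1.1.5.0) and ipForwarding (1.3.6.1.2.1.4.1.0) are the standard ones.

```python
"""Decode SNMPv1 messages captured on UDP/161 and flag risky ones.

Added example for this advisory (not part of the original text). An SNMPv1
message is BER-encoded as:

    SEQUENCE { INTEGER version (0 = v1), OCTET STRING community, PDU }

where the PDU tag identifies the operation (GetRequest, SetRequest, ...).
The community string is visible to anyone who sees the datagram, which is
why a read-write 'public' community is equivalent to a published password.
"""

# Well-known default community names (constructed list for the demo).
DEFAULT_COMMUNITIES = {"public", "private"}

# SNMPv1 PDU tags (context-specific, constructed).
PDU_TYPES = {
    0xA0: "GetRequest",
    0xA1: "GetNextRequest",
    0xA2: "GetResponse",
    0xA3: "SetRequest",
    0xA4: "Trap",
}


def ber_read(buf, pos=0):
    """Read one BER TLV starting at pos; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def parse_snmpv1(datagram):
    """Return {'version', 'community', 'pdu'} for one datagram, or raise ValueError."""
    tag, body, _ = ber_read(datagram)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, ver, pos = ber_read(body)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    tag, community, pos = ber_read(body, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    pdu_tag, _, _ = ber_read(body, pos)
    if pdu_tag not in PDU_TYPES:
        raise ValueError("unknown PDU tag 0x%02x" % pdu_tag)
    return {
        "version": int.from_bytes(ver, "big", signed=True),
        "community": community.decode("ascii", "replace"),
        "pdu": PDU_TYPES[pdu_tag],
    }


def assess(datagram):
    """Return a list of findings for one datagram (empty list = nothing notable)."""
    msg = parse_snmpv1(datagram)
    findings = []
    if msg["community"] in DEFAULT_COMMUNITIES:
        findings.append("default community %r" % msg["community"])
    if msg["pdu"] == "SetRequest":
        findings.append("SetRequest (write attempt)")
    return findings


# --- constructed sample datagrams (minimal BER encoder, demo only) ---------

def _tlv(tag, value):
    assert len(value) < 128, "short-form lengths are enough for these samples"
    return bytes([tag, len(value)]) + value


def _int(v):
    return _tlv(0x02, v.to_bytes(1, "big", signed=True))


def build_sample(community, pdu_tag, oid_bytes, value_tlv):
    """Assemble one SNMPv1 message with a single varbind."""
    varbind = _tlv(0x30, _tlv(0x06, oid_bytes) + value_tlv)
    pdu = _tlv(pdu_tag, _int(1) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)


OID_SYSNAME = bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x05, 0x00])       # 1.3.6.1.2.1.1.5.0
OID_IPFORWARDING = bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x04, 0x01, 0x00])  # 1.3.6.1.2.1.4.1.0
NULL = bytes([0x05, 0x00])

SAMPLE_GET = build_sample("public", 0xA0, OID_SYSNAME, NULL)           # read with default community
SAMPLE_SET = build_sample("public", 0xA3, OID_IPFORWARDING, _int(1))   # write: ipForwarding = 1
SAMPLE_OK = build_sample("n3tmgmt-ro-7x", 0xA0, OID_SYSNAME, NULL)     # read, non-default community

if __name__ == "__main__":
    for name, pkt in (("GET", SAMPLE_GET), ("SET", SAMPLE_SET), ("OK", SAMPLE_OK)):
        print(name, parse_snmpv1(pkt), assess(pkt))
```

The decoder deliberately stops at the PDU tag: for triage a sensor only needs to know who is talking (the community) and whether the request writes. Because the datagram carries nothing else that authenticates the sender, an IP-based restriction on the agent cannot be relied upon on its own; changing the community name away from the defaults and setting it read-only addresses the problem the advisory describes.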