Microsoft Windows 2000 SNMP Memory Utilization DoS
22 Oct. 2002
If the SNMP service is running on a Windows 2000 server, and the 'Print Spooler' service is not running, repeatedly using SNMP queries to obtain print queue related values in the LANMAN MIB will cause the SNMP service to consume very large amounts of memory. It is necessary to have a valid 'read' string in order to carry out the attack. The default read string is 'public'.
Approximately 30MB of memory is allocated per SNMP request received.
The information has been provided by Chris Anley of Next Generation Security Software.
Vulnerable systems:
* Windows 2000 Server SP2 (lmmib2.dll, file version 5.00.2134.1)
* Windows 2000 Server SP3
An attacker can cause the SNMP service to consume all available memory on the server, causing the server to stop responding until rebooted. Under certain circumstances it may be necessary to power down the server rather than executing a 'graceful' shutdown.
The LAN Manager (LANMAN) MIB is installed automatically with the Windows 2000 SNMP Agent. The LANMAN MIB is implemented by lmmib2.dll.
If the SNMP Agent service (SNMP.exe) is running and the "print spooler" service (spoolsv.exe) has not been started since the SNMP Service was started, a 'GET' or 'GETNEXT' request to the SNMP Agent will cause the LANMAN SNMP Extension to leak a very large amount of memory (in tests approximately 30MB per request).
A valid 'read' community string is necessary to perform the attack. In a typical network attack this could be obtained by sniffing the network, by examining the configuration of a compromised host such as a workstation, or by guesswork; SNMP community strings are typically not changed frequently.
The attack can be performed using an SNMP manager utility such as the SNMPUtil tool provided in the Windows 2000 resource kit. Example command lines follow:
(using the NGS Software SNMP utility, 'snmplib')
snmplib get <hostname> 161 public 126.96.36.199.188.8.131.52.2.28.0
(using the SNMPUtil tool)
snmputil getnext localhost public .184.108.40.206.220.127.116.11.2.28.0
The effect of the attack can be observed using the Windows 2000 Task Manager application: add the 'VM Size' column to the 'Processes' window using the 'View / Select Columns' menu option and watch the memory usage of the SNMP service grow with each request.
When the attack is repeated several times, performance of the server begins to degrade severely, resulting in an inability to start new processes or allocate memory. Different programs fail in different ways; an especially unfortunate failure mode is encountered if a user attempts to log on and mistypes the password: a failure to allocate memory in the WinLogon process causes the logon GUI to freeze.
Solution:
- Apply the vendor patch (this bug is fixed in Windows 2000 SP3).
- Ensure that only specified management stations are permitted to issue SNMP requests. This can be achieved in Windows 2000 using the 'Services' management console plug-in: the SNMP service has a number of configuration pages, one of which is 'Security', and this page can be used to specify the hosts (by IP address) from which SNMP packets are accepted. This is only a mitigation, however, since SNMP is a UDP-based protocol and the source address of a request can easily be spoofed.
- If possible, implement an IPSec tunnel between management stations and managed Windows 2000 servers.
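As an added example (not part of the advisory or NGS Software's tooling), the following script shows how a monitoring host could flag the traffic pattern described above: SNMP GET/GETNEXT requests for LANMAN MIB objects from hosts outside the approved management-station list, and bursts of such requests, with the memory impact estimated from the roughly 30MB-per-request leak the advisory reports. It assumes request records have already been parsed from a sniffer or SNMP log into (timestamp, source IP, community, PDU type, OID) tuples, and that the LAN Manager MIB lives under the 1.3.6.1.4.1.77 enterprise arc (an assumption; the advisory names the MIB but not its OID prefix).

```python
"""Flag LANMAN MIB polling from unapproved sources and request bursts that would
exhaust memory at the ~30MB-per-request leak rate described in the advisory."""
from collections import defaultdict

# Assumed enterprise arc of the LAN Manager MIB-II implemented by lmmib2.dll.
LANMAN_PREFIX = "1.3.6.1.4.1.77."
LEAK_MB_PER_REQUEST = 30     # figure reported in the advisory
WINDOW_SECONDS = 60          # sliding window used for burst detection


def is_lanman_oid(oid):
    """True if the OID (with or without a leading dot) is under the LANMAN arc."""
    return oid.lstrip(".").startswith(LANMAN_PREFIX)


def analyse(records, allowed_sources, burst_threshold=10):
    """records: iterable of (timestamp_seconds, src_ip, community, pdu, oid).
    Returns (alerts, leak_estimate_mb) where leak_estimate_mb maps each source
    to the memory its LANMAN requests would leak on an unpatched server."""
    alerts = []
    recent = defaultdict(list)   # src -> timestamps of LANMAN requests in window
    leak = defaultdict(int)
    for ts, src, _community, pdu, oid in sorted(records):
        if pdu not in ("GET", "GETNEXT") or not is_lanman_oid(oid):
            continue                                # only the vulnerable subtree
        leak[src] += LEAK_MB_PER_REQUEST
        if src not in allowed_sources:
            alerts.append(("unapproved-source", src, oid))
        hits = recent[src]
        hits.append(ts)
        while hits and ts - hits[0] > WINDOW_SECONDS:
            hits.pop(0)                             # drop requests outside window
        if len(hits) == burst_threshold:            # alert once on crossing it
            alerts.append(("lanman-burst", src, len(hits)))
    return alerts, dict(leak)


# Constructed sample: one poll from an approved station, then a burst from an
# unapproved host. The OID is a constructed value under the LANMAN arc, not the
# specific print-queue object used in the advisory.
SAMPLE_OID = ".1.3.6.1.4.1.77.1.2.0"
SAMPLE = [(0, "10.0.0.5", "public", "GET", SAMPLE_OID)] + [
    (i, "10.0.0.99", "public", "GETNEXT", SAMPLE_OID) for i in range(1, 13)]
ALLOWED = {"10.0.0.5"}

if __name__ == "__main__":
    alerts, leak = analyse(SAMPLE, ALLOWED)
    for alert in alerts:
        print(alert)
    print("estimated leak (MB) per source:", leak)
```

Pair this with a Task Manager or performance-counter check on the SNMP service's VM Size, since a spoofed source address will pass the allow-list test.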