the vulnerability seems to still exist in the 5.4.2.1~dfsg-5 source package.

i sent the attached email to the debian developers [1] nearly 48 hours ago
and it hasn't appeared in the pkg-net-snmp-devel archives, so i'm presuming
it got caught in a spam filter somewhere and instead hoping for better luck
filing it as a comment to bug #516801.

as the attached email states, sid's 5.4.2.1~dfsg-5 appears to be vulnerable
based on its snmplib/snmpUDPDomain.c and lack of applicable patches in
debian/patches.

i don't know what the previous patch looked like, but the attached patch
should apply cleanly as it takes into account debian's/ubuntu's incorrect
"%hd" (vs upstream's "%hu").

if i overlooked something in my analysis (as i did not observe the bug in
the resulting binary as i did with ubuntu's version, but just examined the
source code), then please disregard this email.

thanks for packaging net-snmp (as i run it on my lenny installations
without any problems)!

corey
-- 
undefi...@pobox.com

[1] pkg-net-snmp-de...@lists.alioth.debian.org
[2] http://lists.alioth.debian.org/pipermail/pkg-net-snmp-devel/
--- Begin Message ---
SUMMARY
-------

snmpd in lucid (5.4.2.1~dfsg0ubuntu1-0ubuntu2) is vulnerable to
CVE-2008-6123 contrary to what its changelog says.

the attached patch was applied to the aforementioned version, compiled in a
pbuilder lucid chroot (on lenny), and the resulting packages (libsnmp-base,
libsnmp15, snmp, snmpd) were successfully tested on lucid-i386.

i also downloaded sid's 5.4.2.1~dfsg-5 source and it appears to be
vulnerable based on its snmplib/snmpUDPDomain.c and the lack of any
applicable patch(es) in debian/patches.

REFERENCES
----------

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6123
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&revision=17367
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp/branches/V5-4-patches/net-snmp/snmplib/snmpUDPDomain.c?r1=17367&r2=17366&pathrev=17367

BACKGROUND
----------

i recently upgraded a netbook from hardy to lucid by installing lucid to a
new hard drive and copying/merging the old configuration.  after installing
snmpd and merging/copying the associated configuration files
(/etc/default/snmpd, /etc/snmp/snmpd.conf, /etc/hosts.allow,
& /etc/hosts.deny) it rejected connections from my cacti installation
residing on the network (the only IP allowed to connect to it based on the
tcp-wrapper's ACL). i also noticed that the syslog output was incorrect:

snmpd[$PID]: Connection from UDP: [$LOCAL_IP]->[$REMOTE_IP]:-13093 REFUSED

yes, the remote port is negative due to "%hd" in the packages'
snmplib/snmpUDPDomain.c, but is "%hu" upstream and fixed in the attached
patch.

PROBLEM
-------

snmpd improperly applies tcp-wrapper ACLs because it calls tcp-wrapper's
hosts_ctl (see netsnmp_agent_check_packet() in agent/snmp_agent.c) with its
local IP address as the "client_addr" (instead of the snmp client's remote
IP address) because of incorrect string assembly (see netsnmp_udp_fmtaddr()
in snmplib/snmpUDPDomain.c).

SOLUTION
--------

searching for snmpd bugs related to tcp wrappers, i found debian bug
#516801.  i downloaded and browsed the ubuntu source package, reviewed
agent/snmp_agent.c where tcp-wrappers' hosts_ctl() is called, backtracked
to snmplib/snmpUDPDomain.c where the string is constructed that
snmp_agent.c deconstructs for hosts_ctl(), and verified that upstream's
CVE-2008-6123 patch for v5.4 is still applicable (though compensating for
"%hd" in debian/ubuntu source).

i added the patch to the package using quilt, rebuilt the package,
installed it, and it works correctly:

snmpd[$PID]: Connection from UDP: [$REMOTE_IP]:53735->[$LOCAL_IP]

thanks for providing the net-snmp packages!

corey
-- 
undefi...@pobox.com
diff -urNpd net-snmp-5.4.2.1~dfsg0ubuntu1.orig/debian/changelog net-snmp-5.4.2.1~dfsg0ubuntu1/debian/changelog
--- net-snmp-5.4.2.1~dfsg0ubuntu1.orig/debian/changelog	2010-05-31 04:34:36.000000000 +0000
+++ net-snmp-5.4.2.1~dfsg0ubuntu1/debian/changelog	2010-05-31 05:15:33.000000000 +0000
@@ -1,3 +1,12 @@
+net-snmp (5.4.2.1~dfsg0ubuntu1-0ubuntu2.10.04.1) lucid-security; urgency=low
+
+  * SECURITY UPDATE: access restriction bypass
+    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516801
+    - http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&revision=17367
+    - CVE-2008-6123
+
+ -- Corey Wright <undefi...@pobox.com>  Mon, 31 May 2010 00:00:29 -0500
+
 net-snmp (5.4.2.1~dfsg0ubuntu1-0ubuntu2) lucid; urgency=low
 
   * Add apport hook (LP: #533603):
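Review bot: the new changelog entry names the references but not the change itself; the usual form for a SECURITY UPDATE entry also names the patch file and what it does, e.g. `- debian/patches/CVE-2008-6123.patch: put the remote address first in netsnmp_udp_fmtaddr() (snmplib/snmpUDPDomain.c) so hosts_ctl() is checked against the client, not the local address`, so a reader of the changelog does not have to open the patch to learn which binary and code path were affected.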
diff -urNpd net-snmp-5.4.2.1~dfsg0ubuntu1.orig/debian/patches/CVE-2008-6123.README net-snmp-5.4.2.1~dfsg0ubuntu1/debian/patches/CVE-2008-6123.README
--- net-snmp-5.4.2.1~dfsg0ubuntu1.orig/debian/patches/CVE-2008-6123.README	1970-01-01 00:00:00.000000000 +0000
+++ net-snmp-5.4.2.1~dfsg0ubuntu1/debian/patches/CVE-2008-6123.README	2010-05-31 05:22:04.000000000 +0000
@@ -0,0 +1 @@
+Patch from Corey Wright <undefi...@pobox.com> to address CVE-2008-6123 based on upstream patch set <http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&revision=17367>, specifically the patch for the 5.4 branch <http://net-snmp.svn.sourceforge.net/viewvc/net-snmp/branches/V5-4-patches/net-snmp/snmplib/snmpUDPDomain.c?r1=17367&r2=17366&pathrev=17367>.
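Review bot: a separate one-line README is easy to lose track of; the same provenance (author, upstream revision 17367, the V5-4-patches file diff, the Debian bug and the CVE) fits as DEP-3 headers (`Origin:`, `Bug-Debian:`, `Author:`, `Description:`) at the top of CVE-2008-6123.patch itself, where quilt and patch tooling carry it along with the diff and it cannot drift from the code it describes.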
diff -urNpd net-snmp-5.4.2.1~dfsg0ubuntu1.orig/debian/patches/CVE-2008-6123.patch net-snmp-5.4.2.1~dfsg0ubuntu1/debian/patches/CVE-2008-6123.patch
--- net-snmp-5.4.2.1~dfsg0ubuntu1.orig/debian/patches/CVE-2008-6123.patch	1970-01-01 00:00:00.000000000 +0000
+++ net-snmp-5.4.2.1~dfsg0ubuntu1/debian/patches/CVE-2008-6123.patch	2010-05-31 04:57:40.000000000 +0000
@@ -0,0 +1,18 @@
+--- a/snmplib/snmpUDPDomain.c
++++ b/snmplib/snmpUDPDomain.c
+@@ -104,12 +104,12 @@
+ 	char tmp[64];
+         to = (struct sockaddr_in *) &(addr_pair->remote_addr);
+         if (to == NULL) {
+-            sprintf(tmp, "UDP: [%s]->unknown",
++            sprintf(tmp, "UDP: unknown->[%s]",
+                     inet_ntoa(addr_pair->local_addr));
+         } else {
+-            sprintf(tmp, "UDP: [%s]->", inet_ntoa(addr_pair->local_addr));
+-            sprintf(tmp + strlen(tmp), "[%s]:%hd",
++            sprintf(tmp, "UDP: [%s]:%hu->",
+                     inet_ntoa(to->sin_addr), ntohs(to->sin_port));
++            sprintf(tmp + strlen(tmp), "[%s]", inet_ntoa(addr_pair->local_addr));
+         }
+         return strdup(tmp);
+     }
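Review bot: the two sprintf() calls into `tmp[64]` are unbounded; they only fit because an IPv4 dotted quad is at most 15 characters (worst case `UDP: [` + 15 + `]:` + 5 + `->[` + 15 + `]` is 47 bytes), so `snprintf(tmp, sizeof(tmp), ...)` and `snprintf(tmp + strlen(tmp), sizeof(tmp) - strlen(tmp), ...)` would state that margin instead of relying on it. Separately, the `if (to == NULL)` branch can never run, because `to` is the address of the embedded `remote_addr` member, so the rewritten `UDP: unknown->[%s]` line is untestable; harmless to keep for parity with upstream. The substantive change is right: the agent takes the first bracketed address as client_addr for hosts_ctl(), so the remote address now leads the string, and `%hu` stops ports above 32767 printing as negatives, as in the reported `:-13093`.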
diff -urNpd net-snmp-5.4.2.1~dfsg0ubuntu1.orig/debian/patches/series net-snmp-5.4.2.1~dfsg0ubuntu1/debian/patches/series
--- net-snmp-5.4.2.1~dfsg0ubuntu1.orig/debian/patches/series	2010-05-31 04:34:36.000000000 +0000
+++ net-snmp-5.4.2.1~dfsg0ubuntu1/debian/patches/series	2010-05-31 04:46:16.000000000 +0000
@@ -1,3 +1,4 @@
+CVE-2008-6123.patch
 02_statistics.patch
 03_makefiles.patch
 05_searchdirs.patch
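Review bot: the new patch is prepended to series rather than appended; that is only safe if none of 02_statistics.patch, 03_makefiles.patch or 05_searchdirs.patch touches snmplib/snmpUDPDomain.c (nothing in this hunk shows that, so it needs checking), and the usual practice for a security patch is to add it at the end so it applies on top of the existing stack and the other patches need no refresh.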

--- End Message ---
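To make the PROBLEM section concrete, here is an added example (not net-snmp's code and not part of the e-mail) that models netsnmp_udp_fmtaddr() before and after the attached patch and the bracket extraction the agent performs before hosts_ctl(). The struct, the sample addresses 192.0.2.10 and 198.51.100.7:52443 and the simplified parser are constructed assumptions based on the e-mail's description.

```c
/* Constructed model of netsnmp_udp_fmtaddr() before/after the CVE-2008-6123
 * fix and of the "[...]" parse done before hosts_ctl(). Not net-snmp code. */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
struct addr_pair {                  /* only the fields the patch uses */
    struct sockaddr_in remote_addr; /* the SNMP client */
    struct in_addr     local_addr;  /* snmpd's own address */
};

/* Constructed sample: snmpd on 192.0.2.10, client 198.51.100.7:52443. */
static const struct addr_pair *sample(void) {
    static struct addr_pair ap;
    inet_pton(AF_INET, "192.0.2.10", &ap.local_addr);
    inet_pton(AF_INET, "198.51.100.7", &ap.remote_addr.sin_addr);
    ap.remote_addr.sin_port = htons(52443);
    return &ap;
}

/* 1 = old Debian/Ubuntu text ("%hd", local first); 0 = patched text ("%hu"). */
static const char *fmt(int local_first) {
    static char s[64];
    char l[INET_ADDRSTRLEN], r[INET_ADDRSTRLEN];
    const struct addr_pair *ap = sample();
    int port = ntohs(ap->remote_addr.sin_port);  /* 52443 goes negative via %hd */
    inet_ntop(AF_INET, &ap->local_addr, l, sizeof l);
    inet_ntop(AF_INET, &ap->remote_addr.sin_addr, r, sizeof r);
    if (local_first)
        snprintf(s, sizeof s, "UDP: [%s]->[%s]:%hd", l, r, port);
    else
        snprintf(s, sizeof s, "UDP: [%s]:%hu->[%s]", r, port, l);
    return s;
}

/* The agent keeps whatever sits inside the first "[...]" as client_addr,
 * so with the old text the ACL is checked against snmpd's own address. */
static const char *client_of(const char *s) {
    static char c[INET_ADDRSTRLEN];
    const char *o = strchr(s, '['), *e = o ? strchr(o, ']') : NULL;
    if (!o || !e || (size_t)(e - o) > sizeof c) return "";
    memcpy(c, o + 1, e - o - 1); c[e - o - 1] = '\0';
    return c;
}

int main(void) {
    printf("old: %s => client_addr %s\n", fmt(1), client_of(fmt(1)));
    printf("new: %s => client_addr %s\n", fmt(0), client_of(fmt(0)));
}
```

Run as-is: the old line hands hosts_ctl() the local address 192.0.2.10 and prints the port as -13093, exactly the negative seen in the REFUSED syslog line; the patched line hands it the client address.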
