Title: Microsoft Windows NT & 2000 SNMP Registry Key Modification

Vulnerability

BID: 2066

Published: December 06, 2000

Vulnerable: Microsoft Windows NT 4.0

Microsoft Windows NT 4.0 Server

Microsoft Windows NT 4.0 Server, Enterprise Edition

Microsoft Windows NT 4.0 Server, Terminal Server Edition

Microsoft Windows NT 2000 Professional

Microsoft Windows NT 2000 Server

Microsoft Windows NT 2000 Advanced Server



Discussion:





The SNMP service in Windows NT 4.0 and 2000 enables the remote management

of the computer. Loose permissions in the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters

allow malicious users with access to the registry to read the SNMP

community names stored in the ValidCommunities key value. This allows the

malicious users to manage the computer via SNMP.



The malicious users could also change the community names by modifying

the registry key thus denying authorized users access to the machine

via SNMP.



Solution:



Microsoft has released a patch which rectifies this issue:





Microsoft Windows NT 4.0 Intel:

  Microsoft patch Q265714i

  http://download.microsoft.com/download/winntsp/Patch/Q266794/NT4/EN-US/Q265714i.EXE



Microsoft Windows NT 2000 Intel:

  Microsoft patch Q266794_W2K_SP2_x86_en

  http://download.microsoft.com/download/win2000platform/Patch/Q266794/NT5/EN-US/Q266794_W2K_SP2_x86_en.EXE



Credit:



Discovered by Chris Anley from @stake (http://www.atstake.com) and posted in a

Microsoft Security Bulletin (MS00-095) and (MS00-096) on Dec 6, 2000.



Reference:



http://www.securityfocus.com/bid/2066

http://www.microsoft.com/technet/security/bulletin/ms00-095.asp

http://www.microsoft.com/technet/security/bulletin/ms00-096.asp

http://www.microsoft.com/technet/security/bulletin/fq00-095.asp

http://www.microsoft.com/technet/security/bulletin/fq00-096.asp



--

Elias Levy

SecurityFocus.com

http://www.securityfocus.com/

Si vis pacem, para bellum