J. Davin
14 February 2002
This report describes the application to the MIT SNMP Development Kit of a suite of tests recently published by the PROTOS project of the Secure Programming Group at the University of Oulu in Finland. The university report on the test suites is associated with an advisory from the Computer Emergency Response Team Coordination Center (CERT/CC). Results reported here support the conclusion that the MIT SNMP Development Kit is not vulnerable to the attacks exercised by the PROTOS test suite. Accordingly, although a number of implementations of the SNMP may manifest some of the vulnerabilities tested by the PROTOS suite, the tested vulnerabilities are not intrinsic to the design of the Version 1 protocol.
The MIT SNMP Development Kit (SNMP DK) is a body of software designed to make the fabrication of network management applications as easy as possible; it is not a complete suite of ready-to-use network management tools.
A few, simplistic management tools (e.g., a rudimentary SNMP agent, a rudimentary SNMP trap collector) are provided, and these are not entirely without use. However, their function is more one of illustrating the use of the Development Kit libraries and verifying its behavior: they represent none of the sophistication of the applications that the Development Kit is designed to support.
C Language source code is provided for all components of the Development Kit. The library that realizes the greatest part of the Development Kit functionality depends exclusively on materials supplied in the distribution, and so it will most likely compile in any environment.
The behavior of applications built from the Development Kit is believed in good faith to conform to RFC 1067. Applications built from the Development Kit successfully interoperate with at least two other, independent SNMP implementations.
The most recent release of the MIT SNMP DK is that of January, 1990. It is available at ftp://ftp.lcs.mit.edu/nets/snmpdk.tar.Z
The baseline SNMP DK was ported to a Mandrake Linux 2.4.3 platform. In order to simplify the porting task, only two MIB-I objects (sysDescr and sysObjectId) were retained; all other MIB objects were eliminated from the agent application. In order to facilitate use of the PROTOS test suite, support for the MIB-II object sysName was added to the agent application.
Porting the SNMP DK to the Linux 2.4.3 platform entailed the following changes to the baseline distribution:
In order to facilitate injection of test cases, two new applications were constructed using services of the SNMP DK library. The testreq command sends a PDU contained in a specified file to a specified SNMP agent and awaits its response. The testtrap command sends a PDU contained in a specified file to a specified SNMP trap collector application and immediately terminates.
Each collection of test materials was unzipped into a Unix directory from which those materials were accessible by the test injection applications and other testing scripts. See the section of the university report entitled Using without Java.
PDU length measurements reported below were made by invoking the following Unix command in the directory containing the test PDUs:
```sh
/bin/ls -l | formatlen.awk | lenstat.awk
```
For test collections involving SNMP requests to the SNMP DK agent, the actual test trials were conducted using a shell script named oulutests.sh. The success of each trial was verified by immediately afterwards applying the nominal test case 00000000 and observing the agent response. Resulting log files were summarized by the script summary.awk.
For test collections involving SNMP trap requests to the SNMP DK trap collector application, the actual test trials were conducted using the oulutraps.sh shell script. The receipt of each trial PDU was verified by observing debugging log messages emitted by that application. Because the trap test injection application does not wait for any response from the trap collection agent, a delay of 1 second is introduced between individual trials in order to minimize the loss of PDUs owing to internal buffer overflows at the receiving system.
In order to count PDUs received by the trap collector agent during its processing of a particular test collection, the following Unix command is applied to the relevant log file emitted by that agent:
```sh
grep RECEIVED: logfile | wc
```
Similarly, in order to count PDUs received, accepted, and formally logged by the trap collector agent during its processing of a particular test collection, the following Unix command is applied to the relevant log file emitted by that agent:
```sh
grep Command: logfile | wc
```
In order to count PDUs directed to the trap collector agent during its processing of a particular test collection, the following Unix command is applied to the log file emitted by the test injection script:
```sh
grep testtrap logfile | wc
```
For tests involving SNMP trap requests to the SNMP DK trap collector application, the success of each trial is verified by continued processing of received PDUs by that application.
The script rxmatch.awk extracts received PDUs from the RECEIVED: lines of a log file emitted by the SNMP DK trap collector application and attempts to identify each such received PDU within the sequence of trials in a test collection. The output of this script is a list of the matched PDUs. The rxmatch.awk script terminates abnormally if it encounters a log record that does not correspond to any PDU in the test collection. The script skip.awk is applied to the output of the rxmatch.awk script in order to identify PDUs in a test collection that were never received by the relevant SNMP DK agent.
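The counting and matching steps described above, written out as an added Python example rather than the report's own awk scripts. The log line formats (`RECEIVED: <hex>` and `Command: ...` from the trap collector, `testtrap <trial>.pdu ...` from the injection script) and the four-trial test collection are constructed assumptions, not PROTOS data; matching walks the collection in trial order so that a trial whose PDU never appears in the log is reported as skipped.

```python
"""Log analysis for a trap-injection run (added example, not the report's scripts).

Assumed log formats:
  trap collector : one "RECEIVED: <hex>" line per datagram seen,
                   one "Command: ..." line per PDU accepted and logged
  injection script: one "testtrap <trial>.pdu <host>" line per trial
"""

# Constructed test collection: trial id -> PDU bytes (not real PROTOS material).
COLLECTION = {
    "00000000": bytes.fromhex("300602010004"),    # nominal case
    "00000001": bytes.fromhex("3006020100ff04"),
    "00000002": bytes.fromhex("30ff"),            # never seen by the collector
    "00000003": bytes.fromhex("300602010104"),
}

# Constructed trap-collector log: three datagrams seen, two accepted.
COLLECTOR_LOG = """\
RECEIVED: 300602010004
Command: trap from 192.0.2.10 accepted
RECEIVED: 3006020100ff04
RECEIVED: 300602010104
Command: trap from 192.0.2.10 accepted
"""

# Constructed injection-script log: four trials sent.
INJECT_LOG = """\
testtrap 00000000.pdu 192.0.2.1
testtrap 00000001.pdu 192.0.2.1
testtrap 00000002.pdu 192.0.2.1
testtrap 00000003.pdu 192.0.2.1
"""


def count_lines(log, needle):
    """Equivalent of `grep <needle> logfile | wc -l`."""
    return sum(1 for line in log.splitlines() if needle in line)


def rxmatch(log, collection):
    """Identify each RECEIVED: PDU within the ordered sequence of trials.

    Walks the trials in order, so a trial skipped on the wire is simply
    passed over.  Raises ValueError (abnormal termination) when a log
    record matches no remaining trial.
    """
    trials = sorted(collection)
    next_idx = 0
    matched = []
    for line in log.splitlines():
        if not line.startswith("RECEIVED:"):
            continue
        pdu = bytes.fromhex(line.split(":", 1)[1].strip())
        for idx in range(next_idx, len(trials)):
            if collection[trials[idx]] == pdu:
                matched.append(trials[idx])
                next_idx = idx + 1
                break
        else:
            raise ValueError(f"log record matches no remaining trial: {line}")
    return matched


def skipped(collection, matched):
    """Trials in the collection that never appeared among the received PDUs."""
    seen = set(matched)
    return [trial for trial in sorted(collection) if trial not in seen]


if __name__ == "__main__":
    print("directed:", count_lines(INJECT_LOG, "testtrap"))
    print("received:", count_lines(COLLECTOR_LOG, "RECEIVED:"))
    print("accepted:", count_lines(COLLECTOR_LOG, "Command:"))
    got = rxmatch(COLLECTOR_LOG, COLLECTION)
    print("matched:", got)
    print("never received:", skipped(COLLECTION, got))
```

The three counts correspond to the three grep commands above; the difference between the directed and received counts is the number of PDUs lost before the collector, and `skipped` names which trials they were.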
Results presented in the subsections below support the conclusion that the MIT SNMP Development Kit is not vulnerable to the attacks exercised by the PROTOS test suite. Results are summarized in Table 1. None of the tests in the PROTOS suite caused the receiving SNMP entity to fail.
The success of the SNMP DK agent and trap collection application in the face of these trials may be partly explained by the fact that they process only the first 2048 octets of any received UDP datagram. If the embedded ASN.1 parser does not accept a complete SNMP PDU after processing the first 2048 octets of a received UDP datagram, then that datagram is discarded without further processing. For each of the test collections, Table 1 presents the number of test PDUs that exceed 2048 octets in length, and this number represents a significant fraction of "rejections" -- trials that did not result in any response from the agent or trap collection application.
For each of the test collections, more detailed study of individual test cases is required to determine whether or not any of the PDUs that were not accepted by the relevant SNMP application should have been accepted. For example, some of the test PDUs may have been rejected by the relevant SNMP DK application because, by an accident of signed arithmetic, the ASN.1 parser embedded in the SNMP DK consistently rejects individual ASN.1 elements with Definite Length encodings that exceed 32767 octets. However, even if verified, excessively conservative behavior by the tested applications must, in this context, be regarded as inconvenience rather than vulnerability.
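The two guards described in the preceding paragraphs (examining only the first 2048 octets of a datagram, and refusing any ASN.1 element whose definite length cannot fit in the remaining buffer) as an added Python illustration. This is not SNMP DK source code; the optional 32767-octet ceiling is an assumed model of the signed-arithmetic quirk the report mentions, included to show how the over-conservative variant differs from the bounds check that actually prevents over-reads.

```python
"""Bounded BER element parsing (added example, not SNMP DK code).

MAX_DATAGRAM models the 2048-octet window the report describes.
SHORT_MAX is an assumption: a length held in a signed 16-bit value
would reject anything above 32767 octets, as the report observes.
"""

MAX_DATAGRAM = 2048   # octets of a received datagram that are examined
SHORT_MAX = 32767     # assumed ceiling from holding a length in a C short


def decode_length(buf, pos, ceiling=None):
    """Decode a BER definite length at buf[pos]; return (length, pos_after).

    Rejects the indefinite form (0x80), a length-of-length above 4 octets,
    truncated encodings, and, when `ceiling` is given, any larger length.
    """
    if pos >= len(buf):
        raise ValueError("truncated: no length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form: one octet
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length not permitted in SNMP")
    else:                                  # long form: (first & 0x7F) octets follow
        n = first & 0x7F
        if n > 4:
            raise ValueError("length-of-length too large")
        if pos + n > len(buf):
            raise ValueError("truncated: length octets missing")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if ceiling is not None and length > ceiling:
        raise ValueError(f"length {length} exceeds ceiling {ceiling}")
    return length, pos


def parse_tlv(buf, pos=0, ceiling=None):
    """Parse one tag-length-value element bounded by buf; return (tag, value, pos_after)."""
    if pos >= len(buf):
        raise ValueError("truncated: no tag octet")
    tag = buf[pos]
    length, pos = decode_length(buf, pos + 1, ceiling)
    remaining = len(buf) - pos
    if length > remaining:                 # the bound that prevents reading past the buffer
        raise ValueError(f"declared length {length} exceeds remaining {remaining} octets")
    return tag, buf[pos:pos + length], pos + length


def accept_datagram(datagram, ceiling=None):
    """True if the outer SEQUENCE parses within the first MAX_DATAGRAM octets,
    False if the datagram would be discarded without further processing."""
    window = datagram[:MAX_DATAGRAM]
    try:
        tag, _value, _end = parse_tlv(window, 0, ceiling)
    except ValueError:
        return False
    return tag == 0x30                     # SEQUENCE tag of an SNMP message


if __name__ == "__main__":
    # Constructed inputs: a small well-formed SEQUENCE, one declaring 65000
    # octets, and one using the indefinite form.
    small = bytes.fromhex("300602010004016 1".replace(" ", ""))
    huge = b"\x30\x82\xfd\xe8" + b"\x00" * 65000
    indefinite = b"\x30\x80\x00\x00"
    for name, d in [("small", small), ("huge", huge), ("indefinite", indefinite)]:
        print(name, "accepted" if accept_datagram(d) else "discarded")
```

A 40000-octet element is the case where the two guards diverge: against a buffer that really holds it, `parse_tlv(buf)` succeeds, while `parse_tlv(buf, 0, SHORT_MAX)` rejects it, which is the inconvenience-rather-than-vulnerability behaviour the report describes.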
Table 1. Summary of PROTOS test results against the MIT SNMP DK (PDU lengths in octets).

| Test Collection | Trials | Rejections | Minimum PDU Length | Mean PDU Length | Maximum PDU Length | PDUs > 2048 octets |
|---|---|---|---|---|---|---|
| c06-snmpv1-req-app-r1 | 10601 | 3994 | 27 | 4129 | 65021 | 2672 |
| c06-snmpv1-req-enc-r1 | 18915 | 17203 | 2 | 5297 | 64083 | 3509 |
| c06-snmpv1-trap-app-r1 | 15323 | 5411 | 44 | 4316 | 65041 | 3297 |
| c06-snmpv1-trap-enc-r1 | 8777 | 8012 | 2 | 5705 | 64100 | 1738 |
For the c06-snmpv1-req-app-r1 collection of test materials, all 10601 trials were completed without any untoward effect on the SNMP agent under test. Of these, 3994 trials did not result in any response from the agent as a result of the test PDU. For all but 5 trials in the collection, the agent responded correctly to an immediately succeeding application of the nominal test case. In 5 of the 10601 trials (00002721, 00002732, 00003544, 00003549, and 00003550), no agent response was observed for the immediately following nominal test case, but these failures were attributed to packet loss on the local area network. In order to confirm this packet loss hypothesis, the 5 trials in question were individually repeated with successful results.
For the c06-snmpv1-req-enc-r1 collection of test materials, all 18915 trials were completed without any untoward effect on the SNMP agent under test. Of these, 17203 trials did not result in any response from the agent as a result of the test PDU. For all trials in the collection, the agent responded correctly to an immediately succeeding application of the nominal test case.
For the c06-snmpv1-trap-app-r1 collection of test materials, all 15323 trials were completed without any untoward effect on the SNMP trap collection agent under test. Of the 15323 trial PDUs directed at the SNMP trap collection agent, 15316 were observably delivered to the agent, and 7 were not delivered owing to a limitation in the TCP/IP implementation of the Linux 2.4.3 platform. Of the 15316 PDUs that were delivered, 9912 trials presented PDUs that were accepted and formally logged by the trap collection application. The remaining 5404 trials presented PDUs that, albeit observably received by the trap collection agent, were not accepted and formally logged by that application. In no case did processing of any received PDU observably disrupt subsequent operation of the trap collection agent.
The 7 test PDUs that were not delivered to the agent (00006411, 00006445, 00010801, 00010835, 00013046, 00015241, and 00015291) are, at 65041 octets in length, the largest PDUs in the test collection. Recognizing that the SNMP DK trap collection agent processes only the first 2048 octets of any received datagram, special trials were contrived for these 7 test PDUs in order to verify that, even if they had been delivered to the agent, no untoward effects would be observed. To this end, the first 64000 octets of each of the 7 PDUs were transmitted to the SNMP DK trap collection agent, and each was rejected during ASN.1 parsing owing to the presence of Definite Length ASN.1 elements longer than 32767 octets.
For the c06-snmpv1-trap-enc-r1 collection of test materials, all 8777 trials were completed without any untoward effect on the SNMP trap collection agent under test. Of these, 765 trials presented PDUs that were received, accepted, and formally logged by the trap collection application. The remaining 8012 trials presented PDUs that, albeit observably received by the trap collection agent, were not accepted and formally logged by that application. In no case did processing of any received PDU observably disrupt subsequent operation of the trap collection agent.