We have been researching various aspects of SNMP over the past 24 months, ranging from SNMP-leveraged data extraction techniques to attacking systems that rely heavily on SNMP data streams. We formed a hypothesis that a malicious actor might be able to deliver persistent XSS via SNMP data fields to a web-based management console, and NMSs appeared to be ideal target candidates for this line of research, given the way they operate.

Download and read the full report to learn about our key findings, including:

  • Network Management Systems (NMSs) are often designed with an implicit trust of managed assets, and this trust can be abused by an attacker.
  • Machine-to-machine communications tend to receive less inspection and sanitization than human-to-machine communications.
  • Attackers can passively attack NMSs simply by being present on the managed network.
  • Attackers can actively attack NMSs by specifically targeting SNMP trap alerts to NMSs.
  • While cross-site scripting is the primary focus of the research, exploiting format string vulnerabilities is also possible with these techniques.
  • Readers of the paper will also learn how to assess their own NMSs and other systems that consume SNMP data.

Managed to Mangled: SNMP Exploits for Network Management Systems

This Rapid7 report explores attacking Network Management Systems (NMSs) over the Simple Network Management Protocol (SNMP), a protocol used extensively by NMSs to manage and monitor a wide variety of networked devices. Three distinct attack vectors are explored:

  1. Passively injecting Cross-Site Scripting (XSS) attacks over SNMP agent-provided data, which is passed unprocessed from the SNMP service and rendered on an NMS web-based administration console.
  2. Actively injecting XSS attacks over SNMP trap alert messages intended for NMS consoles.
  3. Format string processing on the NMS web management console, when format strings are passed unprocessed from SNMP agent-provided data.
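The three vectors share one root cause: a value that arrived in an SNMP varbind (from a polled agent or from a trap) is treated as trusted and dropped into HTML or into a format string unchanged. The following is an added example, not code from the Rapid7 report or from any NMS, written from the assessment side the report mentions: it contrasts the flawed rendering with an escaped one and audits a set of varbinds for the two classes of content that matter here. The OIDs are the standard MIB-2 sysDescr and sysName; the varbind values are constructed for illustration, and the function names are assumptions of this example.

```python
import html
import re

# Standard MIB-2 OIDs for fields an NMS console commonly displays.
SYS_DESCR = "1.3.6.1.2.1.1.1.0"
SYS_NAME = "1.3.6.1.2.1.1.5.0"

# printf-style conversion specification: %s, %08x, %.2f, %n, %% ...
FORMAT_DIRECTIVE = re.compile(
    r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|q|L|j|z|t)?[diouxXeEfFgGaAcspn%]"
)
# Characters that change meaning when inserted into an HTML document.
HTML_META = re.compile(r'[<>"\'&]')


def render_unsafe(value: str) -> str:
    """Mirrors the flaw described above: SNMP data concatenated into HTML as-is."""
    return f"<td>{value}</td>"


def render_safe(value: str) -> str:
    """Same cell, but the SNMP-sourced value is HTML-escaped before rendering."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def audit_varbind(oid: str, value: str) -> list:
    """Return the risk classes present in one varbind value.

    'html-metacharacters' : value would alter markup if rendered unescaped
    'format-directive'    : value would alter a printf-style format string
    """
    findings = []
    if HTML_META.search(value):
        findings.append("html-metacharacters")
    if FORMAT_DIRECTIVE.search(value):
        findings.append("format-directive")
    return findings


def audit_varbinds(varbinds) -> list:
    """Audit (oid, value) pairs as a poll or a trap would deliver them.

    Returns only the varbinds that carry findings, as (oid, value, findings).
    """
    report = []
    for oid, value in varbinds:
        findings = audit_varbind(oid, value)
        if findings:
            report.append((oid, value, findings))
    return report


# Constructed sample varbinds (not captured from a real device).
SAMPLE_VARBINDS = [
    (SYS_DESCR, "Linux router1 5.10.0 #1 SMP x86_64"),          # benign
    (SYS_NAME, "core-sw<script>alert('x')</script>"),            # constructed markup
    (SYS_DESCR, "printer %s %n %08x"),                            # constructed directives
]

if __name__ == "__main__":
    for oid, value, findings in audit_varbinds(SAMPLE_VARBINDS):
        print(f"{oid}: {findings}")
        print("  unsafe:", render_unsafe(value))
        print("  safe:  ", render_safe(value))
```

The audit function is the piece worth reusing when assessing an NMS: point it at the varbinds your own collector stores and it tells you which fields would need escaping (or must never reach a format function) before they are rendered, regardless of whether they arrived by polling or by trap.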