Vulnerabilities > CVE-2007-3098 - Remote Denial of Service vulnerability in SNMPC Username/Password

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
castle-rock-computing
nessus
exploit available

Summary

The SNMPc Server (crserv.exe) process in Castle Rock Computing SNMPc before 7.0.19 allows remote attackers to cause a denial of service (crash) via a crafted packet to port 165/TCP.

Vulnerable Configurations

Part Description Count
Application
Castle_Rock_Computing
1

Exploit-Db

description: SNMPc <= 7.0.18 Remote Denial of Service Exploit (meta). CVE-2007-3098. Dos exploit for windows platform
file: exploits/windows/dos/4033.rb
id: EDB-ID:4033
last seen: 2016-01-31
modified: 2007-06-04
platform: windows
port:
published: 2007-06-04
reporter: En Douli
source: https://www.exploit-db.com/download/4033/
title: SNMPc <= 7.0.18 - Remote Denial of Service Exploit meta
type: dos

Nessus

NASL family: Windows
NASL id: SNMPC_CRSERV_LOGIN_DOS.NASL
description: The remote host is running SNMPc, a network management application for Windows. The version of SNMPc installed on the remote host reportedly will crash if a specially crafted logon packet is sent to its Management Server. An unauthenticated, remote attacker may be able to exploit this issue to crash the service and deny access to legitimate users.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 25424
published: 2007-06-05
reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/25424
title: SNMPc Management Server Login Packet Remote DoS
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description)
{
  # Registration stanza: when the scanner loads the plugin with `description`
  # set, only the metadata below is declared and the script exits (see the
  # exit(0) at the end of this block) before any SMB or registry activity.

  # Plugin identity and revision.
  script_id(25424);
  script_version("1.18");
  script_cvs_date("Date: 2018/07/30 15:31:32");

  # Cross-references used to correlate this finding with other advisories.
  script_cve_id("CVE-2007-3098");
  script_bugtraq_id(24292);
  script_xref(name:"EDB-ID", value:"4033");

  script_name(english:"SNMPc Management Server Login Packet Remote DoS");
  # The summary states how the check works: it inspects the version of
  # crserv.exe; it does not send a logon packet to the Management Server.
  script_summary(english:"Checks version of SNMPc's crserv.exe");

  # Report text shown to the operator. Continuation lines of the string
  # literals start at column 0 so that no indentation ends up in the output.
  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains an application that is susceptible to
a denial of service attack.");
  script_set_attribute(attribute:"description", value:
"The remote host is running SNMPc, a network management application for
Windows.

The version of SNMPc installed on the remote host reportedly will
crash if a specially crafted logon packet is sent to its Management
Server. An unauthenticated, remote attacker may be able to exploit
this issue to crash the service and deny access to legitimate users.");
  script_set_attribute(attribute:"solution", value:
"Upgrade to SNMPc Management Server version 7.0.19 or later as that is
supposed to address the issue.");

  # CVSS v2 base vector: network-reachable, low complexity, no authentication,
  # availability impact only (partial) -- i.e. a remote crash, with no
  # confidentiality or integrity impact claimed.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  # CVSS v2 temporal vector: proof-of-concept exploit code, official fix
  # available, report confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/06/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/06/05");

  # "local": the verdict comes from data read off the host (registry and file
  # version over SMB), not from probing the SNMPc service itself.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  # Scheduling information: an information-gathering check that needs the
  # registry to have been enumerated and an SMB port (139 or 445) to be open.
  # Without working SMB credentials the check cannot produce a result.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}


include("smb_func.inc");
include("audit.inc");


# Establish an authenticated SMB session and attach to IPC$, which the
# remote-registry queries further down are issued over.
#
# The check only proceeds when an earlier plugin recorded that the registry
# could be enumerated; otherwise it exits without reporting anything.
if (!get_kb_item("SMB/Registry/Enumerated"))
{
  exit(0);
}

# SMB connection parameters and credentials, taken from the knowledge base.
# `port` is reused later as the port the finding is reported against;
# `name` is not referenced again in this script.
name    =  kb_smb_name();
port    =  kb_smb_transport();
login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();



# A failed session setup is surfaced through audit() rather than a bare exit.
if (!smb_session_init())
{
  audit(AUDIT_FN_FAIL, 'smb_session_init');
}

rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
  # Could not attach to IPC$: release the session and stop. The exit is
  # silent, so a host where this step fails produces no finding and looks the
  # same in the results as a host that is not affected.
  NetUseDel();
  exit(0);
}


# Open HKEY_LOCAL_MACHINE on the remote host and read the SNMPc install
# directory from the product's registry key. `path` stays NULL when the key
# or its "Dir" value is absent, which the rest of the script treats as
# "SNMPc not installed".
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  # Remote registry not reachable: release the SMB session and stop silently.
  NetUseDel();
  exit(0);
}


path = NULL;

# NOTE(review): only this single key path is queried. An install registered
# under a different registry view or key would not be found and the host
# would be skipped without any output -- confirm against the supported
# SNMPc / Windows combinations.
reg_key = "SOFTWARE\Castle Rock Computing\SNMPc Network Manager";
reg_key_h = RegOpenKey(handle:hklm, key:reg_key, mode:MAXIMUM_ALLOWED);
if (!isnull(reg_key_h))
{
  dir_value = RegQueryValue(handle:reg_key_h, item:"Dir");
  if (!isnull(dir_value))
  {
    # Element 1 of the query result is used as the directory string.
    path = dir_value[1];
  }

  RegCloseKey(handle:reg_key_h);
}
# The hive handle is closed whether or not the product key was found.
RegCloseKey(handle:hklm);


# If an install directory was found, read the file version of crserv.exe over
# SMB and report the host when that version is lower than 7.0.19.0.
#
# This is a version comparison only: nothing is sent to the SNMPc service, so
# the check cannot crash it, but the result is only as good as the file
# version resource and the SMB access it relies on.
if (path)
{
  # Turn "X:\dir" into the administrative share "X$" and the share-relative
  # file name "\dir\crserv.exe".
  # NOTE(review): a registry value ending in a backslash would produce a
  # doubled separator in `exe`, and a value that does not start with a drive
  # letter is passed through unchanged -- confirm how the open below copes.
  share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
  exe =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\crserv.exe", string:path);

  # Detach from the current share but keep the session (close:FALSE), then
  # attach to the drive share that holds the executable.
  NetUseDel(close:FALSE);

  rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
  if (rc != 1)
  {
    # No access to the drive share (for example, the account lacks the
    # rights for administrative shares): stop without reporting anything.
    NetUseDel();
    exit(0);
  }

  # Open the binary read-only; it must already exist.
  fh = CreateFile(
    file:exe,
    desired_access:GENERIC_READ,
    file_attributes:FILE_ATTRIBUTE_NORMAL,
    share_mode:FILE_SHARE_READ,
    create_disposition:OPEN_EXISTING
  );
  if (!isnull(fh))
  {
    ver = GetFileVersion(handle:fh);
    CloseFile(handle:fh);
  }

  # `ver` is only assigned when the file could be opened; if it is still
  # unset here the comparison is skipped and no finding is produced.
  if (!isnull(ver))
  {
    # First fixed release, as four integer components.
    fix = split("7.0.19.0", sep:'.', keep:FALSE);
    for (i=0; i<4; i++)
    {
      fix[i] = int(fix[i]);
    }

    # Compare component by component, most significant first; the first
    # component that differs decides the outcome.
    older = FALSE;
    for (i=0; i<max_index(ver); i++)
    {
      if (ver[i] < fix[i])
      {
        older = TRUE;
        break;
      }
      if (ver[i] > fix[i])
      {
        break;
      }
    }

    if (older)
    {
      # nb: only the first 3 parts seem to be reported to end-users.
      version = string(ver[0], ".", ver[1], ".", ver[2]);

      report = string(
        "SNMPc's Management Server version ", version, " is installed under :\n",
        "\n",
        "  ", path, "\n"
      );
      security_warning(port:port, extra:report);
    }
  }
}


# Clean up: release the SMB share connection on the normal exit path. The
# early-exit branches above call NetUseDel() themselves before exit(0), so
# every path that attached to a share also detaches from it.
NetUseDel();