-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi 3APA3A,

That's a good question, and here is my answer from the draft version of
an upcoming paper I'm working on:

"
Gaining SNMP write access to a device is already a compromise on its own
and usually considered a potential high risk security issue. Therefore,
one could argue that there is no point in launching an SNMP injection
attack when we can already change system settings via the SNMP write
community string. You might be wondering: why bother injecting an
HTML/JavaScript payload on the web console through SNMP when I can change
system parameters via SNMP alone?

In reality however, when a valid SNMP write community is identified, we
find that many OIDs cannot be changed due to read-only settings enforced
on that particular object. Instead, we are restricted to only being able
to change a limited number of OIDs. What OIDs can be modified with an SNMP
write community string depends on two factors:

- Specific vendor implementation of SNMP write permissions
- SNMP RFCs

By being able to change a limited number of OIDs via an SNMP write
community string, the attacker might be able to DoS the device by
crippling its configuration settings or even deface some banners.
However, a serious attacker is ultimately interested in gaining full
access (admin/root) to the target device. Since identifying a valid SNMP
write community string might not be enough to accomplish such a goal, it
makes sense to resort to SNMP injection.
"

Hope that helps.

Regards,
ap.

Vladimir '3APA3A' Dubrovin wrote:
> Dear ProCheckUp Research,
>
> What can you achieve with script injection you can not achieve with
> SNMP write access?
>
> --Thursday, October 9, 2008, 5:02:44 PM, you wrote to bugtraq@xxxxxxxxxxxxxxxxx:
>
> PR> $ snmpset -v1 -c public 192.168.1.100 sysName.0 s
> '">><script>alert(1)</script>'
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFI7xPVoR/Hvsj3i8sRAlIUAJ9ZWNliZ18Akibq0R7XuHSDMiPCsQCdGZi8
Hrr0hjnddyfu+8pUqKeJcXk=
=UIm8
-----END PGP SIGNATURE-----
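
The defensive side of the point made in this message, as an added example that is not part of the original post or of any vendor's code: a management console that treats SNMP-sourced strings as untrusted input, shown beside the unencoded rendering that makes the injection possible. The function names, the HTML layout, and the use of sysContact.0 and sysLocation.0 alongside sysName.0 are assumptions made for illustration.

```python
import html
import re

# System-group objects defined as read-write in RFC 1213 / RFC 3418.
# Assumption: the console displays these three values on a status page.
DISPLAYED_OIDS = ("sysName.0", "sysContact.0", "sysLocation.0")

# Characters that let a value break out of HTML text or attribute context.
MARKUP = re.compile(r"[<>\"'&]")


def render_unsafe(snmp_values):
    """The flawed pattern: SNMP strings concatenated straight into the page."""
    rows = "".join(
        f'<tr><td>{oid}</td><td><input value="{snmp_values.get(oid, "")}"></td></tr>'
        for oid in DISPLAYED_OIDS
    )
    return f"<table>{rows}</table>"


def render_safe(snmp_values):
    """Same page, with every SNMP-sourced string encoded before output."""
    rows = "".join(
        f'<tr><td>{oid}</td><td><input value="'
        f'{html.escape(snmp_values.get(oid, ""), quote=True)}"></td></tr>'
        for oid in DISPLAYED_OIDS
    )
    return f"<table>{rows}</table>"


def audit(snmp_values):
    """Return the OIDs whose stored value contains markup characters."""
    return [oid for oid in DISPLAYED_OIDS if MARKUP.search(snmp_values.get(oid, ""))]


# Constructed sample: values as a console would read them back from the agent,
# with sysName.0 holding the string from the snmpset line quoted in the thread.
SAMPLE = {
    "sysName.0": '">><script>alert(1)</script>',
    "sysContact.0": "noc@example.com",
    "sysLocation.0": "Rack 12, Row B",
}

if __name__ == "__main__":
    print("values needing review:", audit(SAMPLE))
    print(render_safe(SAMPLE))
```

Encoding at output time covers values set through any channel, while the audit function gives operators a way to spot devices whose stored strings already contain markup.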