/* SNMP protocol handler This module does two primary things: #1 track sequence number Like TCP, we can use seqno-cookies to match requrests with replies. All SNMP packets have a "request-id" field to match requests with replies, so we can fill this in with our cookies This requires any SNMP template to reserve 4 bytes for this field. #2 parse the response This code will report any OIDs in the response along with their values. However, you should probably hard-code a "MIB" so that we can translate OIDs into shorter names as well as format their values correctly. You can look at sysName and sysDescr for an example of how this works. NOTES for IDS LULZ: The default template packet is designed to evade IDS that looks for OIDS, but inserting "nul" bytes into the OID. This is the difference between "pattern-matching" IDS and "protocol-analysis" IDS: those using protocol-analysis decodes the entire protocol, whereas pattern-matchers don't. How protocol-analysis works is demonstrated in this module, as it has to analyze the SNMP protocol itself in order to decode responses. It can handle responses that that have the deliberate "nul" insertion technique, as shown in the self-test. One of the useful tricks is to exploit DFA pattern matches. In this case, the DFA pattern-matcher that ultimately matches on the OIDs has been tweaked to handle the nuls as part of the pattern-matching process. */ #include "proto-snmp.h" #include #include #include "smack.h" #include "util-safefunc.h" #include "output.h" #include "masscan-app.h" #include "proto-preprocess.h" #include "proto-banner1.h" #include "syn-cookie.h" #include "massip-port.h" static struct SMACK *global_mib; /**************************************************************************** * We parse an SNMP packet into this structure ****************************************************************************/ struct SNMP { uint64_t version; uint64_t pdu_tag; const unsigned char *community; uint64_t community_length; uint64_t request_id; uint64_t error_index; uint64_t error_status; }; /**************************************************************************** * This is the "compiled MIB" essentially. At program startup, we compile * this into an OID tree. We use this to replace OIDs with names. ****************************************************************************/ static struct SnmpOid { const char *oid; const char *name; } mib[] = { {"43.1006.51.341332", "selftest"}, /* for regression test */ {"43", "iso.org"}, {"43.6", "dod"}, {"43.6.1", "inet"}, {"", "mgmt"}, {"", "mib2"}, {"", "sys"}, {"", "sysDescr"}, {"", "sysObjectID"}, {"", "sysUpTime"}, {"", "sysContact"}, {"", "sysName"}, {"", "sysLocation"}, {"", "sysServices"}, {"", "priv"}, {"", "enterprise"}, {"", "okidata"}, {0,0}, }; /**************************************************************************** * An ASN.1 length field has two formats. * - if the high-order bit of the length byte is clear, then it * encodes a length between 0 and 127. * - if the high-order bit is set, then the length byte is a * length-of-length, where the low order bits dictate the number of * remaining bytes to be used in the length. ****************************************************************************/ static uint64_t asn1_length(const unsigned char *px, uint64_t length, uint64_t *r_offset) { uint64_t result; /* check for errors */ if ( (*r_offset >= length) || ((px[*r_offset] & 0x80) && ((*r_offset) + (px[*r_offset]&0x7F) >= length))) { *r_offset = length; return 0xFFFFffff; } /* grab the byte's value */ result = px[(*r_offset)++]; if (result & 0x80) { unsigned length_of_length = result & 0x7F; if (length_of_length == 0) { *r_offset = length; return 0xFFFFffff; } result = 0; while (length_of_length) { result = result * 256 + px[(*r_offset)++]; if (result > 0x10000) { *r_offset = length; return 0xFFFFffff; } length_of_length--; } } return result; } /**************************************************************************** * Extract an integer. Note ****************************************************************************/ static uint64_t asn1_integer(const unsigned char *px, uint64_t length, uint64_t *r_offset) { uint64_t int_length; uint64_t result; if (px[(*r_offset)++] != 0x02) { *r_offset = length; return 0xFFFFffff; } int_length = asn1_length(px, length, r_offset); if (int_length == 0xFFFFffff) { *r_offset = length; return 0xFFFFffff; } if (*r_offset + int_length > length) { *r_offset = length; return 0xFFFFffff; } if (int_length > 20) { *r_offset = length; return 0xFFFFffff; } result = 0; while (int_length--) result = result * 256 + px[(*r_offset)++]; return result; } /**************************************************************************** ****************************************************************************/ static unsigned asn1_tag(const unsigned char *px, uint64_t length, uint64_t *r_offset) { if (*r_offset >= length) return 0; return px[(*r_offset)++]; } /**************************************************************************** ****************************************************************************/ static uint64_t next_id(const unsigned char *oid, unsigned *offset, uint64_t oid_length) { uint64_t result = 0; while (*offset < oid_length && (oid[*offset] & 0x80)) { result <<= 7; result |= oid[(*offset)++]&0x7F; } if (*offset < oid_length) { result <<= 7; result |= oid[(*offset)++]&0x7F; } return result; } /**************************************************************************** ****************************************************************************/ static void snmp_banner_oid(const unsigned char *oid, size_t oid_length, struct BannerOutput *banout) { unsigned i; size_t id; unsigned offset; unsigned state; size_t found_id = SMACK_NOT_FOUND; size_t found_offset = 0; /* * Find the var name */ state = 0; for (offset=0; offset= oid_length) break; snprintf(foo, sizeof(foo), ".%" PRIu64 "", x); banout_append(banout, PROTO_SNMP, foo, strlen(foo)); } } /**************************************************************************** ****************************************************************************/ static void snmp_banner(const unsigned char *oid, size_t oid_length, uint64_t var_tag, const unsigned char *var, size_t var_length, struct BannerOutput *banout) { size_t i; banout_newline(banout, PROTO_SNMP); /* print the OID */ snmp_banner_oid(oid, oid_length, banout); banout_append_char(banout, PROTO_SNMP, ':'); switch (var_tag) { case 2: { char foo[32]; uint64_t result = 0; for (i=0; i outer_length + offset) length = outer_length + offset; /* Version */ snmp->version = asn1_integer(px, length, &offset); if (snmp->version != 0) return; /* Community */ if (asn1_tag(px, length, &offset) != 0x04) return; snmp->community_length = asn1_length(px, length, &offset); snmp->community = px+offset; offset += snmp->community_length; /* PDU */ snmp->pdu_tag = asn1_tag(px, length, &offset); if (snmp->pdu_tag < 0xA0 || 0xA5 < snmp->pdu_tag) return; outer_length = asn1_length(px, length, &offset); if (length > outer_length + offset) length = outer_length + offset; /* Request ID */ snmp->request_id = asn1_integer(px, length, &offset); *request_id = (unsigned)snmp->request_id; snmp->error_status = asn1_integer(px, length, &offset); snmp->error_index = asn1_integer(px, length, &offset); /* Varbind List */ if (asn1_tag(px, length, &offset) != 0x30) return; outer_length = asn1_length(px, length, &offset); if (length > outer_length + offset) length = outer_length + offset; /* Var-bind list */ while (offset < length) { uint64_t varbind_length; uint64_t varbind_end; if (px[offset++] != 0x30) { break; } varbind_length = asn1_length(px, length, &offset); if (varbind_length == 0xFFFFffff) break; varbind_end = offset + varbind_length; if (varbind_end > length) { return; } /* OID */ if (asn1_tag(px,length,&offset) != 6) return; else { uint64_t oid_length = asn1_length(px, length, &offset); const unsigned char *oid = px+offset; uint64_t var_tag; uint64_t var_length; const unsigned char *var; offset += oid_length; if (offset > length) return; var_tag = asn1_tag(px,length,&offset); var_length = asn1_length(px, length, &offset); var = px+offset; offset += var_length; if (offset > length) return; if (var_tag == 5) continue; /* null */ snmp_banner(oid, (size_t)oid_length, var_tag, var, (size_t)var_length, banout); } } } /**************************************************************************** ****************************************************************************/ unsigned snmp_set_cookie(unsigned char *px, size_t length, uint64_t seqno) { uint64_t offset=0; uint64_t outer_length; uint64_t version; uint64_t tag; uint64_t len; /* tag */ if (asn1_tag(px, length, &offset) != 0x30) return 0; /* length */ outer_length = asn1_length(px, length, &offset); if (length > outer_length + offset) length = (size_t)(outer_length + offset); /* Version */ version = asn1_integer(px, length, &offset); if (version != 0) return 0; /* Community */ if (asn1_tag(px, length, &offset) != 0x04) return 0; offset += asn1_length(px, length, &offset); /* PDU */ tag = asn1_tag(px, length, &offset); if (tag < 0xA0 || 0xA5 < tag) return 0; outer_length = asn1_length(px, length, &offset); if (length > outer_length + offset) length = (size_t)(outer_length + offset); /* Request ID */ asn1_tag(px, length, &offset); len = asn1_length(px, length, &offset); switch (len) { case 0: return 0; case 1: px[offset+0] = (unsigned char)(seqno>>0)&0x7F; return seqno & 0x7F; case 2: px[offset+0] = (unsigned char)(seqno>>8)&0x7F; px[offset+1] = (unsigned char)(seqno>>0); return seqno & 0x7fff; case 3: px[offset+0] = (unsigned char)(seqno>>16)&0x7F; px[offset+1] = (unsigned char)(seqno>>8); px[offset+2] = (unsigned char)(seqno>>0); return seqno & 0x7fffFF; case 4: px[offset+0] = (unsigned char)(seqno>>24)&0x7F; px[offset+1] = (unsigned char)(seqno>>16); px[offset+2] = (unsigned char)(seqno>>8); px[offset+3] = (unsigned char)(seqno>>0); return seqno & 0x7fffFFFF; case 5: px[offset+0] = 0; px[offset+1] = (unsigned char)(seqno>>24); px[offset+2] = (unsigned char)(seqno>>16); px[offset+3] = (unsigned char)(seqno>>8); px[offset+4] = (unsigned char)(seqno>>0); return seqno & 0xffffFFFF; } return 0; } #define TWO_BYTE ((unsigned long long)(~0)<<7) #define THREE_BYTE ((unsigned long long)(~0)<<14) #define FOUR_BYTE ((unsigned long long)(~0)<<21) #define FIVE_BYTE ((unsigned long long)(~0)<<28) /**************************************************************************** ****************************************************************************/ static unsigned id_prefix_count(unsigned id) { if (id & FIVE_BYTE) return 4; if (id & FOUR_BYTE) return 3; if (id & THREE_BYTE) return 2; if (id & TWO_BYTE) return 1; return 0; } /**************************************************************************** * Convert text OID to binary ****************************************************************************/ static unsigned convert_oid(unsigned char *dst, size_t sizeof_dst, const char *src) { size_t offset = 0; while (*src) { const char *next_src; unsigned id; unsigned count; unsigned i; while (*src == '.') src++; id = (unsigned)strtoul(src, (char**)&next_src, 0); if (src == next_src) break; else src = next_src; count = id_prefix_count(id); for (i=count; i>0; i--) { if (offset < sizeof_dst) dst[offset++] = ((id>>(7*i)) & 0x7F) | 0x80; } if (offset < sizeof_dst) dst[offset++] = (id & 0x7F); } return (unsigned)offset; } /**************************************************************************** * Handles an SNMP response. ****************************************************************************/ unsigned handle_snmp(struct Output *out, time_t timestamp, const unsigned char *px, unsigned length, struct PreprocessedInfo *parsed, uint64_t entropy ) { ipaddress ip_them = parsed->src_ip; ipaddress ip_me = parsed->dst_ip; unsigned port_them = parsed->port_src; unsigned port_me = parsed->port_dst; unsigned seqno; unsigned request_id = 0; struct BannerOutput banout[1]; UNUSEDPARM(length); /* Initialize the "banner output" module that we'll use to print * pretty text in place of the raw packet */ banout_init(banout); /* Parse the SNMP packet */ snmp_parse( px + parsed->app_offset, /* incoming SNMP response */ parsed->app_length, /* length of SNMP response */ banout, /* banner printing */ &request_id); /* syn-cookie info */ /* Validate the "syn-cookie" style information. In the case of SNMP, * this will be held in the "request-id" field. If the cookie isn't * a good one, then we'll ignore the response */ seqno = (unsigned)syn_cookie(ip_them, port_them | Templ_UDP, ip_me, port_me, entropy); if ((seqno&0x7FFFffff) != request_id) return 1; /* Print the banner information, or save to a file, depending */ output_report_banner( out, timestamp, ip_them, 17, parsed->port_src, PROTO_SNMP, parsed->ip_ttl, banout_string(banout, PROTO_SNMP), banout_string_length(banout, PROTO_SNMP)); /* Free memory for the banner, if there was any allocated */ banout_release(banout); return 0; } /**************************************************************************** * We need to initialize the OID/MIB parser * This should be called on program startup. * This is so that we can show short names, like "sysName", rather than * the entire OID. ****************************************************************************/ void snmp_init(void) { unsigned i; /* We use an Aho-Corasick pattern matcher for this. Not necessarily * the most efficient, but also not bad */ global_mib = smack_create("snmp-mib", 0); /* We just go through the table of OIDs and add them all one by * one */ for (i=0; mib[i].name; i++) { unsigned char pattern[256]; unsigned len; len = convert_oid(pattern, sizeof(pattern), mib[i].oid); smack_add_pattern( global_mib, pattern, len, i, SMACK_ANCHOR_BEGIN | SMACK_SNMP_HACK ); } /* Now that we've added all the OIDs, we need to compile this into * an efficient data structure. Later, when we get packets, we'll * use this for searching */ smack_compile(global_mib); } /**************************************************************************** ****************************************************************************/ static int snmp_selftest_banner() { static const unsigned char snmp_response[] = { 0x30, 0x39, 0x02, 0x01, 0x00, 0x04, 0x06, 0x70, 0x75, 0x62, 0x6C, 0x69, 0x63, 0xA2, 0x2C, 0x02, 0x01, 0x26, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x21, 0x30, 0x1F, 0x06, 0x09, 0x2B, 0x06, 0x01, 0x80, 0x02, 0x01, 0x01, 0x02, 0x00, 0x06, 0x12, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x8F, 0x51, 0x01, 0x01, 0x01, 0x82, 0x29, 0x5D, 0x01, 0x1B, 0x02, 0x02, 0x01, }; unsigned request_id = 0; struct BannerOutput banout[1]; banout_init(banout); /* parse a test packet */ snmp_parse( snmp_response, sizeof(snmp_response), banout, &request_id ); if (request_id != 0x26) return 1; { const unsigned char *str = banout_string(banout, PROTO_SNMP); size_t str_length = banout_string_length(banout, PROTO_SNMP); if (memcmp(str, "sysObjectID:okidata.", str_length) != 0) return 1; } banout_release(banout); return 0; } /**************************************************************************** ****************************************************************************/ int snmp_selftest(void) { static const unsigned char xx[] = { 43, 0x80|7, 110, 51, 0x80|20, 0x80|106, 84, }; size_t i; unsigned state; unsigned offset; size_t found_id = SMACK_NOT_FOUND; if (snmp_selftest_banner()) return 1; /* * test of searching OIDs */ state = 0; offset = 0; while (offset < sizeof(xx)) { i = smack_search_next( global_mib, &state, xx, &offset, (unsigned)sizeof(xx) ); if (i != SMACK_NOT_FOUND) found_id = i; } if (found_id == SMACK_NOT_FOUND) { fprintf(stderr, "snmp: oid parser failed\n"); return 1; } if (strcmp(mib[found_id].name, "selftest") != 0) { fprintf(stderr, "snmp: oid parser failed\n"); return 1; } return 0; }