[Sorry for the long message, but lots of debug stuff is included.] I have tried with all the SNMP plugins enabled, i.e. these scripts:
10265 snmp_detect.nasl
10800 snmp_sysDesc.nasl
10546 snmp_lanman_users.nasl
10969 snmp_cisco_type.nasl
10551 snmp_ifaces.nasl
10547 snmp_lanman_services.nasl
10550 snmp_processes.nasl
11317 snmp_hpJetDirectEWS.nasl
10548 snmp_lanman_shares.nasl
10688 snmp_vacm.nasl
11490 snmp_dlink_user_pass_disclosure.nasl
10233 rpc_snmp.nasl
10659 snmpXdmid.nasl
This does not cause any problem at all.
It fails when the only plugin enabled is radmin_detect.nasl. Here is the
log from nessus.messages:
[Mon Sep 22 14:52:34 2003][20978] user user : session will be saved as /usr/local/var/nessus/users/user/sessions/20030922-145234-index
[Mon Sep 22 14:52:35 2003][20978] user user starts a new attack. Target(s) : hostname.domain.com, with max_hosts = 16 and max_checks = 1
[Mon Sep 22 14:52:35 2003][20978] user user : testing hostname.domain.com (10.0.0.1) [21987]
[Mon Sep 22 14:52:35 2003][21987] user user : new KB will be saved as /bmc/local/apps/nessus/var/nessus/users/user/kbs/hostname.domain.com
[Mon Sep 22 14:52:35 2003][21987] user user : launching ping_host.nasl against hostname.domain.com [21988]
[Mon Sep 22 14:52:35 2003][21987] ping_host.nasl (process 21988) finished its job in 0.018 seconds
[Mon Sep 22 14:52:35 2003][21987] user user : launching nmap_tcp_connect.nes against hostname.domain.com [21989]
[Mon Sep 22 14:52:46 2003][21987] nmap_tcp_connect.nes (process 21989) finished its job in 10.161 seconds
[Mon Sep 22 14:52:46 2003][21987] user user : launching find_service.nes against hostname.domain.com [22000]
[Mon Sep 22 14:54:31 2003][21987] find_service.nes (process 22000) finished its job in 105.059 seconds
[Mon Sep 22 14:54:31 2003][21987] user user : launching radmin_detect.nasl against hostname.domain.com [22071]
[Mon Sep 22 14:56:08 2003][21987] radmin_detect.nasl (process 22071) finished its job in 97.605 seconds
[Mon Sep 22 14:56:08 2003][21987] Finished testing hostname.domain.com. Time : 213.36 secs
[Mon Sep 22 14:56:09 2003][20978] user user : test complete
snmpdm goes 100% about 14:54:35.
Yes, according to lsof, snmpdm has these ports open:
snmpdm 1550 root 3u inet 0x4ebc3668 0t0 TCP *:7161 (LISTEN)
snmpdm 1550 root 5u inet 0x56f80068 0t0 UDP *:snmp (Idle)
snmpdm 1550 root 6u inet 0x48213068 0t0 UDP *:* (Unbound)
And based on this, I hard-coded radmin_detect.nasl to attack port 7161 and
that caused the problem. I was able to get a trace from "nasl -T" and it is
attached.
Also, the snmpd.log file in /var/adm has messages of this sort:
GetSubagentEvent: can't malloc SubagentEvent, length = 1347175752
at line 2685 in file ../master.c
dropped pre-connect event from subagent 1
at line 2768 in file ../master.c
dropped pre-connect event from subagent 1
at line 2768 in file ../master.c
GetSubagentEvent: can't malloc SubagentEvent, length = 1347175752
at line 2685 in file ../master.c
GetSubagentEvent: can't malloc SubagentEvent, length = 1953695232
at line 2685 in file ../master.c
GetSubagentEvent: can't malloc SubagentEvent, length = 1680160590
at line 2685 in file ../master.c
GetSubagentEvent: can't malloc SubagentEvent, length = 1347175752
at line 2685 in file ../master.c
GetSubagentEvent: can't malloc SubagentEvent, length = 1953695232
at line 2685 in file ../master.c
Thanks,
Owen
-----Original Message-----
From: Renaud Deraison [mailto:[EMAIL PROTECTED]
Sent: Monday, September 22, 2003 3:59 PM
To: [EMAIL PROTECTED]
Subject: Re: radmin_detect.nasl DoS-ing snmpd?
On Mon, Sep 22, 2003 at 03:50:25PM -0500, Crow, Owen wrote:
> After running through the scan one test at a time, it appears to be
> radmin_detect.nasl that is causing the problem based on the fact that I have
> disabled all plugins (except Ping and TCP Connect scan), enabled safe mode,
> dependencies and optimization (.nessurc generated by NessusWX attached) and
> stopped the scan as soon as snmpdm goes to 100%.
Sometimes, it takes some time for a daemon which receives bad data to
go berserk about it.
Try to only run the SNMP plugins. Is the problem still there?
Does your snmpdm have any TCP socket open?
hostname.log
Description: Binary data
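The snmpd.log lines above show the failure mode directly: the first logged length, 1347175752, is 0x504C4548, i.e. the ASCII bytes "PLEH" read as a big-endian 32-bit integer. That is consistent with (and it is an assumption, since the page does not describe the wire format) snmpdm's master.c reading the leading bytes of a non-SNMP TCP probe as a frame length and handing it straight to malloc. The following C program is an added example, not code from the thread, from Nessus or from snmpdm: it models a hypothetical length-prefixed subagent-event reader in its trusting form beside a hardened form that bounds the length and checks that the payload is actually present before allocating. The framing, the MAX_EVENT_LEN bound, the function names and the sample inputs are all constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed framing for illustration only: a 4-byte big-endian length field
 * followed by that many payload bytes. The real snmpdm subagent protocol in
 * master.c is not described on the page; this stand-in reproduces the logged
 * symptom (an enormous malloc driven by a garbage length). */
#define MAX_EVENT_LEN 65536u  /* assumed upper bound for a legitimate event */

static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unsafe reader: trusts the peer's length field and allocates it outright.
 * Returns 0 on success, -1 on a short header, -2 when malloc fails (the
 * "can't malloc SubagentEvent" case). On a 64-bit host with overcommit the
 * 1.3 GB request may even succeed, which is its own resource problem. */
int get_event_unsafe(const unsigned char *buf, size_t buflen, uint32_t *len_out) {
    if (buflen < 4) return -1;
    uint32_t len = read_be32(buf);
    *len_out = len;
    void *ev = malloc(len);
    if (ev == NULL) return -2;
    free(ev);
    return 0;
}

/* Hardened reader: reject before allocating when the length is implausible
 * (-3) or when the advertised payload has not actually arrived (-4). A real
 * daemon would log the rejection and drop the peer at this point. */
int get_event_safe(const unsigned char *buf, size_t buflen, uint32_t *len_out) {
    if (buflen < 4) return -1;
    uint32_t len = read_be32(buf);
    *len_out = len;
    if (len == 0 || len > MAX_EVENT_LEN) return -3;
    if (buflen - 4 < (size_t)len) return -4;
    void *ev = malloc(len);
    if (ev == NULL) return -2;
    memcpy(ev, buf + 4, len);
    free(ev);
    return 0;
}

/* Constructed sample inputs. PROBE starts with the ASCII bytes "PLEH", which
 * read as a big-endian 32-bit integer give 0x504C4548 = 1347175752, the first
 * length in the snmpd.log excerpt. GOOD is a well-formed 5-byte event. */
static const unsigned char PROBE[] = { 'P', 'L', 'E', 'H', 0x01, 0x02, 0x03 };
static const unsigned char GOOD[]  = { 0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };

uint32_t probe_length_field(void) { return read_be32(PROBE); }
int probe_unsafe(void) { uint32_t l; return get_event_unsafe(PROBE, sizeof PROBE, &l); }
int probe_safe(void)   { uint32_t l; return get_event_safe(PROBE, sizeof PROBE, &l); }
int good_safe(void)    { uint32_t l; return get_event_safe(GOOD, sizeof GOOD, &l); }

int main(void) {
    printf("length field in probe: %u\n", probe_length_field());
    printf("unsafe reader: %d  safe reader: %d  well-formed event: %d\n",
           probe_unsafe(), probe_safe(), good_safe());
    return 0;
}
```

The bound check is the whole fix: a length field that arrives from a socket is attacker-controlled input, so it must be validated against a protocol maximum and against the bytes actually received before it is ever used as an allocation size. The same check also explains why only the TCP port mattered in this thread: the UDP SNMP socket speaks ASN.1/BER, while the TCP listener on 7161 is a separate subagent channel with its own framing.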
