
[nv-l] Re: [NV-L] Varbinds contained an illegal character

To: nv-l@lists.tivoli.com
Subject: [nv-l] Re: [NV-L] Varbinds contained an illegal character
From: netview@toddh.net
Date: Tue, 12 Feb 2002 16:33:30 -0600
Reply-to: nv-l@tkg.com
"Milburn, Shane B" <shane.b.milburn@intel.com> writes:
> I'm getting the following error message in trapd.log about an illegal
> character in varbinds. What is this and why am I getting it? How do I fix this?

This message is a feature of the security efix NetView released in
response to CERT advisory:
        http://www.cert.org/advisories/CA-2001-24.html

Basically, it is keeping you from opening a rather large hole in your
system to a would-be intruder. Without the fix, someone could send
you a sufficiently malformed snmpv1 trap with a varbind chock full of
the right shell metacharacters. If this were passed to an external
script in your environment, it opened the door to the possibility of
an attacker running arbitrary commands in root context (or whatever
user the NetView server is running as).

To address this underlying security problem with SNMPv1's
non-authenticated handling of unsolicited traps, NetView does stuff to
all non-alphanumeric characters within traps. By default on the
unix side, it prepends backslashes to all periods it encounters as
well as any characters added to the AdditionalLegalTrapCharacters
environment variable. All other alphanumerics, it indiscriminately
replaces with the _ character.

In the fix notes, Tivoli provides a sed command for removing the \
from the periods. You may have to do this in several scripts.

You should treat trap varbind data as "tainted" and script carefully,
just as you would in processing user data submitted via a CGI form on
a web page, to prevent an embedded string of, say, `rm -rf /*` or in
windows `echo y | deltree c:\winnt` in a varbind from doing something
rather nasty to your installation.


> One or more varbinds contained an illegal character.
> Sanitized version of the command:
>  perl D:\usr\local\OV\bin\autoPageMail.pl rf212-cs659-b.ra.intel.com "Cisco_Link_Up Slot/Port=1_2"

From the looks of this, perhaps your name for the Cisco Link Up trap
included a non-alphanumeric.

-- 
Todd H.
http://www.toddh.net/
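The unix-side escaping rules Todd describes, re-implemented in Python as an added illustration (this is not NetView's or Tivoli's code). Assumptions: only ASCII letters and digits are legal as-is, and AdditionalLegalTrapCharacters is read as a plain string of characters, each backslash-escaped rather than replaced; the script path and sample varbinds are constructed.

```python
import os

# Added illustration of the escaping rules described in the post; this is not
# NetView's or Tivoli's code.  Assumptions: only ASCII letters and digits are
# "legal" as-is, and AdditionalLegalTrapCharacters is read as a plain string
# of characters, each of which is backslash-escaped rather than replaced.

LOG_MESSAGE = "One or more varbinds contained an illegal character."


def extra_legal_chars(env=None):
    """Characters to escape with a backslash instead of replacing with '_'."""
    env = os.environ if env is None else env
    return frozenset(env.get("AdditionalLegalTrapCharacters", ""))


def sanitize_varbind(value, extra=frozenset()):
    """Apply the unix-side rules: alphanumerics pass through, '.' and any
    extra legal characters get a leading backslash, and everything else
    (including shell metacharacters) becomes '_'."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ch == "." or ch in extra:
            out.append("\\" + ch)
        else:
            out.append("_")
    return "".join(out)


def build_command(script, varbinds, extra=frozenset()):
    """Return (argv, log_line): the sanitized argument list for the external
    script, and the trapd.log message when any varbind was altered.  The argv
    list is meant to be handed to a process spawner without a shell, so the
    varbinds are never re-parsed as shell syntax."""
    sanitized = [sanitize_varbind(v, extra) for v in varbinds]
    altered = any(s != v for s, v in zip(sanitized, varbinds))
    argv = [script] + sanitized
    return argv, (LOG_MESSAGE if altered else None)


if __name__ == "__main__":
    # Constructed sample: a trap-name varbind plus one carrying backticks.
    argv, log_line = build_command(
        "/usr/OV/bin/autoPageMail.pl", ["Cisco_Link_Up Slot/Port=1/2", "up`id`"]
    )
    print(argv, log_line)
```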


Archive operated by Skills 1st Ltd