Someone with a bit more ASN.1 encoding experience may wish to comment on
my analysis.
jose.quinto@xxxxxxxxxxxxxxx wrote:
> To ethereal users,
>
> I'm encountering one SNMP Get-Next request
> with a [Malformed Packet: SNMP] in it.
>
> The request in the captured data file attached is at
>
> 117 .... SNMP RESPONSE IF-MIB::ifSpecific.1[Malformed Packet]
> ... << up to >>
> 120 .... SNMP GET-NEXT IF-MIB::ifSpecific.2[Malformed Packet]
>
> I wonder why is this happening, even if i test the GET request, it still
> has a malformed packet
> in the ifSpecific part also.
>
> Please refer to the attached captured file for the details.
>
It would have been a bit simpler if you had only included the SNMP traffic.
Your first malformed packet is:
0000 00 11 2f 27 de d6 00 50 81 20 00 00 08 00 45 00 ../'...P. ....E.
0010 00 47 00 38 00 00 40 11 4c 8b c0 a8 d6 4f c0 a8 [email protected]..
0020 d6 42 00 a1 05 b1 00 33 ab d4 30 29 02 01 00 04 .B.....3..0)....
0030 06 70 75 62 6c 69 63 a2 1c 02 01 34 02 01 00 02 .public....4....
0040 01 00 30 11 30 0f 06 0a 2b 06 01 02 01 02 02 01 ..0.0...+.......
0050 16 01 06 01 d0 .....
The bit Ethereal considers malformed is the last 3 bytes - 06 01 d0
06 - ASN.1 type OID
01 - encoded length is 1 byte
d0 - the OID value
d0 has the high bit set, meaning there should be more bytes to the
subidentifier but the data has length 1, hence the packet is malformed.
In an SNMP process with less strict parsing this may produce a buffer
overflow.
There are other errors which you may not have noticed.
IF-MIB::ifSpeed is returning INTEGER and should be Gauge32 or Unsigned32.
What is the SNMP agent?
--
There's no point in being grown up if you can't be childish sometimes.
-- Dr. Who