Discussion:
snmpwalk not working with a community name with a backslash in it
christopher.wu
2017-02-14 21:10:43 UTC
I'm trying to determine if a community name or userid can contain a backslash. I've created a v2c SNMP community name called "testing\" and I cannot get it to work with an snmpwalk (I tried with version 5.7.3 on Linux). I realize that backslash is an escape character so I made sure to account for that in the command line.

snmpwalk -m ALL -M . -v 2c -c testing\\ 10.10.11.1 sysUpTime
Timeout: No Response from 10.10.11.1

I did a trace to verify that "testing\" is sent via the network.

sudo tcpdump -n -vvv -i eth0 port 161
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:02:11.223073 IP (tos 0x0, ttl 64, id 26922, offset 0, flags [DF], proto UDP (17), length 72)
10.10.11.2.44029 > 10.10.11.1.161: [bad udp cksum 0x2a5c -> 0x6912!] { SNMPv2c C=testing\ { GetNextRequest(27) R=1008098937 .1.3.6.1.2.1.1.3 } }
19:02:12.224149 IP (tos 0x0, ttl 64, id 26989, offset 0, flags [DF], proto UDP (17), length 72)
10.10.11.2.44029 > 10.10.11.1.161: [bad udp cksum 0x2a5c -> 0x6912!] { SNMPv2c C=testing\ { GetNextRequest(27) R=1008098937 .1.3.6.1.2.1.1.3 } }
19:02:13.225253 IP (tos 0x0, ttl 64, id 27002, offset 0, flags [DF], proto UDP (17), length 72)

I even modified the code in netsnmp_udp_getSecName() to verify that "testing\" was being compared and both sides of the comparison had that value.

If I remove the backslash it works fine. Is backslash not allowed or is this a bug?
Fredrik Björk
2017-02-15 07:57:55 UTC
Hi!

You really like to bend the rules, don't you :) Keep it up, I like it!

I tried this in a Juniper EX:

***@EX2200# show snmp | display set
set snmp community public authorization read-only
set snmp community test authorization read-only
set snmp community "test\\" authorization read-only"
set snmp community "test\\test" authorization read-only

It turned out kind of weird:

***@EX2200# show snmp
community rwcomm {
authorization read-only;
client-list-name TELE2-MGMT;
}
community public {
authorization read-only;
}
community test {
authorization read-only;
}
community "test\\" authorization read-only"; <- Not the normal
syntax, but checks out!
community "test\\test" {
authorization read-only;
}

committed and running...

snmpbulkwalk -v 2c -c 'test\\test' 10.67.11.253 SNMPv2-MIB::sysDescr -m all
SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. ex2200-c-12p-2g
Ethernet Switch, kernel JUNOS 15.1R1.8, Build date: 2015-05-29 08:09:50
UTC Copyright (c) 1996-2015 Juniper Networks, Inc.

# snmpbulkwalk -v 2c -c 'test\\test' 10.67.11.253 SNMPv2-MIB::sysDescr -m all
SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. ex2200-c-12p-2g
Ethernet Switch, kernel JUNOS 15.1R1.8, Build date: 2015-05-29 08:09:50
UTC Copyright (c) 1996-2015 Juniper Networks, Inc.

tcpdump of it:

08:42:53.851825 IP (tos 0x0, ttl 64, id 61330, offset 0, flags [DF],
proto UDP (17), length 74)
10.67.11.11.50819 > 10.67.11.253.161: { SNMPv2c C=test\\test {
GetBulk(27) R=578438959 N=0 M=10 .1.3.6.1.2.1.1.1 } }
08:42:53.893568 IP (tos 0x0, ttl 64, id 8022, offset 0, flags [none],
proto UDP (17), length 400)
10.67.11.253.161 > 10.67.11.11.50819: { SNMPv2c C=test\\test {
GetResponse(349) R=578438959 .1.3.6.1.2.1.1.1.0="Juniper Networks, Inc.
ex2200-c-12p-2g Ethernet Switch, kernel JUNOS 15.1R1.8, Build date:
2015-05-29 08:09:50 UTC Copyright (c) 1996-2015 Juniper Networks, Inc."
.1.3.6.1.2.1.1.2.0=.1.3.6.1.4.1.2636.1.1.1.2.43
.1.3.6.1.2.1.1.3.0=851048621 .1.3.6.1.2.1.1.4.0=""
.1.3.6.1.2.1.1.5.0="EX2200" .1.3.6.1.2.1.1.6.0="" .1.3.6.1.2.1.1.7.0=6
.1.3.6.1.2.1.2.1.0=63 .1.3.6.1.2.1.2.2.1.1.4=4 .1.3.6.1.2.1.2.2.1.1.5=5 } }

I also tried "test\test" for community and it worked (and sent
"test\test" on the wire according to tcpdump).

So, in the Juniper case, it actually works. JunOS seems to interpret the
first "test \\" in a special way (seems to include the " in the
process), but the others work like a charm.

Even an Alcatel 6250-8M works:

# snmpbulkwalk -v 2c -c 'test\\test' 10.67.11.5 SNMPv2-MIB::sysDescr -m all
SNMPv2-MIB::sysDescr.0 = STRING: Alcatel-Lucent OS6250-8M 6.7.1.108.R04
Service Release, January 04, 2017.


That said, I wouldn't trust this method to work on any given system
without testing, so I'd strongly advise against using \ in a community
for devices where you may or may not have 100 % control of them. It
could even be that in the next software release you put on a
switch/router/... it stops working, not to mention how to use these
special communities in different NMS applications. I'm pretty sure you
can easily find a switch model that won't interpret the \ correctly in a
community. Just because it works at one point, doesn't necessarily mean
that it's a good idea to use it :)

/Fredrik
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Net-snmp-users mailing list
https://lists.sourceforge.net/lists/listinfo/net-snmp-users
christopher.wu
2017-03-06 20:49:31 UTC
Apparently I do like to break the rules! :)

Thank you so much for taking the time to do this testing. I use com2sec (and the other items) in the snmpd.conf file to declare my v2c community strings. It turns out that there's a discrepancy with how the backslash is handled in the code. One function treats it as an escape character and another does not.

I opened a bug report and submitted a patch:

https://sourceforge.net/p/net-snmp/bugs/2765/
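
The kind of discrepancy described in the message above, as an added example (not net-snmp's code and not the submitted patch): two hypothetical tokenizers, token_raw and token_unescape, read the same configured community, and a request is accepted only when the stored value equals the bytes on the wire. The helper names, buffer size and sample strings are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#define TOK_MAX 64

/* Hypothetical parser A: copy the whitespace-delimited token verbatim. */
static void token_raw(const char *in, char *out) {
    size_t n = 0;
    while (*in && *in != ' ' && *in != '\t' && n + 1 < TOK_MAX)
        out[n++] = *in++;
    out[n] = '\0';
}

/* Hypothetical parser B: backslash escapes the next byte ("\x" -> "x");
 * a lone trailing backslash has nothing to escape and is dropped. */
static void token_unescape(const char *in, char *out) {
    size_t n = 0;
    while (*in && *in != ' ' && *in != '\t' && n + 1 < TOK_MAX) {
        if (*in == '\\' && *++in == '\0')
            break;
        out[n++] = *in++;
    }
    out[n] = '\0';
}

/* 1 if both parsers store the same community for this config token. */
int parsers_agree(const char *configured) {
    char a[TOK_MAX], b[TOK_MAX];
    token_raw(configured, a);
    token_unescape(configured, b);
    return strcmp(a, b) == 0;
}

/* 1 if the community seen on the wire equals what the chosen parser stored. */
int wire_matches(const char *configured, const char *wire, int unescape) {
    char stored[TOK_MAX];
    (unescape ? token_unescape : token_raw)(configured, stored);
    return strcmp(stored, wire) == 0;
}

int main(void) {
    /* Constructed samples; in C source "\\" is one backslash byte. */
    const char *cfg[] = { "testing", "testing\\", "testing\\\\", "test\\test" };
    for (size_t i = 0; i < sizeof cfg / sizeof cfg[0]; i++)
        printf("%-12s agree=%d\n", cfg[i], parsers_agree(cfg[i]));
    return 0;
}
```

Any configured value for which parsers_agree returns 0 is one where the stored community depends on which code path read it, which is why a community without backslashes is the only kind that behaves the same everywhere.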