In a SecurityWeek article by Ionut Arghire about a newly discovered SNMP vulnerability that allows authentication to be bypassed on dozens of network device models (more detail here and here), the author included a link to a GitHub repository (https://github.com/string-bleed/StringBleed-CVE-2017-5135; don't compile and execute the code, but by all means take a look) which purports to be a proof-of-concept (PoC) exploit for the vulnerability. It is not. It is a trojan that exfiltrates data from your system.

From the SecurityWeek article:

The issue, the researchers say [this is the link to the trojaned "POC"], resides in the manner in which the SNMP agent in different devices (usually cable modems) handles a human-readable string datatype value called "community string" that SNMP version 1 and 2 use.

The folks at MITRE (who manage the CVE database) caught this and mention the issue in their CVE entry:

Certain Technicolor devices have an SNMP access-control bypass, possibly involving an ISP customization in some cases. The Technicolor (formerly Cisco) DPC3928SL with firmware D3928SL-P15-13-A386-c3420r55105-160127a could be reached by any SNMP community string from the Internet; also, you can write in the MIB because it provides write properties, aka Stringbleed. NOTE: the string-bleed/StringBleed-CVE-2017-5135 GitHub repository is not a valid reference as of 2017-04-27; it contains Trojan horse code purported to exploit this vulnerability.
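For orientation before reading the C, this is what genuine SNMPv1 traffic looks like on the wire: the community string is a plain BER octet string right after the version field, inside a small UDP datagram. The codec below is an added example written for this post (not code from the article or from the repository); it builds a v1 GetRequest and parses captured datagrams so a defender can flag requests whose community string is not on an allow-list, which is precisely the access a StringBleed-affected device should not be granting. The function names and the sample values (community "public", sysDescr.0) are constructed for the example.

```python
"""Minimal SNMPv1 BER codec (RFC 1157): shows where the community string sits and
checks captured requests against an allow-list. Added example, not the repo's code."""

# BER tags used by SNMPv1 messages
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE, GET_REQUEST = 0x02, 0x04, 0x05, 0x06, 0x30, 0xA0


def _tlv(tag: int, content: bytes) -> bytes:
    """Encode tag + short-form length (content < 128 bytes) + content."""
    assert len(content) < 128, "short-form length only in this example"
    return bytes([tag, len(content)]) + content


def _oid(dotted: str) -> bytes:
    """Encode a dotted OID: first two arcs share a byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:                      # high bit set on all but the last byte
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return _tlv(OID, bytes(out))


def build_v1_get(community: str, oid: str, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU }.
    request_id is kept below 128 so the INTEGER needs no sign padding."""
    varbind = _tlv(SEQUENCE, _oid(oid) + _tlv(NULL, b""))
    pdu = (_tlv(INTEGER, bytes([request_id])) + _tlv(INTEGER, b"\x00") * 2  # error-status, error-index
           + _tlv(SEQUENCE, varbind))
    return _tlv(SEQUENCE, _tlv(INTEGER, b"\x00") + _tlv(OCTET_STRING, community.encode())
                + _tlv(GET_REQUEST, pdu))


def _read_tlv(data: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV at data[pos]; handles long-form lengths."""
    tag, length = data[pos], data[pos + 1]
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        pos += n
    start = pos + 2
    return tag, data[start:start + length], start + length


def parse_snmp(data: bytes) -> dict:
    """Extract version (0 = v1, 1 = v2c), community and PDU tag from a raw datagram."""
    outer_tag, msg, _ = _read_tlv(data, 0)
    if outer_tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, _, _ = _read_tlv(msg, pos)
    return {"version": int.from_bytes(version, "big"),
            "community": community.decode("latin-1"), "pdu_tag": pdu_tag}


def unexpected_community(data: bytes, allowed: frozenset) -> bool:
    """True when a v1/v2c request carries a community string not on the allow-list;
    a device answering such a request from the Internet is exposed the StringBleed way."""
    msg = parse_snmp(data)
    return msg["version"] in (0, 1) and msg["community"] not in allowed
```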

The GitHub repository contains a license, a readme, a Makefile and one source file, poc-linux.c. Looking at the C code, it's immediately clear that this is *not* an SNMP exploit (extracts from poc-linux.c):