Memory leak in Simple Network Management Protocol (SNMP) agent (snmp.exe) for Windows NT 4.0 before Service Pack 4 allows remote attackers to cause a denial of service (memory consumption) via a large number of SNMP packets with Object Identifiers (OIDs) that cannot be decoded.
Remote attackers can trigger a denial-of-service (DoS) condition on vulnerable Windows NT 4.0 systems by sending a flood of malformed SNMP packets. This vulnerability, stemming from a memory leak in the SNMP agent, leads to excessive memory consumption, rendering the system unresponsive and potentially causing a system crash.
Step 1: Packet Crafting: The attacker crafts a series of SNMP packets. Each packet contains a large number of Object Identifiers (OIDs).
Step 2: OID Corruption: The attacker ensures that the OIDs within the packets are invalid or malformed, causing the SNMP agent to fail to decode them.
Step 3: Packet Transmission: The attacker sends the crafted SNMP packets to the vulnerable Windows NT 4.0 system, targeting the SNMP agent (snmp.exe) on UDP port 161.
Step 4: Memory Allocation: The SNMP agent receives and attempts to process each packet. Due to the invalid OIDs, the agent allocates memory to handle the packet but fails to release it.
Step 5: Memory Leak: The agent continues to allocate memory for each malformed packet, leading to a memory leak.
Step 6: Resource Exhaustion: The memory leak consumes system resources, eventually exhausting available memory.
Step 7: Denial of Service: The system becomes unresponsive or crashes due to the lack of available memory, resulting in a denial-of-service condition.
The vulnerability lies in snmp.exe's handling of SNMP packets whose Object Identifiers (OIDs) are invalid or cannot be decoded. The agent allocates memory to process each packet, but when it encounters an invalid OID it fails to release that allocation. Each malformed packet therefore leaks a block of memory, and a sustained stream of such packets accumulates leaked blocks until available system memory is exhausted and the system becomes unresponsive or crashes. The root cause is a lack of proper error handling and memory management in the agent's OID parsing routines: the memory allocated for a packet is not freed on the path that rejects an undecodable OID.
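The following C program is an added illustration of the bug class described above; it is not code from Microsoft's snmp.exe, whose source is not on this page. It models a BER OID sub-identifier decoder, a handler that leaks its buffer on the decode-failure path, the corrected handler that frees on every exit, and an allocation counter so the leak from a stream of malformed OIDs is measurable. All function names, the counter, and the sample OID bytes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed instrumentation: outstanding heap blocks, so a leak is observable. */
static int live_allocs = 0;
static void *track_malloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void track_free(void *p) { if (p) { live_allocs--; free(p); } }

/* Decode BER OID contents (tag and length already stripped) into sub-identifiers.
 * Each sub-identifier is base-128, high bit set on every byte except the last.
 * Returns -1 when the value cannot be decoded (unterminated or oversized sub-id). */
static int decode_subids(const uint8_t *v, size_t len, uint32_t *out, size_t *count) {
    size_t n = 0; uint32_t cur = 0; int width = 0;
    for (size_t i = 0; i < len; i++) {
        if (++width > 5) return -1;              /* does not fit in 32 bits */
        cur = (cur << 7) | (v[i] & 0x7f);
        if (!(v[i] & 0x80)) { out[n++] = cur; cur = 0; width = 0; }
    }
    if (width != 0) return -1;                   /* last sub-identifier never terminated */
    *count = n;
    return 0;
}

/* Vulnerable pattern: the per-packet buffer is only released on the success path. */
int handle_oid_leaky(const uint8_t *v, size_t len) {
    uint32_t *subids = track_malloc((len + 1) * sizeof *subids);
    size_t n;
    if (!subids) return -1;
    if (decode_subids(v, len, subids, &n) != 0) return -1;  /* BUG: subids leaked */
    track_free(subids);
    return (int)n;
}

/* Hardened pattern: a single exit releases the buffer whether decoding succeeded or not. */
int handle_oid_fixed(const uint8_t *v, size_t len) {
    uint32_t *subids = track_malloc((len + 1) * sizeof *subids);
    size_t n; int rc = -1;
    if (!subids) return -1;
    if (decode_subids(v, len, subids, &n) == 0) rc = (int)n;
    track_free(subids);
    return rc;
}

/* Feed the same OID value to a handler `packets` times; returns blocks left allocated. */
int simulate_flood(int (*handler)(const uint8_t *, size_t), const uint8_t *v, size_t len, int packets) {
    int before = live_allocs;
    for (int i = 0; i < packets; i++) handler(v, len);
    return live_allocs - before;
}

/* Constructed samples: 1.3.6.1.2.1 encodes as 2b 06 01 02 01; the second ends mid sub-id. */
const uint8_t SAMPLE_OID_OK[]  = { 0x2b, 0x06, 0x01, 0x02, 0x01 };
const uint8_t SAMPLE_OID_BAD[] = { 0x2b, 0x06, 0x81 };
const size_t SAMPLE_OID_OK_LEN = 5, SAMPLE_OID_BAD_LEN = 3;
```

Running `simulate_flood` with the leaky handler over the malformed sample leaves one unreleased block per packet, while the fixed handler leaves none; the same counter is the kind of metric a defender would watch in a process's working set.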