Date: Tue, 5 May 1998 12:33:09 -0500
From: Eric Monti <monti@MAIL.NETURAL.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: 3Com switches - undocumented access level.
I dont know if this is known or documented elsewhere but it took me by
suprise, so here goes.
The recent posts about the rcon user in quake servers have reminded me
that I still havent heard back from 3Com about the following "feature". My
experience has shown that switches are not as much missle chucking fun as
quake, but that isnt to say you cant play games on one. <hyuk>
PROBLEM:
There appears to be a backdoor/undocumented "access level" in current (and
possibly previous) versions of 3Com's "intelligent" and "extended"
switching software for LanPlex/Corebuilder switches. In addition to the
"admin", "read", and "write" accounts, there is a "debug" account with a
password of "synnet" on shipped images (including those available for
download from infodeli.3com.com). The versions of firmware this was tested
under include 7.0.1 and 8.1.1. The debug account appears to have all the
privileges of the admin account plus some "debug" commands not available
to any other ID.
IMPACT:
If you allow "remote administration" (telnet access), well... yeah.
FIX:
Login to the switch with the debug/synnet combo and use the "system
password" command to change this to something non-default. You wont be
able to change the password using the admin account.
Date: Tue, 5 May 1998 15:13:53 -0400
From: Mike Richichi <mrichich@DRUNIVAC.DREW.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: 3Com switches - undocumented access level.
--
Eric Monti wrote:
>
> PROBLEM:
> There appears to be a backdoor/undocumented "access level" in current (and
> possibly previous) versions of 3Com's "intelligent" and "extended"
> switching software for LanPlex/Corebuilder switches. In addition to the
> "admin", "read", and "write" accounts, there is a "debug" account with a
> password of "synnet" on shipped images (including those available for
> download from infodeli.3com.com). The versions of firmware this was tested
> under include 7.0.1 and 8.1.1. The debug account appears to have all the
> privileges of the admin account plus some "debug" commands not available
> to any other ID.
>
> IMPACT:
> If you allow "remote administration" (telnet access), well... yeah.
>
> FIX:
> Login to the switch with the debug/synnet combo and use the "system
> password" command to change this to something non-default. You wont be
> able to change the password using the admin account.
It's even worse than it first appears, BTW. Not only is this backdoor password
there, but you can change all the other access passwords from the "debug"
account without having to know the old passwords. So, someone can lock you out
of your switch completely. In addition, they can get to the "underlying OS
shell", which looks like a very fun place to completely screw things up.
I can verify this works with the Lanplex/Corebuilder 2500s (all SW versions 7.x
and 8.x) and the CoreBuilder 3500 (ver 1.0.0.) I almost cried when I
had a hardware failure and the 3Com tech told me about this backdoor.
--Mike
--------------------
Mike Richichi, Assistant Director, Drew University Academic Technology
BC-COMPCEN, Madison, NJ 07940 +1 973 408 3840 FAX: +1 973 408 3995
mailto:mrichich@drunivac.drew.edu http://daniel.drew.edu/~mrichich
"There are only two businesses who call their customers 'users'" -E. Tufte
Date: Wed, 6 May 1998 16:28:06 -0400
From: Jean-Francois Malouin <Jean-Francois.Malouin@bic.mni.mcgill.ca>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: 3Com switches - undocumented access level.
On Wed, May 06, 1998 at 09:59:45AM -0300, Durval Menezes wrote:
> Hello,
>
> Just checked my 3Com Superstack II intelligent hub and Switches (they have
> a similar Telnet interface) and they appear NOT to have this backdoor
> (humm, or does the backdoor use a different username/password? I wonder...)
>
> Best Regards,
> --
> Durval Menezes (durval@tmp.com.br, http://www.tmp.com.br/~durval)
well, I can confirm that the 3Com LANplex 2500 (rev 7.15)
with Version 7.0.1-19 - Built 01/17/97 02:41:17 PM
is open to this backdoor...well, not anymore... ;)
jf
--
J.-F. Malouin, System/Network Manager, Email: <malin@bic.mni.mcgill.ca>
Brain Imaging Center, McGill U., 3801 University St, Montreal, Que., H3A 2B4
Voice:(514)398-8924, Fax:(514)398-8948, PGP: finger malin@bic.mni.mcgill.ca
"Reality is that which, when you stop believing in it, doesn't go away." PKD
Date: Thu, 7 May 1998 21:56:26 +0300
From: Riku Meskanen <mesrik@cc.jyu.fi>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: 3Com switches - undocumented access level.
On Wed, 6 May 1998, Durval Menezes wrote:
> Hello,
>
> > PROBLEM:
> > There appears to be a backdoor/undocumented "access level" in current (and
> > possibly previous) versions of 3Com's "intelligent" and "extended"
> > switching software for LanPlex/Corebuilder switches.
>
> Just checked my 3Com Superstack II intelligent hub and Switches (they have
> a similar Telnet interface) and they appear NOT to have this backdoor
> (humm, or does the backdoor use a different username/password? I wonder...)
>
No but unfortunately there is another "tech" user that took me
only about 20min to dig out from compressed image. Same pair
works for CellPlex 7000 :(
The username is tech, as is the password.
I'll think that 3Com should be informed to release a security
advisory ASAP.
Telnet, V1.0, 3Com NCD, 1996
LinkSwitch 2700 Rev 1.0
Software version Ver. 3.50 - Built Sep 11 1997 11:21:13
Select access level (read, write, admin): tech
Password: ****
LinkSwitch 2700 Rev 1.0 Administration Console
Accessed at tech access level.
main menu:
==========
[1] system - Administer System level functions ->
[2] ethernet - Administer Ethernet ports ->
[3] bridge - Administer Bridging ->
[4] atm - Administer ATM resources ->
[5] le - Administer LAN Emulation Clients ->
[6] vns - Administer Virtual Networks configuration ->
[7] management - Administer IP and SNMP ->
[8] quit - Logout of the administration console
[9] fast - Fast Setup
[10] tech - Special technician options ->
'\' - Main menu '-' - Prev menu
> quiConnection closed by foreign host.
Use tech/system/password to set new password.
Telnet, V1.0, 3Com NCD, 1996
-------------------------------
- CELLplex 7000 -
- -
- ATM Backbone Switch -
-------------------------------
Access level (read, write, admin):tech
Password: ****
CP7000 switch module - Main Menu:
(1) SYS: Platform config ->
(2) LEM: Lan Emulation ->
(3) CON: Connections ->
(4) STS: Statistics ->
(5) DIA: Testing & Diagnostics ->
(6) FTR: ATM features
(7) LOG: Logout
(8) VER: Version
(9) FST: Fast Setup
(10) DBG: Debug ->
[ '\' -Main, '-' -Back in menus]
[ '=0'-To switch, '=n'-To i/f card n (1-4)]
>
>7
Connection closed by foreign host.
Use (1)SYS\(1)SET\(2)PAS> to set new password.
Ok, now how about models 1000 and 3000 ?
:-) riku
--
[ This .signature intentionally left blank ]
Date: Fri, 8 May 1998 11:35:56 -0500
From: Aleph One <aleph1@nationwide.net>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: 3Com switches - undocumented access level.
This is a summary of a number of posts. Please, if you will be reporting
a system as vulnerable or not always include the software version you are
using.
Peter Mount <peter@maidstone.gov.uk> mentions that his LinkSwitch does
have the backdoor. His software version is:
-> version
VxWorks (for LinkSwitch 2000) version 5.0.2b.
Kernel: WIND version 2.0.
Made on Wed Dec 18 22:27:52 EST 1996.
Boot line:
pcmcia(0,0) f=0x20008
value = 33 = 0x21 = '!'
Riku Meskanen <mesrik@cc.jyu.fi> reports that the CellPlex 1000 doesn't
seem to have the tech user backdoor. He fails to mention the software
version.
Alan Cox <alan@lxorguk.ukuu.org.uk> mentions that when he worked for 3com
there was no useful security contacts. The also states that 3com is
divided into units. Each unit is very independent and will often use
different code bases. So a given problem is likely to hit one section of
3com products only.
Could someone check the following 3com products: Accessbuilder,
Netbuilder.
Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
Date: Sun, 10 May 1998 18:31:34 -0500
From: Michael Mittelstadt <meek@EXECPC.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: 3Com switches - undocumented access level.
[Quoth Sasha Egan]
] Sorry about this, I forgot to mention it..
]
] To get the interview with the network tech at 3Com, I had to list myself
] as a primary contact...if you need any information from me:
] my phone number is (505) 861-4981
] My pager is (505) 875-8866
] just in case...
It might also be worth mentioning to 3Com that the enterprise MIB (at
least for the Corebuilder 3500) contains the passwords and the snmp
keys for the box. If some poor sap sets their SNMP key to something
guessable (like, oh, I dunno, 'public'), you can get the admin
password and SNMP key with these:
enterprises.synernetics.lanplex.lanplexSystemsMib.1.19.0 = "password"
enterprises.synernetics.lanplex.lanplexSystemsMib.6.7.0 = "public"
I don't know what the wisdom of putting the password in the MIB is.
This is true with both software release 1.0 and 1.1 on the Corebuilder
3500. And since it's the synernetics enterprise MIB, it's my educated
guess that this info is on other corebuilder and lanplex boxen.
With release 1.0 on the corebuilder, I also had the misfortune of
being able to reboot the box by sending a lot of UDP traffic to it's
administrative port. Being paranoid, I ran netcat against it, wanting
to know what ports it listened on. About 10 seconds later, it
reboots. rel 1.1 seems more robust.
IMHO, the Corebuilder 3500 just feels like a product that went out the
door too fast to be early to market, without giving security or
robustness enough of a thought.
--
Michael Mittelstadt meek@execpc.com
VP - Internet Techologies ExecPC Internet
http://www.execpc.com/~meek 1-800-ExecPC-1
Date: Sat, 9 May 1998 12:57:35 +0300
From: Riku Meskanen <mesrik@cc.jyu.fi>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: 3Com switches - undocumented access level.)
On Fri, 8 May 1998, Aleph One wrote:
> Riku Meskanen <mesrik@cc.jyu.fi> reports that the CellPlex 1000 doesn't >
seem to have the tech user backdoor. He fails to mention the software >
version.
>
Ehem, Model 1000 and 3000 are SuperStacks. There is no CellPlex 1000.
SuperStack 2700, formerly LinkSwitch 2700 (basically same stuff with little
difference in chassis), is ethernet switch which can be equiped wit ATM
interface.
CellPlex (model 7000 or newer 7000HD) is just a plain ATM-switch.
I'm sorry about my bad english which may have confused you.
About the versions. The LinkSwitch softare version tested (later sold as
SuperStack 2700) was on my first post (shown on login screen), but here is
it again.
LinkSwitch 2700 Rev 1.0
Software version Ver. 3.50 - Built Sep 11 1997 11:21:13
The CellPlex "(8) VER: Version" -option from main menu shows,
CELLplex Software Versions:
Switch Management version: 3.25
Internal Communication version: 3.2
I/F Control Card 1 version: Ver. 3.20
I/F Control Card 2 version: Ver. 3.20
4-PB FPGA Transmit version: 1.0
4-PB FPGA Receive version: 2.3
8-PB FPGA Transmit version: 3.2
8-PB FPGA Receive version: 3.2
ALC type: ALC_87
R&D version: 3.20N
DATE Feb 16 1997: TIME 23:17:24
I can also confirm that debug/synnet worked here for LANPlex2500 which
system/display shows following.
LANplex 2500 (rev 7.19) - System ID 0bc906 Extended Switching Software
Version 7.0.1 - Built 06/12/96 05:48:41 PM
But then some new stuff :)
Q: Right, but how about SuperStack II Switch 1000, does it has
undocumented access level?
1. Yes, try username "monitor", with password "monitor".
Version Numbers
Hardware Version: 3
Upgradable Software Version: 3.21
Boot Software Version: 3.10
Q: Is the SuperStack II Switch 3000 also affected, as it's basically
same the same family line.
1. Yes, try same username/password pair monitor/monitor. The tested
system has version information.
Version Numbers
Hardware Version: 5
Upgradable Software Version: 3.10
Boot Software Version: 2.10
Q: How did you find these strings.
1. There are two Motorola S format (srec) files in LS1K3_10.SLX (software
for SuperStack II 1000) and LS3K3_10.SLX (software for SuperStack II
3000).
Extract the first file, ie. the lines begining
with "S", then
$ strings --target=srec sfile | less
Or if you like to take a better view to the file
you may
$ objcopy -I srec -O binary sfile bfile
to produce raw binary image in bfile.
The strings and obcopy are part of the GNU binutils.
Here is also some info how I did get the CellPlex 7000 and LinkSwitch 2700
strings if someone else would like to take a look.
You need the file ATMMAIN.SL (CellPlex 7000 tftp loadable image). You can
find there is a standard PKZIP header beginning offset 0xE34.
00000e30 446d0008 1f8b0000 1f9e0000 504b0304 Dm..........PK.. 00000e40
00000000 0a206e6f 7420696e 20677a69 ..... not in gzi 00000e50 7020666f
726d6174 0a000000 00000000 p format........
Duh, "1f8b" following the standard PKZIP header shows clearly,
$ dd if=ATMMAIN.SL bs=`echo "ibase=16; E34;" | bc -q` skip=1 >fish.zip
145+1 records in
145+1 records out
$ unzip fish
Archive: fish.zip
warning [fish.zip]: 46300 extra bytes at beginning or within zipfile
(attempting to process anyway)
replace ATMSW.STR? [y]es, [n]o, [A]ll, [N]one, [r]ename: A inflating:
ATMSW.STR
$
You should not have any trouble locating the plain username and password
strings from ATMSW.STR
Anybody still believe there is a product from 3Com that has no backdoor?
<sigh>.
:-) riku
--
Riku Meskanen <mesrik@cc.jyu.fi> also as: root@jyu.fi, hostmaster@jyu.fi,
Systems and network administrator hostmaster@co.jyu.fi, etc.
University of Jyvaskyla Voice: +358 14 60 3580
PO-BOX 35, FI-40351 JYVASKYLA, Finland Fax: +358 14 60 3611 From
aleph1@NATIONWIDE.NET Thu May 14 18:29:48 1998 Date: Sun, 10 May 1998
14:41:37 -0500
From: Aleph One <aleph1@NATIONWIDE.NET> To: BUGTRAQ@NETSPACE.ORG
Subject: Re: 3Com switches - undocumented access level.)
Summary of multiple posts on the subject:
Riku Meskanen <mesrik@cc.jyu.fi>
LanPlex2500/Corebuilder
- login: debug
- password: synnet
LinkSwitch 2700, SuperStack 2700, CellPlex 7000 - login: tech
- password: tech
SuperStack II 1000 ja SuperStack II 3000 - login: monitor
- password: monitor
Joel Moses <jmoses@dttus.com>
CoreBuilder 7000-series has the problem. It is safe to change that password
on this model. Please note that if you have multiple management cards, each
one will have the password enabled.
Philippe Regnauld <regnauld@deepo.prosa.dk>
Netbuilder 2xx (v. SW/NBRO-AB,9.1): Nothing so far.
James Robertson <james@hal.utmb.edu>
I have checked Netbulder Version 8.4 up to 10.1. None of these versions
have a backdoor that I know of. I also scanned the boot images for any
hints, none found so far.
Also, Superstack II Switch 1100, 3000, 3300 do not have the 'tech' backdoor
nor does a scan of the boot image show any hints of the same.
There is another way to gain access to a Netbuilder. All 3Com Netbuilders
support a remote command. The remote command comes with RBCS ( Remote Boot
and Configuration Services ) and Transcend Management Suite.
If you are root on a Netbuilder and know the address of someone elses
Netbuilder you can remote to their Netbuiler from yours and gain root
privelages.
Fix:
Under System Options, Limit remote access connections to a single station
or single subnet.
SHow -SYS RemoteManager
------------------------------------------------------------------------
Remote-In allowed from the following addresses:
your.ip.subnet.here your.ip.addr.here
------------------------------------------------------------------------
Adam Spiers <adam@thelonious.new.ox.ac.uk>
My LANplex 2500 seems vulnerable:
LANplex 2500 (rev 6.20) - System ID 049bff Software version 4.3.0-7 - Built
11/10/95 03:49:46 PM
The debug user id is clearly visible in an ASCII dump of the 4.3.0-20 image
downloadable from ftp.3com.com.
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
