[ http://www.rootshell.com/ ]

Date: Tue, 5 May 1998 12:33:09 -0500
From: Eric Monti
Subject: 3Com switches - undocumented access level.

I don't know if this is known or documented elsewhere but it took me by
surprise, so here goes. The recent posts about the rcon user in quake
servers have reminded me that I still haven't heard back from 3Com about
the following "feature". My experience has shown that switches are not as
much missile chucking fun as quake, but that isn't to say you can't play
games on one.

PROBLEM:
There appears to be a backdoor/undocumented "access level" in current (and
possibly previous) versions of 3Com's "intelligent" and "extended"
switching software for LanPlex/Corebuilder switches. In addition to the
"admin", "read", and "write" accounts, there is a "debug" account with a
password of "synnet" on shipped images (including those available for
download from infodeli.3com.com). The versions of firmware this was tested
under include 7.0.1 and 8.1.1. The debug account appears to have all the
privileges of the admin account plus some "debug" commands not available
to any other ID.

IMPACT:
If you allow "remote administration" (telnet access), well... yeah.

FIX:
Log in to the switch with the debug/synnet combo and use the "system
password" command to change this to something non-default. You won't be
able to change the password using the admin account.

---------------------------------------------------------------------------

Date: Tue, 5 May 1998 15:13:53 -0400
From: Mike Richichi
Subject: Re: 3Com switches - undocumented access level.

-- Eric Monti wrote:
>
> PROBLEM:
> There appears to be a backdoor/undocumented "access level" in current (and
> possibly previous) versions of 3Com's "intelligent" and "extended"
> switching software for LanPlex/Corebuilder switches.
> In addition to the
> "admin", "read", and "write" accounts, there is a "debug" account with a
> password of "synnet" on shipped images (including those available for
> download from infodeli.3com.com). The versions of firmware this was tested
> under include 7.0.1 and 8.1.1. The debug account appears to have all the
> privileges of the admin account plus some "debug" commands not available
> to any other ID.
>
> IMPACT:
> If you allow "remote administration" (telnet access), well... yeah.
>
> FIX:
> Log in to the switch with the debug/synnet combo and use the "system
> password" command to change this to something non-default. You won't be
> able to change the password using the admin account.

It's even worse than it first appears, BTW. Not only is this backdoor
password there, but you can change all the other access passwords from the
"debug" account without having to know the old passwords. So, someone can
lock you out of your switch completely. In addition, they can get to the
"underlying OS shell", which looks like a very fun place to completely
screw things up.

I can verify this works with the Lanplex/Corebuilder 2500s (all SW
versions 7.x and 8.x) and the CoreBuilder 3500 (ver 1.0.0.)

I almost cried when I had a hardware failure and the 3Com tech told me
about this backdoor.

--Mike

--------------------
Mike Richichi, Assistant Director, Drew University Academic Technology
BC-COMPCEN, Madison, NJ 07940   +1 973 408 3840   FAX: +1 973 408 3995
mailto:mrichich@drunivac.drew.edu   http://daniel.drew.edu/~mrichich
"There are only two businesses who call their customers 'users'" -E. Tufte

---------------------------------------------------------------------------

Date: Wed, 6 May 1998 09:33:53 -0500
From: Doug Hughes
Subject: Re: 3Com switches - undocumented access level.

It appears (thankfully!) that the LinkSwitch product line does not have
this debug back door (at least not the firmware version that we are using,
and at least not with the synnet password).
____________________________________________________________________________
Doug Hughes                         Engineering Network Services
System/Net Admin                    Auburn University
doug@eng.auburn.edu

---------------------------------------------------------------------------

Date: Wed, 6 May 1998 09:59:45 -0300
From: Durval Menezes
Subject: Re: 3Com switches - undocumented access level.

Hello,

> PROBLEM:
> There appears to be a backdoor/undocumented "access level" in current (and
> possibly previous) versions of 3Com's "intelligent" and "extended"
> switching software for LanPlex/Corebuilder switches.

Just checked my 3Com Superstack II intelligent hub and Switches (they have
a similar Telnet interface) and they appear NOT to have this backdoor
(humm, or does the backdoor use a different username/password? I wonder...)

Best Regards,
--
Durval Menezes (durval@tmp.com.br, http://www.tmp.com.br/~durval)

---------------------------------------------------------------------------

Date: Wed, 6 May 1998 14:50:37 -0300
From: Durval Menezes
Subject: Re: 3Com switches - undocumented access level.

Hello again,

A little update: just checked an ASCII dump of the FMS-II Superstack Hub
firmware (3Com's P/N 3c16630a) looking for undocumented username/password
strings and didn't find any... that doesn't mean that there isn't one,
though.

BTW: Don't you love it when your trusty vendor sticks security backdoors
in their products? :-( I used to recommend 3Com products to my clients but
now I'm starting to have second thoughts...

> > PROBLEM:
> > There appears to be a backdoor/undocumented "access level" in current (and
> > possibly previous) versions of 3Com's "intelligent" and "extended"
> > switching software for LanPlex/Corebuilder switches.
>
> Just checked my 3Com Superstack II intelligent hub and Switches (they have
> a similar Telnet interface) and they appear NOT to have this backdoor
> (humm, or does the backdoor use a different username/password? I wonder...)
Best Regards,
--
Durval Menezes (durval@tmp.com.br, http://www.tmp.com.br/~durval)

---------------------------------------------------------------------------

Date: Wed, 6 May 1998 16:28:06 -0400
From: Jean-Francois Malouin
Subject: Re: 3Com switches - undocumented access level.

On Wed, May 06, 1998 at 09:59:45AM -0300, Durval Menezes wrote:
> Hello,
>
> Just checked my 3Com Superstack II intelligent hub and Switches (they have
> a similar Telnet interface) and they appear NOT to have this backdoor
> (humm, or does the backdoor use a different username/password? I wonder...)
>
> Best Regards,
> --
> Durval Menezes (durval@tmp.com.br, http://www.tmp.com.br/~durval)

well, I can confirm that the 3Com LANplex 2500 (rev 7.15) with

Version 7.0.1-19 - Built 01/17/97 02:41:17 PM

is open to this backdoor...well, not anymore... ;)

jf
--
J.-F. Malouin, System/Network Manager, Email:
Brain Imaging Center, McGill U., 3801 University St, Montreal, Que., H3A 2B4
Voice:(514)398-8924, Fax:(514)398-8948, PGP: finger malin@bic.mni.mcgill.ca
"Reality is that which, when you stop believing in it, doesn't go away." PKD

---------------------------------------------------------------------------

Date: Thu, 7 May 1998 21:56:26 +0300
From: Riku Meskanen
Subject: Re: 3Com switches - undocumented access level.

On Wed, 6 May 1998, Durval Menezes wrote:
> Hello,
>
> > PROBLEM:
> > There appears to be a backdoor/undocumented "access level" in current (and
> > possibly previous) versions of 3Com's "intelligent" and "extended"
> > switching software for LanPlex/Corebuilder switches.
>
> Just checked my 3Com Superstack II intelligent hub and Switches (they have
> a similar Telnet interface) and they appear NOT to have this backdoor
> (humm, or does the backdoor use a different username/password? I wonder...)
>

No, but unfortunately there is another "tech" user that took me only about
20 min to dig out from the compressed image.
Same pair works for CellPlex 7000 :(

The username is tech, as is the password. I think that 3Com should be
informed to release a security advisory ASAP.

Telnet, V1.0, 3Com NCD, 1996

LinkSwitch 2700 Rev 1.0
Software version Ver. 3.50 - Built Sep 11 1997 11:21:13

Select access level (read, write, admin): tech
Password: ****

LinkSwitch 2700 Rev 1.0 Administration Console

Accessed at tech access level.

main menu:
==========
 [1] system      - Administer System level functions ->
 [2] ethernet    - Administer Ethernet ports ->
 [3] bridge      - Administer Bridging ->
 [4] atm         - Administer ATM resources ->
 [5] le          - Administer LAN Emulation Clients ->
 [6] vns         - Administer Virtual Networks configuration ->
 [7] management  - Administer IP and SNMP ->
 [8] quit        - Logout of the administration console
 [9] fast        - Fast Setup
[10] tech        - Special technician options ->

'\' - Main menu   '-' - Prev menu
> quiConnection closed by foreign host.

Use tech/system/password to set new password.

Telnet, V1.0, 3Com NCD, 1996
-------------------------------
-       CELLplex 7000         -
-                             -
-     ATM Backbone Switch     -
-------------------------------

Access level (read, write, admin):tech
Password: ****

CP7000 switch module - Main Menu:
 (1) SYS: Platform config ->
 (2) LEM: Lan Emulation ->
 (3) CON: Connections ->
 (4) STS: Statistics ->
 (5) DIA: Testing & Diagnostics ->
 (6) FTR: ATM features
 (7) LOG: Logout
 (8) VER: Version
 (9) FST: Fast Setup
(10) DBG: Debug ->
[ '\' -Main, '-' -Back in menus]
[ '=0'-To switch, '=n'-To i/f card n (1-4)]
>
>7
Connection closed by foreign host.

Use (1)SYS\(1)SET\(2)PAS> to set new password.

Ok, now how about models 1000 and 3000 ? :-)

riku
--
[ This .signature intentionally left blank ]

---------------------------------------------------------------------------

Date: Fri, 8 May 1998 11:35:56 -0500
From: Aleph One
Subject: Re: 3Com switches - undocumented access level.

This is a summary of a number of posts.
Please, if you will be reporting a system as vulnerable or not, always
include the software version you are using.

Peter Mount mentions that his LinkSwitch does have the backdoor. His
software version is:

-> version
VxWorks (for LinkSwitch 2000) version 5.0.2b.
Kernel: WIND version 2.0.
Made on Wed Dec 18 22:27:52 EST 1996.
Boot line:
pcmcia(0,0) f=0x20008
value = 33 = 0x21 = '!'

Riku Meskanen reports that the CellPlex 1000 doesn't seem to have the tech
user backdoor. He fails to mention the software version.

Alan Cox mentions that when he worked for 3com there were no useful
security contacts. He also states that 3com is divided into units. Each
unit is very independent and will often use different code bases. So a
given problem is likely to hit one section of 3com products only.

Could someone check the following 3com products: Accessbuilder, Netbuilder.

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
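The transcripts Riku Meskanen quoted show exactly what these consoles print around a login, which is enough to audit a fleet for the debug/synnet and tech/tech pairs before changing them. The script below is an added example, not code posted by anyone in this thread or shipped by 3Com. It connects over telnet, strips option negotiation, answers the access-level and password prompts, and reports a login as accepted only when the console prints the "Accessed at ... access level" line (LinkSwitch) or a "Main Menu" header (CELLplex 7000), both copied from the transcripts above. What a switch prints on a rejected login is not shown anywhere in the thread; the script assumes it either re-prompts or disconnects, and treats any reply it cannot classify as "not confirmed" rather than as safe. Hostnames on the command line, the 8 KB read limit and the 5 second timeout are the script's own choices.

```python
"""Check 3Com LANplex/CoreBuilder/LinkSwitch/CELLplex telnet consoles for the
default logins reported in this thread (added example, not 3Com's code)."""
import re
import socket
import sys

# Username/password pairs named by Eric Monti and Riku Meskanen above.
DEFAULT_LOGINS = (("debug", "synnet"), ("tech", "tech"))

# Prompt variants from the LinkSwitch 2700 and CELLplex 7000 transcripts.
ACCESS_PROMPT_RE = re.compile(r"(?:Select )?[Aa]ccess level \([^)]*\):")
PASSWORD_PROMPT = "Password:"
ACCESSED_RE = re.compile(r"Accessed at (\w+) access level")   # LinkSwitch
MENU_RE = re.compile(r"[Mm]ain [Mm]enu")                       # CELLplex 7000

IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL, WONT, DO, DONT


def strip_telnet(data: bytes) -> str:
    """Remove telnet option negotiation so prompt matching sees only text."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif i + 1 >= len(data):
            break                                # truncated IAC: wait for more
        elif data[i + 1] == IAC:
            out.append(IAC); i += 2              # escaped 0xFF data byte
        elif data[i + 1] in NEGOTIATE:
            i += 3                               # IAC <cmd> <option>
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                               # IAC <cmd> (NOP, GA, ...)
    return out.decode("latin-1")


def classify(reply: str):
    """Return (access_level, accepted) for what the console printed after
    the password was sent. Unrecognised output is reported as not accepted."""
    m = ACCESSED_RE.search(reply)
    if m:
        return m.group(1), True
    after_pw = reply.split(PASSWORD_PROMPT)[-1]
    if MENU_RE.search(after_pw):                 # CELLplex prints no "Accessed at"
        return None, True
    return None, False


def read_until(sock, done, timeout=5.0, limit=8192) -> str:
    """Read until done(text) is true, the peer closes, or the timeout/limit."""
    sock.settimeout(timeout)
    buf = b""
    while len(buf) < limit:
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
        if done(strip_telnet(buf)):
            break
    return strip_telnet(buf)


def probe(host, port=23, timeout=5.0):
    """Try each default pair; return [(user, level)] the switch accepted."""
    hits = []
    for user, password in DEFAULT_LOGINS:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = read_until(s, ACCESS_PROMPT_RE.search, timeout)
            if not ACCESS_PROMPT_RE.search(banner):
                raise RuntimeError(f"{host}: no 3Com access-level prompt seen")
            s.sendall(user.encode() + b"\r\n")
            read_until(s, lambda t: PASSWORD_PROMPT in t, timeout)
            s.sendall(password.encode() + b"\r\n")
            reply = read_until(
                s, lambda t: classify(t)[1] or ACCESS_PROMPT_RE.search(t), timeout)
            level, ok = classify(reply)
            if ok:
                hits.append((user, level or "unknown"))
                s.sendall(b"quit\r\n")           # log out as in the transcript
    return hits


# Constructed replies modelled on the quoted transcripts (offline samples).
SAMPLE_LINKSWITCH = ("Select access level (read, write, admin): tech\r\n"
                     "Password: ****\r\nLinkSwitch 2700 Rev 1.0 Administration "
                     "Console\r\nAccessed at tech access level.\r\nmain menu:\r\n")
SAMPLE_CELLPLEX = ("Access level (read, write, admin):tech\r\nPassword: ****\r\n"
                   "CP7000 switch module - Main Menu:\r\n")
SAMPLE_REJECTED = ("Access level (read, write, admin):debug\r\nPassword: ****\r\n"
                   "Access level (read, write, admin):")

if __name__ == "__main__":
    for host in sys.argv[1:]:
        found = probe(host)
        print(host, f"default login ACCEPTED: {found}" if found
              else "default logins not confirmed")
```

Run it as `python3 check3com.py switch1 switch2` against switches you administer; each probe is a real login at the debug or tech level, so it belongs in a maintenance window and in the change log. A hit means the box is in the state Mike Richichi describes, where that level can reset every other password, and the only fix the thread offers is to log in at that level and set a new password (system password on the LanPlex/CoreBuilder, tech/system/password on the LinkSwitch 2700, SYS/SET/PAS on the CELLplex 7000), then re-run the check to confirm the old pair is rejected.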