Bugtraq mailing list archives

Re: 3Com switches - undocumented access level.


From: mrichich () DRUNIVAC DREW EDU (Mike Richichi)
Date: Tue, 5 May 1998 15:13:53 -0400


--

Eric Monti wrote:


PROBLEM:
There appears to be a backdoor/undocumented "access level" in current (and
possibly previous) versions of 3Com's "intelligent" and "extended"
switching software for LanPlex/Corebuilder switches. In addition to the
"admin", "read", and "write" accounts, there is a "debug" account with a
password of "synnet" on shipped images (including those available for
download from infodeli.3com.com). The versions of firmware this was tested
under include 7.0.1 and 8.1.1. The debug account appears to have all the
privileges of the admin account plus some "debug" commands not available
to any other ID.

IMPACT:
If you allow "remote administration" (telnet access), well... yeah.

FIX:
Log in to the switch with the debug/synnet combo and use the "system
password" command to change this to something non-default. You won't be
able to change the password using the admin account.

It's even worse than it first appears, BTW.  Not only is this backdoor password
there, but you can change all the other access passwords from the "debug"
account without having to know the old passwords.  So, someone can lock you out
of your switch completely.  In addition, they can get to the "underlying OS
shell", which looks like a very fun place to completely screw things up.

I can verify this works with the LanPlex/Corebuilder 2500s (all SW versions 7.x
and 8.x) and the CoreBuilder 3500 (ver 1.0.0.)  I almost cried when I
had a hardware failure and the 3Com tech told me about this backdoor.

--Mike

--------------------
Mike Richichi, Assistant Director,     Drew University Academic Technology
BC-COMPCEN, Madison, NJ 07940        +1 973 408 3840  FAX: +1 973 408 3995
mailto:mrichich () drunivac drew edu         http://daniel.drew.edu/~mrichich
"There are only two businesses who call their customers 'users'" -E. Tufte


