Bugtraq mailing list archives
Re: 3Com switches - undocumented access level.
From: mrichich () DRUNIVAC DREW EDU (Mike Richichi)
Date: Tue, 5 May 1998 15:13:53 -0400
-- Eric Monti wrote:
PROBLEM: There appears to be a backdoor/undocumented "access level" in current (and possibly previous) versions of 3Com's "intelligent" and "extended" switching software for LanPlex/Corebuilder switches. In addition to the "admin", "read", and "write" accounts, there is a "debug" account with a password of "synnet" on shipped images (including those available for download from infodeli.3com.com). The versions of firmware this was tested under include 7.0.1 and 8.1.1. The debug account appears to have all the privileges of the admin account plus some "debug" commands not available to any other ID. IMPACT: If you allow "remote administration" (telnet access), well... yeah. FIX: Login to the switch with the debug/synnet combo and use the "system password" command to change this to something non-default. You wont be able to change the password using the admin account.
It's even worse than it first appears, BTW. Not only is this backdoor password there, but you can change all the other access passwords from the "debug" account without having to know the old passwords. So, someone can lock you out of your switch completely. In addition, they can get to the "underlying OS shell", which looks like a very fun place to completely screw things up. I can verify this works with the Lanplex/Corebuilder 2500s (all SW versions 7.x and 8.x) and the CoreBuilder 3500 (ver 1.0.0.) I almost cried when I had a hardware failure and the 3Com tech told me about this backdoor. --Mike -------------------- Mike Richichi, Assistant Director, Drew University Academic Technology BC-COMPCEN, Madison, NJ 07940 +1 973 408 3840 FAX: +1 973 408 3995 mailto:mrichich () drunivac drew edu http://daniel.drew.edu/~mrichich "There are only two businesses who call their customers 'users'" -E. Tufte
Current thread:
- Re: 3Com switches - undocumented access level. Mike Richichi (May 05)
- Re: 3Com switches - undocumented access level. Doug Hughes (May 06)
- <Possible follow-ups>
- Re: 3Com switches - undocumented access level. Durval Menezes (May 06)
- Re: 3Com switches - undocumented access level. Durval Menezes (May 06)
- Re: 3Com switches - undocumented access level. Jean-Francois Malouin (May 06)
- Re: 3Com switches - undocumented access level. Riku Meskanen (May 07)
- dip 3.3.7 exploit jamez (May 07)
- dip-3.3.7o exploit zef (May 07)
- Re: 3Com switches - undocumented access level. Eric Monti (May 07)
- Re: 3Com switches - undocumented access level. Sasha Egan (May 08)
- NSCA HTTPD (for Windows) bug. Renos (May 08)