Bugtraq mailing list archives

Re: 3Com switches - undocumented access level.

From: mesrik () cc jyu fi (Riku Meskanen)
Date: Thu, 7 May 1998 21:56:26 +0300


On Wed, 6 May 1998, Durval Menezes wrote:

Hello,

PROBLEM:
There appears to be a backdoor/undocumented "access level" in current (and
possibly previous) versions of 3Com's "intelligent" and "extended"
switching software for LanPlex/Corebuilder switches.


Just checked my 3Com Superstack II intelligent hub and Switches (they have
a similar Telnet interface) and they appear NOT to have this backdoor
(humm, or does the backdoor use a different username/password? I wonder...)

No but unfortunately there is another "tech" user that took me
only about 20min to dig out from compressed image. Same pair
works for CellPlex 7000 :(

The username is tech, as is the password.

I'll think that 3Com should be informed to release a security
advisory ASAP.

Telnet, V1.0, 3Com NCD, 1996

LinkSwitch 2700 Rev 1.0
Software version Ver.  3.50  - Built Sep 11 1997 11:21:13

Select access level (read, write, admin): tech
Password: ****

LinkSwitch 2700 Rev 1.0 Administration Console
Accessed at tech access level.

main menu:
==========
   [1] system        - Administer System level functions ->
   [2] ethernet      - Administer Ethernet ports ->
   [3] bridge        - Administer Bridging ->
   [4] atm           - Administer ATM resources ->
   [5] le            - Administer LAN Emulation Clients ->
   [6] vns           - Administer Virtual Networks configuration ->
   [7] management    - Administer IP and SNMP ->
   [8] quit          - Logout of the administration console
   [9] fast          - Fast Setup
  [10] tech          - Special technician options ->

'\' - Main menu   '-' - Prev menu

quiConnection closed by foreign host.


Use tech/system/password to set new password.

Telnet, V1.0, 3Com NCD, 1996


                     -------------------------------
                     -     CELLplex    7000        -
                     -                             -
                     -  ATM     Backbone    Switch -
                     -------------------------------
Access level (read, write, admin):tech
Password: ****


CP7000 switch module - Main Menu:
   (1) SYS: Platform config ->
   (2) LEM: Lan Emulation ->
   (3) CON: Connections ->
   (4) STS: Statistics ->
   (5) DIA: Testing & Diagnostics ->
   (6) FTR: ATM features
   (7) LOG: Logout
   (8) VER: Version
   (9) FST: Fast Setup
  (10) DBG: Debug ->
[ '\' -Main,      '-' -Back in menus]
[ '=0'-To switch, '=n'-To i/f card n (1-4)]

Connection closed by foreign host.

Use (1)SYS\(1)SET\(2)PAS> to set new password.

Ok, now how about models 1000 and 3000 ?

:-) riku

--
    [ This .signature intentionally left blank ]

Current thread:

Re: 3Com switches - undocumented access level. Mike Richichi (May 05)
- Re: 3Com switches - undocumented access level. Doug Hughes (May 06)
- <Possible follow-ups>
- Re: 3Com switches - undocumented access level. Durval Menezes (May 06)
  - Re: 3Com switches - undocumented access level. Durval Menezes (May 06)
  - Re: 3Com switches - undocumented access level. Jean-Francois Malouin (May 06)
  - Re: 3Com switches - undocumented access level. Riku Meskanen (May 07)
    - dip 3.3.7 exploit jamez (May 07)
    - dip-3.3.7o exploit zef (May 07)
    - Re: 3Com switches - undocumented access level. Eric Monti (May 07)
    - Re: 3Com switches - undocumented access level. Sasha Egan (May 08)
    - NSCA HTTPD (for Windows) bug. Renos (May 08)
    - 4 Advisories for Digital Unix: ftp, advs, rpc.statd, ftpd Helmut Springer (May 08)
    - xterm exploit [TOG issue] Andrea Arcangeli (May 08)
  - BSDI 3.1/Squid Default Owner Jonathan A. Zdziarski (May 07)
- Re: 3Com switches - undocumented access level. Toh Chang Ying (May 08)
- Re: 3Com switches - undocumented access level. Aleph One (May 08)

(Thread continues...)