Bugtraq mailing list archives
Re: 3Com switches - undocumented access level.
From: mesrik () cc jyu fi (Riku Meskanen)
Date: Thu, 7 May 1998 21:56:26 +0300
On Wed, 6 May 1998, Durval Menezes wrote:

> Hello,
>
> PROBLEM: There appears to be a backdoor/undocumented "access level" in current (and possibly previous) versions of 3Com's "intelligent" and "extended" switching software for LanPlex/Corebuilder switches.
>
> Just checked my 3Com Superstack II intelligent hub and Switches (they have a similar Telnet interface) and they appear NOT to have this backdoor (humm, or does the backdoor use a different username/password? I wonder...)

No, but unfortunately there is another "tech" user that took me only about 20min to dig out from the compressed image. Same pair works for CellPlex 7000 :(

The username is tech, as is the password. I think that 3Com should be informed to release a security advisory ASAP.

Telnet, V1.0, 3Com NCD, 1996

LinkSwitch 2700 Rev 1.0
Software version Ver. 3.50 - Built Sep 11 1997 11:21:13

Select access level (read, write, admin): tech
Password: ****

LinkSwitch 2700 Rev 1.0 Administration Console
Accessed at tech access level.

main menu:
==========
[1] system - Administer System level functions ->
[2] ethernet - Administer Ethernet ports ->
[3] bridge - Administer Bridging ->
[4] atm - Administer ATM resources ->
[5] le - Administer LAN Emulation Clients ->
[6] vns - Administer Virtual Networks configuration ->
[7] management - Administer IP and SNMP ->
[8] quit - Logout of the administration console
[9] fast - Fast Setup
[10] tech - Special technician options ->
'\' - Main menu '-' - Prev menu

qui
Connection closed by foreign host.

Use tech/system/password to set new password.

Telnet, V1.0, 3Com NCD, 1996

-------------------------------
-        CELLplex 7000        -
-                             -
-     ATM Backbone Switch     -
-------------------------------

Access level (read, write, admin):tech
Password: ****

CP7000 switch module - Main Menu:
(1) SYS: Platform config ->
(2) LEM: Lan Emulation ->
(3) CON: Connections ->
(4) STS: Statistics ->
(5) DIA: Testing & Diagnostics ->
(6) FTR: ATM features
(7) LOG: Logout
(8) VER: Version
(9) FST: Fast Setup
(10) DBG: Debug ->
[ '\' -Main, '-' -Back in menus]
[ '=0'-To switch, '=n'-To i/f card n (1-4)]

7
Connection closed by foreign host.

Use (1)SYS\(1)SET\(2)PAS> to set new password.

Ok, now how about models 1000 and 3000 ? :-)

riku

--
[ This .signature intentionally left blank ]
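
A defensive check built on the two sessions in the message above, as an added example that is not part of the original post: it scans saved console transcripts and reports any login that succeeded at an access level the prompt did not advertise. The function name, the sample transcripts and the failed-login wording are constructed assumptions.

```python
import re

# Matches both prompt variants shown in the post:
#   "Select access level (read, write, admin): tech"
#   "Access level (read, write, admin):tech"
PROMPT = re.compile(r"access level \(([^)]*)\):\s*(\S+)", re.IGNORECASE)
# Lines that only appear once the console has accepted the login.
SUCCESS = re.compile(r"Accessed at \S+ access level|main menu:", re.IGNORECASE)


def undocumented_logins(transcript):
    """Return access levels that were accepted but not advertised in the prompt."""
    findings = []
    pending = None  # level typed at the latest prompt, kept only if unadvertised
    for line in transcript.splitlines():
        m = PROMPT.search(line)
        if m:
            advertised = {lvl.strip().lower() for lvl in m.group(1).split(",")}
            entered = m.group(2).lower()
            pending = entered if entered not in advertised else None
        elif pending and SUCCESS.search(line):
            findings.append(pending)
            pending = None  # count each accepted login once
    return findings


# Constructed transcripts, abbreviated from the sessions quoted in the post.
LINKSWITCH_TECH = """Select access level (read, write, admin): tech
Password: ****
LinkSwitch 2700 Rev 1.0 Administration Console
Accessed at tech access level.
main menu:"""

CELLPLEX_TECH = """Access level (read, write, admin):tech
Password: ****
CP7000 switch module - Main Menu:"""

# Assumed wording for a rejected login; the post does not show one.
REJECTED_THEN_READ = """Select access level (read, write, admin): tech
Password: ****
Incorrect password.
Select access level (read, write, admin): read
Password: ****
Accessed at read access level."""

if __name__ == "__main__":
    for name in ("LINKSWITCH_TECH", "CELLPLEX_TECH", "REJECTED_THEN_READ"):
        print(name, undocumented_logins(globals()[name]))
```

A non-empty result for a transcript means the device still accepts the hidden level and its password should be changed through the menu path given in the message.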