[6692] in bugtraq
Re: 3Com switches - undocumented access level.
daemon@ATHENA.MIT.EDU (Riku Meskanen)
Thu May 7 18:01:17 1998
Date: Thu, 7 May 1998 21:56:26 +0300
Reply-To: Riku Meskanen <mesrik@cc.jyu.fi>
From: Riku Meskanen <mesrik@CC.JYU.FI>
X-To: Durval Menezes <durval@TMP.COM.BR>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199805061259.JAA17757@liliput.tmp.com.br>
On Wed, 6 May 1998, Durval Menezes wrote:
> Hello,
>
> > PROBLEM:
> > There appears to be a backdoor/undocumented "access level" in current (and
> > possibly previous) versions of 3Com's "intelligent" and "extended"
> > switching software for LanPlex/Corebuilder switches.
>
> Just checked my 3Com Superstack II intelligent hub and Switches (they have
> a similar Telnet interface) and they appear NOT to have this backdoor
> (humm, or does the backdoor use a different username/password? I wonder...)
>
No but unfortunately there is another "tech" user that took me
only about 20min to dig out from compressed image. Same pair
works for CellPlex 7000 :(
The username is tech, as is the password.
I'll think that 3Com should be informed to release a security
advisory ASAP.
Telnet, V1.0, 3Com NCD, 1996
LinkSwitch 2700 Rev 1.0
Software version Ver. 3.50 - Built Sep 11 1997 11:21:13
Select access level (read, write, admin): tech
Password: ****
LinkSwitch 2700 Rev 1.0 Administration Console
Accessed at tech access level.
main menu:
==========
[1] system - Administer System level functions ->
[2] ethernet - Administer Ethernet ports ->
[3] bridge - Administer Bridging ->
[4] atm - Administer ATM resources ->
[5] le - Administer LAN Emulation Clients ->
[6] vns - Administer Virtual Networks configuration ->
[7] management - Administer IP and SNMP ->
[8] quit - Logout of the administration console
[9] fast - Fast Setup
[10] tech - Special technician options ->
'\' - Main menu '-' - Prev menu
> quiConnection closed by foreign host.
Use tech/system/password to set new password.
Telnet, V1.0, 3Com NCD, 1996
-------------------------------
- CELLplex 7000 -
- -
- ATM Backbone Switch -
-------------------------------
Access level (read, write, admin):tech
Password: ****
CP7000 switch module - Main Menu:
(1) SYS: Platform config ->
(2) LEM: Lan Emulation ->
(3) CON: Connections ->
(4) STS: Statistics ->
(5) DIA: Testing & Diagnostics ->
(6) FTR: ATM features
(7) LOG: Logout
(8) VER: Version
(9) FST: Fast Setup
(10) DBG: Debug ->
[ '\' -Main, '-' -Back in menus]
[ '=0'-To switch, '=n'-To i/f card n (1-4)]
>
>7
Connection closed by foreign host.
Use (1)SYS\(1)SET\(2)PAS> to set new password.
Ok, now how about models 1000 and 3000 ?
:-) riku
--
[ This .signature intentionally left blank ]
