[6726] in bugtraq
Re: 3Com switches - undocumented access level.)
daemon@ATHENA.MIT.EDU (Aleph One)
Sun May 10 16:31:26 1998
Date: Sun, 10 May 1998 14:41:37 -0500
Reply-To: Aleph One <aleph1@NATIONWIDE.NET>
From: Aleph One <aleph1@NATIONWIDE.NET>
To: BUGTRAQ@NETSPACE.ORG
Summary of multiple posts on the subject:
Riku Meskanen <mesrik@cc.jyu.fi>
LanPlex2500/Corebuilder
- login: debug
- password: synnet
LinkSwitch 2700, SuperStack 2700, CellPlex 7000
- login: tech
- password: tech
SuperStack II 1000 ja SuperStack II 3000
- login: monitor
- password: monitor
Joel Moses <jmoses@dttus.com>
CoreBuilder 7000-series has the problem. It is safe to change that
password on this model. Please note that if you have multiple management
cards, each one will have the password enabled.
Philippe Regnauld <regnauld@deepo.prosa.dk>
Netbuilder 2xx (v. SW/NBRO-AB,9.1): Nothing so far.
James Robertson <james@hal.utmb.edu>
I have checked Netbulder Version 8.4 up to 10.1. None of these versions
have a backdoor that I know of. I also scanned the boot images for any
hints, none found so far.
Also, Superstack II Switch 1100, 3000, 3300 do not have the 'tech'
backdoor nor does a scan of the boot image show any hints of the same.
There is another way to gain access to a Netbuilder. All 3Com Netbuilders
support a remote command. The remote command comes with RBCS ( Remote Boot
and Configuration Services ) and Transcend Management Suite.
If you are root on a Netbuilder and know the address of someone elses
Netbuilder you can remote to their Netbuiler from yours and gain root
privelages.
Fix:
Under System Options, Limit remote access connections to a single station
or single subnet.
SHow -SYS RemoteManager
===============================================
Remote-In allowed from the following addresses:
your.ip.subnet.here your.ip.addr.here
===============================================
Adam Spiers <adam@thelonious.new.ox.ac.uk>
My LANplex 2500 seems vulnerable:
LANplex 2500 (rev 6.20) - System ID 049bff
Software version 4.3.0-7 - Built 11/10/95 03:49:46 PM
The debug user id is clearly visible in an ASCII dump of the 4.3.0-20
image downloadable from ftp.3com.com.
