[8777] in bugtraq

home help back first fref pref prev next nref lref last post

3Com HiperARC "adm" user. WAS:RE: Re: 3com

daemon@ATHENA.MIT.EDU (Mike Wronski)
Tue Dec 22 16:02:23 1998

Date: 	Tue, 22 Dec 1998 09:42:47 -0600
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Mike Wronski <mike@COREDUMP.AE.USR.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199812211926.LAA27365@pop.thegrid.net>

|-----Original Message-----
|From: Bugtraq List [mailto:BUGTRAQ@netspace.org]On Behalf Of Entropy
|Sent: Monday, December 21, 1998 1:24 PM
|To: BUGTRAQ@netspace.org
|Subject: Fwd: Re: 3com
|
|
|  The software that 3com has developed for running the NMC (network
|management card) for the Total Control Hubs is a bit shady.

This has nothing to do with the NMC card. The "adm" user is on the HiperARC card.

|After uploading the software ( as one must do) YOU will notice a login
| account called "adm" with no password.
|  Naturally no one wants the "adm" login there, so they delete it from the
|configuration, and go on  programming the box. Once the box has been
| programmed and is ready to take calls, it is necessary to save all
|settings, and hardware reset the box, at this point the box is fully
|configured, and ready to
| take calls. The problem is this, the "adm" login requiring no password, is
| still there after the hardware reset!!! It cannot be deleted!
|     I have ran a trace route on over 37 ISP's, found there HD box's, and
|have been able to get
| into 21 of them through this security hole!


The 'adm' user is no different than the manage user on the older Netserver
product. Both are clearly described in the release notes that they come with no
password set.  This information is posted on the Totalservice along with the
4.1.11 code. (ftp://totalservice.usr.com/pub/.docs/config.txt)

The difference on the newer HARC cards is that you can add more manage users and
disable the adm if so desired.  The fact that people don't read documentation
when they install new software is the cause of this problem.

The latest release of code 4.1.72-7 (located on the Totalservice web site) has
the ability to delete the "adm" user and it will not come back after a reboot.

This posting does serve a purpose since it seem that many have overlooked this
and left themselves open.  Misconfiguration is often the cause of security
breach, but I wouldn't call this a hole. Hopefully those that overlooked this
will at least read the release notes next time. Since the manual is out of the
question. :).


|       The admin that programmed the box has no reason to go back into the
|configuration after doing the
|hardware reset, he has already gone over and double checked his settings,
|they all looked good, and hardware reset has gone into action as the last
|step.., he has no clue that the "adm" he has deleted is still there, and
|active.
|      In order to stop the "adm" login one can only dis-able the "adm"
| login, not delete it....this is the only way to stop the login.



| I have tested this on the current, and last 3 releases of software put out
| by 3com for the NMC card.  3Com has been notified.

Once again. No such password exists on the NMC. It is a item on the HARC.


---------------------------------------------------------
Mike Wronski (mike@coredump.ae.usr.com)
Rogue 3Com Network Systems Engineer / BETA Engineer
PGP:http://coredump.ae.usr.com/pgp
"If at first you do succeed, try not to look astonished."

home help back first fref pref prev next nref lref last post