|Description:||Numerous 3com products apparently have secret backdoors in case the administrator "forgets the password". Yeah, there is a good idea. BIOS vendors have the annoying habit of making passwords useless the same way, but at least there the attacker needs physical access. With 3com the attacker can telnet over to your network from bis.bg in Sofiya, Bulgaria and reconfigure your routers!|
|Author:||Eric Monti <monti@MAIL.NETURAL.COM> and others|
|Compromise:||Intruders can reconfigure and basically take over your switches|
|Vulnerable Systems:||Many 3com products have various backdoors including: LanPlex/Corebuilder switches, 3Com LANplex 2500 , CellPlex 7000|
|Date:||5 May 1998|
|Notes:||Another post I appended notes that admin passwords and SNMP keys are available vi the "public" SNMP community by default.|
Date: Tue, 5 May 1998 12:33:09 -0500 From: Eric Monti <monti@MAIL.NETURAL.COM> To: BUGTRAQ@NETSPACE.ORG Subject: 3Com switches - undocumented access level. I dont know if this is known or documented elsewhere but it took me by suprise, so here goes. The recent posts about the rcon user in quake servers have reminded me that I still havent heard back from 3Com about the following "feature". My experience has shown that switches are not as much missle chucking fun as quake, but that isnt to say you cant play games on one. <hyuk> PROBLEM: There appears to be a backdoor/undocumented "access level" in current (and possibly previous) versions of 3Com's "intelligent" and "extended" switching software for LanPlex/Corebuilder switches. In addition to the "admin", "read", and "write" accounts, there is a "debug" account with a password of "synnet" on shipped images (including those available for download from infodeli.3com.com). The versions of firmware this was tested under include 7.0.1 and 8.1.1. The debug account appears to have all the privileges of the admin account plus some "debug" commands not available to any other ID. IMPACT: If you allow "remote administration" (telnet access), well... yeah. FIX: Login to the switch with the debug/synnet combo and use the "system password" command to change this to something non-default. You wont be able to change the password using the admin account. Date: Tue, 5 May 1998 15:13:53 -0400 From: Mike Richichi <mrichich@DRUNIVAC.DREW.EDU> To: BUGTRAQ@NETSPACE.ORG Subject: Re: 3Com switches - undocumented access level. -- Eric Monti wrote: > > PROBLEM: > There appears to be a backdoor/undocumented "access level" in current (and > possibly previous) versions of 3Com's "intelligent" and "extended" > switching software for LanPlex/Corebuilder switches. In addition to the > "admin", "read", and "write" accounts, there is a "debug" account with a > password of "synnet" on shipped images (including those available for > download from infodeli.3com.com). The versions of firmware this was tested > under include 7.0.1 and 8.1.1. The debug account appears to have all the > privileges of the admin account plus some "debug" commands not available > to any other ID. > > IMPACT: > If you allow "remote administration" (telnet access), well... yeah. > > FIX: > Login to the switch with the debug/synnet combo and use the "system > password" command to change this to something non-default. You wont be > able to change the password using the admin account. It's even worse than it first appears, BTW. Not only is this backdoor password there, but you can change all the other access passwords from the "debug" account without having to know the old passwords. So, someone can lock you out of your switch completely. In addition, they can get to the "underlying OS shell", which looks like a very fun place to completely screw things up. I can verify this works with the Lanplex/Corebuilder 2500s (all SW versions 7.x and 8.x) and the CoreBuilder 3500 (ver 1.0.0.) I almost cried when I had a hardware failure and the 3Com tech told me about this backdoor. --Mike -------------------- Mike Richichi, Assistant Director, Drew University Academic Technology BC-COMPCEN, Madison, NJ 07940 +1 973 408 3840 FAX: +1 973 408 3995 mailto:email@example.com http://daniel.drew.edu/~mrichich "There are only two businesses who call their customers 'users'" -E. Tufte Date: Wed, 6 May 1998 16:28:06 -0400 From: Jean-Francois Malouin <Jean-Francois.Malouin@bic.mni.mcgill.ca> To: BUGTRAQ@NETSPACE.ORG Subject: Re: 3Com switches - undocumented access level. On Wed, May 06, 1998 at 09:59:45AM -0300, Durval Menezes wrote: > Hello, > > Just checked my 3Com Superstack II intelligent hub and Switches (they have > a similar Telnet interface) and they appear NOT to have this backdoor > (humm, or does the backdoor use a different username/password? I wonder...) > > Best Regards, > -- > Durval Menezes (firstname.lastname@example.org, http://www.tmp.com.br/~durval) well, I can confirm that the 3Com LANplex 2500 (rev 7.15) with Version 7.0.1-19 - Built 01/17/97 02:41:17 PM is open to this backdoor...well, not anymore... ;) jf -- J.-F. Malouin, System/Network Manager, Email: <email@example.com> Brain Imaging Center, McGill U., 3801 University St, Montreal, Que., H3A 2B4 Voice:(514)398-8924, Fax:(514)398-8948, PGP: finger firstname.lastname@example.org "Reality is that which, when you stop believing in it, doesn't go away." PKD Date: Thu, 7 May 1998 21:56:26 +0300 From: Riku Meskanen <email@example.com> To: BUGTRAQ@NETSPACE.ORG Subject: Re: 3Com switches - undocumented access level. On Wed, 6 May 1998, Durval Menezes wrote: > Hello, > > > PROBLEM: > > There appears to be a backdoor/undocumented "access level" in current (and > > possibly previous) versions of 3Com's "intelligent" and "extended" > > switching software for LanPlex/Corebuilder switches. > > Just checked my 3Com Superstack II intelligent hub and Switches (they have > a similar Telnet interface) and they appear NOT to have this backdoor > (humm, or does the backdoor use a different username/password? I wonder...) > No but unfortunately there is another "tech" user that took me only about 20min to dig out from compressed image. Same pair works for CellPlex 7000 :( The username is tech, as is the password. I'll think that 3Com should be informed to release a security advisory ASAP. Telnet, V1.0, 3Com NCD, 1996 LinkSwitch 2700 Rev 1.0 Software version Ver. 3.50 - Built Sep 11 1997 11:21:13 Select access level (read, write, admin): tech Password: **** LinkSwitch 2700 Rev 1.0 Administration Console Accessed at tech access level. main menu: ==========  system - Administer System level functions ->  ethernet - Administer Ethernet ports ->  bridge - Administer Bridging ->  atm - Administer ATM resources ->  le - Administer LAN Emulation Clients ->  vns - Administer Virtual Networks configuration ->  management - Administer IP and SNMP ->  quit - Logout of the administration console  fast - Fast Setup  tech - Special technician options -> '\' - Main menu '-' - Prev menu > quiConnection closed by foreign host. Use tech/system/password to set new password. Telnet, V1.0, 3Com NCD, 1996 ------------------------------- - CELLplex 7000 - - - - ATM Backbone Switch - ------------------------------- Access level (read, write, admin):tech Password: **** CP7000 switch module - Main Menu: (1) SYS: Platform config -> (2) LEM: Lan Emulation -> (3) CON: Connections -> (4) STS: Statistics -> (5) DIA: Testing & Diagnostics -> (6) FTR: ATM features (7) LOG: Logout (8) VER: Version (9) FST: Fast Setup (10) DBG: Debug -> [ '\' -Main, '-' -Back in menus] [ '=0'-To switch, '=n'-To i/f card n (1-4)] > >7 Connection closed by foreign host. Use (1)SYS\(1)SET\(2)PAS> to set new password. Ok, now how about models 1000 and 3000 ? :-) riku -- [ This .signature intentionally left blank ] Date: Fri, 8 May 1998 11:35:56 -0500 From: Aleph One <firstname.lastname@example.org> To: BUGTRAQ@NETSPACE.ORG Subject: Re: 3Com switches - undocumented access level. This is a summary of a number of posts. Please, if you will be reporting a system as vulnerable or not always include the software version you are using. Peter Mount <email@example.com> mentions that his LinkSwitch does have the backdoor. His software version is: -> version VxWorks (for LinkSwitch 2000) version 5.0.2b. Kernel: WIND version 2.0. Made on Wed Dec 18 22:27:52 EST 1996. Boot line: pcmcia(0,0) f=0x20008 value = 33 = 0x21 = '!' Riku Meskanen <firstname.lastname@example.org> reports that the CellPlex 1000 doesn't seem to have the tech user backdoor. He fails to mention the software version. Alan Cox <email@example.com> mentions that when he worked for 3com there was no useful security contacts. The also states that 3com is divided into units. Each unit is very independent and will often use different code bases. So a given problem is likely to hit one section of 3com products only. Could someone check the following 3com products: Accessbuilder, Netbuilder. Aleph One / firstname.lastname@example.org http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01 Date: Sun, 10 May 1998 18:31:34 -0500 From: Michael Mittelstadt <meek@EXECPC.COM> To: BUGTRAQ@NETSPACE.ORG Subject: Re: 3Com switches - undocumented access level. [Quoth Sasha Egan] ] Sorry about this, I forgot to mention it.. ] ] To get the interview with the network tech at 3Com, I had to list myself ] as a primary contact...if you need any information from me: ] my phone number is (505) 861-4981 ] My pager is (505) 875-8866 ] just in case... It might also be worth mentioning to 3Com that the enterprise MIB (at least for the Corebuilder 3500) contains the passwords and the snmp keys for the box. If some poor sap sets their SNMP key to something guessable (like, oh, I dunno, 'public'), you can get the admin password and SNMP key with these: enterprises.synernetics.lanplex.lanplexSystemsMib.1.19.0 = "password" enterprises.synernetics.lanplex.lanplexSystemsMib.6.7.0 = "public" I don't know what the wisdom of putting the password in the MIB is. This is true with both software release 1.0 and 1.1 on the Corebuilder 3500. And since it's the synernetics enterprise MIB, it's my educated guess that this info is on other corebuilder and lanplex boxen. With release 1.0 on the corebuilder, I also had the misfortune of being able to reboot the box by sending a lot of UDP traffic to it's administrative port. Being paranoid, I ran netcat against it, wanting to know what ports it listened on. About 10 seconds later, it reboots. rel 1.1 seems more robust. IMHO, the Corebuilder 3500 just feels like a product that went out the door too fast to be early to market, without giving security or robustness enough of a thought. -- Michael Mittelstadt email@example.com VP - Internet Techologies ExecPC Internet http://www.execpc.com/~meek 1-800-ExecPC-1
Date: Sat, 9 May 1998 12:57:35 +0300
From: Riku Meskanen <firstname.lastname@example.org>
Subject: Re: 3Com switches - undocumented access level.)
On Fri, 8 May 1998, Aleph One wrote:
> Riku Meskanen <email@example.com> reports that the CellPlex 1000 doesn't > seem to have the tech user backdoor. He fails to mention the software > version.
Ehem, Model 1000 and 3000 are SuperStacks. There is no CellPlex 1000.
SuperStack 2700, formerly LinkSwitch 2700 (basically same stuff with little difference in chassis), is ethernet switch which can be equiped wit ATM interface.
CellPlex (model 7000 or newer 7000HD) is just a plain ATM-switch.
I'm sorry about my bad english which may have confused you.
About the versions. The LinkSwitch softare version tested (later sold as SuperStack 2700) was on my first post (shown on login screen), but here is it again.
LinkSwitch 2700 Rev 1.0
Software version Ver. 3.50 - Built Sep 11 1997 11:21:13
The CellPlex "(8) VER: Version" -option from main menu shows,
CELLplex Software Versions:
Switch Management version: 3.25
Internal Communication version: 3.2
I/F Control Card 1 version: Ver. 3.20 I/F Control Card 2 version: Ver. 3.20 4-PB FPGA Transmit version: 1.0 4-PB FPGA Receive version: 2.3 8-PB FPGA Transmit version: 3.2 8-PB FPGA Receive version: 3.2 ALC type: ALC_87 R&D version: 3.20N
DATE Feb 16 1997: TIME 23:17:24
I can also confirm that debug/synnet worked here for LANPlex2500 which system/display shows following.
LANplex 2500 (rev 7.19) - System ID 0bc906
Extended Switching Software
Version 7.0.1 - Built 06/12/96 05:48:41 PM
But then some new stuff :)
Q: Right, but how about SuperStack II Switch 1000, does it has
undocumented access level?
Hardware Version: 3 Upgradable Software Version: 3.21 Boot Software Version: 3.10
Q: Is the SuperStack II Switch 3000 also affected, as it's basically
same the same family line.
Hardware Version: 5 Upgradable Software Version: 3.10 Boot Software Version: 2.10
Q: How did you find these strings.
Extract the first file, ie. the lines begining with "S", then $ strings --target=srec sfile | less Or if you like to take a better view to the file you may $ objcopy -I srec -O binary sfile bfile to produce raw binary image in bfile.
The strings and obcopy are part of the GNU binutils.
Here is also some info how I did get the CellPlex 7000 and LinkSwitch 2700 strings if someone else would like to take a look.
You need the file ATMMAIN.SL (CellPlex 7000 tftp loadable image). You can find there is a standard PKZIP header beginning offset 0xE34.
00000e30 446d0008 1f8b0000 1f9e0000 504b0304 Dm..........PK.. 00000e40 00000000 0a206e6f 7420696e 20677a69 ..... not in gzi 00000e50 7020666f 726d6174 0a000000 00000000 p format........
Duh, "1f8b" following the standard PKZIP header shows clearly,
$ dd if=ATMMAIN.SL bs=`echo "ibase=16; E34;" | bc -q` skip=1 >fish.zip
145+1 records in
145+1 records out
$ unzip fish
warning [fish.zip]: 46300 extra bytes at beginning or within zipfile (attempting to process anyway)
replace ATMSW.STR? [y]es, [n]o, [A]ll, [N]one, [r]ename: A inflating: ATMSW.STR
You should not have any trouble locating the plain username and password strings from ATMSW.STR
Anybody still believe there is a product from 3Com that has no backdoor? <sigh>.
Riku Meskanen <firstname.lastname@example.org> also as: email@example.com, firstname.lastname@example.org, Systems and network administrator email@example.com, etc. University of Jyvaskyla Voice: +358 14 60 3580
PO-BOX 35, FI-40351 JYVASKYLA, Finland Fax: +358 14 60 3611
From aleph1@NATIONWIDE.NET Thu May 14 18:29:48 1998
Date: Sun, 10 May 1998 14:41:37 -0500
From: Aleph One <aleph1@NATIONWIDE.NET> To: BUGTRAQ@NETSPACE.ORG
Subject: Re: 3Com switches - undocumented access level.)
Summary of multiple posts on the subject:
Riku Meskanen <firstname.lastname@example.org>
- login: debug
- password: synnet
LinkSwitch 2700, SuperStack 2700, CellPlex 7000
- login: tech
- password: tech
SuperStack II 1000 ja SuperStack II 3000
- login: monitor
- password: monitor
Joel Moses <email@example.com>
CoreBuilder 7000-series has the problem. It is safe to change that password on this model. Please note that if you have multiple management cards, each one will have the password enabled.
Philippe Regnauld <firstname.lastname@example.org>
Netbuilder 2xx (v. SW/NBRO-AB,9.1): Nothing so far.
James Robertson <email@example.com>
I have checked Netbulder Version 8.4 up to 10.1. None of these versions have a backdoor that I know of. I also scanned the boot images for any hints, none found so far.
Also, Superstack II Switch 1100, 3000, 3300 do not have the 'tech' backdoor nor does a scan of the boot image show any hints of the same.
There is another way to gain access to a Netbuilder. All 3Com Netbuilders support a remote command. The remote command comes with RBCS ( Remote Boot and Configuration Services ) and Transcend Management Suite.
If you are root on a Netbuilder and know the address of someone elses Netbuilder you can remote to their Netbuiler from yours and gain root privelages.
Under System Options, Limit remote access connections to a single station or single subnet.
SHow -SYS RemoteManager
Adam Spiers <firstname.lastname@example.org>
My LANplex 2500 seems vulnerable:
LANplex 2500 (rev 6.20) - System ID 049bff Software version 4.3.0-7 - Built 11/10/95 03:49:46 PM
The debug user id is clearly visible in an ASCII dump of the 4.3.0-20 image downloadable from ftp.3com.com.
|ULTRIX/Digital UNIX||HP/UX||SCO||Remote exploits|