Backdoor passwords in 3Com switches, routers, smart hubs.

Summary
Description: Numerous 3Com products apparently have secret backdoors in case the administrator "forgets the password". Yeah, there's a good idea. BIOS vendors have the annoying habit of making passwords useless the same way, but at least there the attacker needs physical access. With 3Com the attacker can telnet over to your network from bis.bg in Sofiya, Bulgaria and reconfigure your routers!
Author: Eric Monti <monti@MAIL.NETURAL.COM> and others
Compromise: Intruders can reconfigure and basically take over your switches
Vulnerable Systems: Many 3Com products have various backdoors, including: LanPlex/Corebuilder switches, 3Com LANplex 2500, CellPlex 7000
Date: 5 May 1998
Notes: Another post I appended notes that admin passwords and SNMP keys are available via the "public" SNMP community by default.
Details


Date: Tue, 5 May 1998 12:33:09 -0500
From: Eric Monti <monti@MAIL.NETURAL.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: 3Com switches - undocumented access level.

I don't know if this is known or documented elsewhere but it took me by
surprise, so here goes.

The recent posts about the rcon user in quake servers have reminded me
that I still haven't heard back from 3Com about the following "feature". My
experience has shown that switches are not as much missile chucking fun as
quake, but that isn't to say you can't play games on one. <hyuk>

PROBLEM:
There appears to be a backdoor/undocumented "access level" in current (and
possibly previous) versions of 3Com's "intelligent" and "extended"
switching software for LanPlex/Corebuilder switches. In addition to the
"admin", "read", and "write" accounts, there is a "debug" account with a
password of "synnet" on shipped images (including those available for
download from infodeli.3com.com). The versions of firmware this was tested
under include 7.0.1 and 8.1.1. The debug account appears to have all the
privileges of the admin account plus some "debug" commands not available
to any other ID.

IMPACT:
If you allow "remote administration" (telnet access), well... yeah.

FIX:
Login to the switch with the debug/synnet combo and use the "system
password" command to change this to something non-default. You won't be
able to change the password using the admin account.

Date: Tue, 5 May 1998 15:13:53 -0400
From: Mike Richichi <mrichich@DRUNIVAC.DREW.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: 3Com switches - undocumented access level.

--

Eric Monti wrote:
>

> PROBLEM:
> There appears to be a backdoor/undocumented "access level" in current (and
> possibly previous) versions of 3Com's "intelligent" and "extended"
> switching software for LanPlex/Corebuilder switches. In addition to the
> "admin", "read", and "write" accounts, there is a "debug" account with a
> password of "synnet" on shipped images (including those available for
> download from infodeli.3com.com). The versions of firmware this was tested
> under include 7.0.1 and 8.1.1. The debug account appears to have all the
> privileges of the admin account plus some "debug" commands not available
> to any other ID.
>
> IMPACT:
> If you allow "remote administration" (telnet access), well... yeah.
>
> FIX:
> Login to the switch with the debug/synnet combo and use the "system
> password" command to change this to something non-default. You won't be
> able to change the password using the admin account.

It's even worse than it first appears, BTW.  Not only is this backdoor password
there, but you can change all the other access passwords from the "debug"
account without having to know the old passwords.  So, someone can lock you out
of your switch completely.  In addition, they can get to the "underlying OS
shell", which looks like a very fun place to completely screw things up.

I can verify this works with the Lanplex/Corebuilder 2500s (all SW versions 7.x
and 8.x) and the CoreBuilder 3500 (ver 1.0.0.)  I almost cried when I
had a hardware failure and the 3Com tech told me about this backdoor.

--Mike

--------------------
Mike Richichi, Assistant Director,     Drew University Academic Technology
BC-COMPCEN, Madison, NJ 07940        +1 973 408 3840  FAX: +1 973 408 3995
mailto:mrichich@drunivac.drew.edu         http://daniel.drew.edu/~mrichich
"There are only two businesses who call their customers 'users'" -E. Tufte

Date: Wed, 6 May 1998 16:28:06 -0400
From: Jean-Francois Malouin <Jean-Francois.Malouin@bic.mni.mcgill.ca>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: 3Com switches - undocumented access level.

On Wed, May 06, 1998 at 09:59:45AM -0300, Durval Menezes wrote:
> Hello,
>
> Just checked my 3Com Superstack II intelligent hub and Switches (they have
> a similar Telnet interface) and they appear NOT to have this backdoor
> (humm, or does the backdoor use a different username/password? I wonder...)
>
> Best Regards,
> --
>    Durval Menezes (durval@tmp.com.br, http://www.tmp.com.br/~durval)

well, I can confirm that the 3Com LANplex 2500 (rev 7.15)
with Version 7.0.1-19 - Built 01/17/97 02:41:17 PM
is open to this backdoor...well, not anymore... ;)

jf
--
J.-F. Malouin, System/Network Manager,      Email: <malin@bic.mni.mcgill.ca>
Brain Imaging Center, McGill U., 3801 University St, Montreal, Que., H3A 2B4
Voice:(514)398-8924, Fax:(514)398-8948, PGP:  finger malin@bic.mni.mcgill.ca
"Reality is that which, when you stop believing in it, doesn't go away." PKD

Date: Thu, 7 May 1998 21:56:26 +0300
From: Riku Meskanen <mesrik@cc.jyu.fi>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: 3Com switches - undocumented access level.

On Wed, 6 May 1998, Durval Menezes wrote:
> Hello,
>
> > PROBLEM:
> > There appears to be a backdoor/undocumented "access level" in current (and
> > possibly previous) versions of 3Com's "intelligent" and "extended"
> > switching software for LanPlex/Corebuilder switches.
>
> Just checked my 3Com Superstack II intelligent hub and Switches (they have
> a similar Telnet interface) and they appear NOT to have this backdoor
> (humm, or does the backdoor use a different username/password? I wonder...)
>
No, but unfortunately there is another "tech" user that took me
only about 20 min to dig out of the compressed image. The same pair
works for the CellPlex 7000 :(

The username is tech, as is the password.

I think 3Com should be informed to release a security
advisory ASAP.

Telnet, V1.0, 3Com NCD, 1996

LinkSwitch 2700 Rev 1.0
Software version Ver.  3.50  - Built Sep 11 1997 11:21:13

Select access level (read, write, admin): tech
Password: ****

LinkSwitch 2700 Rev 1.0 Administration Console
Accessed at tech access level.

main menu:
==========
   [1] system        - Administer System level functions ->
   [2] ethernet      - Administer Ethernet ports ->
   [3] bridge        - Administer Bridging ->
   [4] atm           - Administer ATM resources ->
   [5] le            - Administer LAN Emulation Clients ->
   [6] vns           - Administer Virtual Networks configuration ->
   [7] management    - Administer IP and SNMP ->
   [8] quit          - Logout of the administration console
   [9] fast          - Fast Setup
  [10] tech          - Special technician options ->

'\' - Main menu   '-' - Prev menu
> quiConnection closed by foreign host.

Use tech/system/password to set new password.

Telnet, V1.0, 3Com NCD, 1996


                     -------------------------------
                     -     CELLplex    7000        -
                     -                             -
                     -  ATM     Backbone    Switch -
                     -------------------------------
Access level (read, write, admin):tech
Password: ****


CP7000 switch module - Main Menu:
   (1) SYS: Platform config ->
   (2) LEM: Lan Emulation ->
   (3) CON: Connections ->
   (4) STS: Statistics ->
   (5) DIA: Testing & Diagnostics ->
   (6) FTR: ATM features
   (7) LOG: Logout
   (8) VER: Version
   (9) FST: Fast Setup
  (10) DBG: Debug ->
[ '\' -Main,      '-' -Back in menus]
[ '=0'-To switch, '=n'-To i/f card n (1-4)]
>
>7
Connection closed by foreign host.

Use (1)SYS\(1)SET\(2)PAS> to set new password.

Ok, now how about models 1000 and 3000 ?

:-) riku

--
    [ This .signature intentionally left blank ]

Date: Fri, 8 May 1998 11:35:56 -0500
From: Aleph One <aleph1@nationwide.net>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: 3Com switches - undocumented access level.

This is a summary of a number of posts. Please, if you will be reporting
a system as vulnerable or not always include the software version you are
using.

Peter Mount <peter@maidstone.gov.uk> mentions that his LinkSwitch does
have the backdoor. His software version is:

-> version
VxWorks (for LinkSwitch 2000) version 5.0.2b.
Kernel: WIND version 2.0.
Made on Wed Dec 18 22:27:52 EST 1996.
Boot line:
pcmcia(0,0) f=0x20008
value = 33 = 0x21 = '!'

Riku Meskanen <mesrik@cc.jyu.fi> reports that the CellPlex 1000 doesn't
seem to have the tech user backdoor. He fails to mention the software
version.

Alan Cox <alan@lxorguk.ukuu.org.uk> mentions that when he worked for 3com
there were no useful security contacts. He also states that 3com is
divided into units. Each unit is very independent and will often use
different code bases. So a given problem is likely to hit one section of
3com products only.

Could someone check the following 3com products: Accessbuilder,
Netbuilder.

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

Date: Sun, 10 May 1998 18:31:34 -0500
From: Michael Mittelstadt <meek@EXECPC.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: 3Com switches - undocumented access level.

[Quoth Sasha Egan]
] Sorry about this, I forgot to mention it..
]
] To get the interview with the network tech at 3Com, I had to list myself
] as a primary contact...if you need any information from me:
] my phone number is (505) 861-4981
] My pager is (505) 875-8866
] just in case...

It might also be worth mentioning to 3Com that the enterprise MIB (at
least for the Corebuilder 3500) contains the passwords and the snmp
keys for the box.  If some poor sap sets their SNMP key to something
guessable (like, oh, I dunno, 'public'), you can get the admin
password and SNMP key with these:

enterprises.synernetics.lanplex.lanplexSystemsMib.1.19.0 = "password"
enterprises.synernetics.lanplex.lanplexSystemsMib.6.7.0 = "public"

I don't know what the wisdom of putting the password in the MIB is.

This is true with both software release 1.0 and 1.1 on the Corebuilder
3500.  And since it's the synernetics enterprise MIB, it's my educated
guess that this info is on other corebuilder and lanplex boxen.

With release 1.0 on the corebuilder, I also had the misfortune of
being able to reboot the box by sending a lot of UDP traffic to it's
administrative port.  Being paranoid, I ran netcat against it, wanting
to know what ports it listened on.  About 10 seconds later, it
reboots.  rel 1.1 seems more robust.

IMHO, the Corebuilder 3500 just feels like a product that went out the
door too fast to be early to market, without giving security or
robustness enough of a thought.

--
Michael Mittelstadt           meek@execpc.com
VP - Internet Technologies    ExecPC Internet
http://www.execpc.com/~meek   1-800-ExecPC-1

Date: Sat, 9 May 1998 12:57:35 +0300
From: Riku Meskanen <mesrik@cc.jyu.fi>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: 3Com switches - undocumented access level.

On Fri, 8 May 1998, Aleph One wrote:
> Riku Meskanen <mesrik@cc.jyu.fi> reports that the CellPlex 1000 doesn't
> seem to have the tech user backdoor. He fails to mention the software
> version.
>
Ehem, Model 1000 and 3000 are SuperStacks. There is no CellPlex 1000.

SuperStack 2700, formerly LinkSwitch 2700 (basically the same stuff with little difference in chassis), is an Ethernet switch which can be equipped with an ATM interface.

CellPlex (model 7000 or newer 7000HD) is just a plain ATM-switch.

I'm sorry about my bad English which may have confused you.

About the versions. The LinkSwitch software version tested (later sold as SuperStack 2700) was in my first post (shown on the login screen), but here it is again.

LinkSwitch 2700 Rev 1.0
Software version Ver. 3.50 - Built Sep 11 1997 11:21:13

The CellPlex "(8) VER: Version" -option from main menu shows,

CELLplex Software Versions:

Switch Management version: 3.25
Internal Communication version: 3.2

  I/F Control Card 1 version:     Ver.  3.20
  I/F Control Card 2 version:     Ver.  3.20
  4-PB FPGA Transmit version:     1.0
  4-PB FPGA Receive  version:     2.3
  8-PB FPGA Transmit version:     3.2
  8-PB FPGA Receive  version:     3.2
  ALC type:                       ALC_87
  R&D version:                    3.20N

DATE Feb 16 1997: TIME 23:17:24

I can also confirm that debug/synnet worked here for LANPlex2500 which system/display shows following.

LANplex 2500 (rev 7.19) - System ID 0bc906 Extended Switching Software
Version 7.0.1 - Built 06/12/96 05:48:41 PM

But then some new stuff :)

Q: Right, but how about SuperStack II Switch 1000, does it have an undocumented access level?

  1. Yes, try username "monitor", with password "monitor".

Version Numbers

        Hardware Version:                       3
        Upgradable Software Version:            3.21
        Boot Software Version:                  3.10

Q: Is the SuperStack II Switch 3000 also affected, as it's basically the same family line?

  1. Yes, try the same username/password pair monitor/monitor. The tested system has the following version information.

Version Numbers

        Hardware Version:                       5
        Upgradable Software Version:            3.10
        Boot Software Version:                  2.10

Q: How did you find these strings?

  1. There are two Motorola S format (srec) files in LS1K3_10.SLX (software for SuperStack II 1000) and LS3K3_10.SLX (software for SuperStack II 3000).
     Extract the first file, i.e. the lines beginning
     with "S", then

     $ strings --target=srec sfile | less

     Or if you like to take a better view of the file
     you may

     $ objcopy -I srec -O binary sfile bfile

     to produce a raw binary image in bfile.

strings and objcopy are part of GNU binutils.

Here is also some info on how I got the CellPlex 7000 and LinkSwitch 2700 strings, if someone else would like to take a look.

You need the file ATMMAIN.SL (CellPlex 7000 tftp loadable image). You can find a standard PKZIP header beginning at offset 0xE34.

00000e30 446d0008 1f8b0000 1f9e0000 504b0304 Dm..........PK..
00000e40 00000000 0a206e6f 7420696e 20677a69 ..... not in gzi
00000e50 7020666f 726d6174 0a000000 00000000 p format........

Duh, "1f8b" following the standard PKZIP header shows clearly,

$ dd if=ATMMAIN.SL bs=`echo "ibase=16; E34;" | bc -q` skip=1 >fish.zip
145+1 records in
145+1 records out
$ unzip fish
Archive: fish.zip
warning [fish.zip]: 46300 extra bytes at beginning or within zipfile (attempting to process anyway)
replace ATMSW.STR? [y]es, [n]o, [A]ll, [N]one, [r]ename: A inflating: ATMSW.STR
$

You should not have any trouble locating the plain username and password strings in ATMSW.STR.

Anybody still believe there is a product from 3Com that has no backdoor? <sigh>.

:-) riku

--

Riku Meskanen <mesrik@cc.jyu.fi>     also as: root@jyu.fi, hostmaster@jyu.fi,
Systems and network administrator             hostmaster@co.jyu.fi, etc.
University of Jyvaskyla                Voice: +358 14 60 3580

PO-BOX 35, FI-40351 JYVASKYLA, Finland Fax: +358 14 60 3611

From aleph1@NATIONWIDE.NET Thu May 14 18:29:48 1998
Date: Sun, 10 May 1998 14:41:37 -0500
From: Aleph One <aleph1@NATIONWIDE.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: 3Com switches - undocumented access level.

Summary of multiple posts on the subject:

Riku Meskanen <mesrik@cc.jyu.fi>

LanPlex2500/Corebuilder
- login: debug
- password: synnet

LinkSwitch 2700, SuperStack 2700, CellPlex 7000 - login: tech
- password: tech

SuperStack II 1000 and SuperStack II 3000 - login: monitor
- password: monitor

Joel Moses <jmoses@dttus.com>

CoreBuilder 7000-series has the problem. It is safe to change that password on this model. Please note that if you have multiple management cards, each one will have the password enabled.

Philippe Regnauld <regnauld@deepo.prosa.dk>

Netbuilder 2xx (v. SW/NBRO-AB,9.1): Nothing so far.

James Robertson <james@hal.utmb.edu>

I have checked Netbuilder Version 8.4 up to 10.1. None of these versions have a backdoor that I know of. I also scanned the boot images for any hints, none found so far.

Also, Superstack II Switch 1100, 3000, 3300 do not have the 'tech' backdoor nor does a scan of the boot image show any hints of the same.

There is another way to gain access to a Netbuilder. All 3Com Netbuilders support a remote command. The remote command comes with RBCS ( Remote Boot and Configuration Services ) and Transcend Management Suite.

If you are root on a Netbuilder and know the address of someone else's Netbuilder you can remote to their Netbuilder from yours and gain root privileges.

Fix:
Under System Options, Limit remote access connections to a single station or single subnet.

SHow -SYS RemoteManager


Remote-In allowed from the following addresses:

your.ip.subnet.here your.ip.addr.here


Adam Spiers <adam@thelonious.new.ox.ac.uk>

My LANplex 2500 seems vulnerable:

LANplex 2500 (rev 6.20) - System ID 049bff Software version 4.3.0-7 - Built 11/10/95 03:49:46 PM

The debug user id is clearly visible in an ASCII dump of the 4.3.0-20 image downloadable from ftp.3com.com.
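
The firmware inspection Riku Meskanen describes above (objcopy on the S-record files, strings over the result, then dd and unzip on the PKZIP archive embedded in ATMMAIN.SL) as one self-contained Python script; this is an added example written for this page, not code from any poster. The S-record text and the wrapper with the embedded zip are constructed stand-ins for the real 3Com images, and the member name ATMSW.STR and the header offset are made up to mirror the post.

```python
import io
import re
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # PKZIP local file header signature ("PK.." in the hexdump)


def parse_srec(text):
    """Decode Motorola S1/S2/S3 records into one raw image (what objcopy -I srec -O binary does).
    Gaps between records are zero-filled and every record checksum is verified."""
    chunks = {}
    for line in text.splitlines():
        line = line.strip()
        if len(line) < 10 or line[0] != "S" or line[1] not in "123":
            continue                                  # skip S0 header and S7/S8/S9 termination
        addr_len = {"1": 2, "2": 3, "3": 4}[line[1]]  # S1=16-bit, S2=24-bit, S3=32-bit address
        raw = bytes.fromhex(line[2:])
        count, body, checksum = raw[0], raw[1:-1], raw[-1]
        # checksum = one's complement of the low byte of (count + address + data)
        if count != len(raw) - 1 or (sum(raw[:-1]) & 0xFF) ^ 0xFF != checksum:
            raise ValueError("bad S-record: " + line)
        chunks[int.from_bytes(body[:addr_len], "big")] = body[addr_len:]
    if not chunks:
        return b""
    base = min(chunks)
    image = bytearray(max(a + len(d) for a, d in chunks.items()) - base)
    for addr, data in chunks.items():
        image[addr - base:addr - base + len(data)] = data
    return bytes(image)


def find_strings(blob, min_len=4):
    """Same idea as strings(1): runs of printable ASCII of at least min_len bytes."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def carve_zip(blob):
    """Find the first PKZIP local header and unpack the archive that starts there.
    Mirrors the dd skip=<offset> plus unzip step; returns (offset, {member: bytes})."""
    offset = blob.find(ZIP_LOCAL_HEADER)
    if offset < 0:
        raise ValueError("no PKZIP local header in image")
    with zipfile.ZipFile(io.BytesIO(blob[offset:])) as zf:
        return offset, {name: zf.read(name) for name in zf.namelist()}


# Constructed inputs (not real 3Com images): a tiny srec file holding "tech" and
# "Password:", and a fake ATMMAIN.SL wrapper with a zip archive embedded at offset 0x48.
SAMPLE_SREC = "S00600004844521B\nS1080000746563680053\nS10C001050617373776F72643A56\nS9030000FC\n"
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("ATMSW.STR", b"\x01\x00Select access level (read, write, admin):\x00\xff\xfetech\x00")
SAMPLE_ATMMAIN = b"\x00" * 0x40 + b"Dm\x00\x08\x1f\x8b\x00\x00" + _buf.getvalue()
```

Run `find_strings(parse_srec(SAMPLE_SREC))` and `carve_zip(SAMPLE_ATMMAIN)` against your own downloaded images in place of the constructed samples to audit them for embedded account names.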


This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap.
