Bay networks unpassworded "User" account
|Description:||Unless they sysadmins change it (they should!), bay networkds access node/wellfleet routers have a "User" account for ftp/telnet access with no password. The Manager account also ships w/o a password, but that is more likely to be changed.|
|Author:||Marty Rigaletto <marty@SLACK.NET>|
|Compromise:||Read valuable configuration information, edit routing tables, etc.|
|Vulnerable Systems:||Networks using Bay Networks access node/wellfleet routers that haven't changed the default passwords.|
|Date:||10 May 1998|
|Notes:||Many products come w/o passwords with the assumption that they will be changed. This isn't really Bay Networks' fault, although perhaps the "User" account isn't documented well enough.|
Date: Sun, 10 May 1998 00:58:37 -0400
From: Marty Rigaletto <marty@SLACK.NET>
Subject: Bay Networks Security Hole
vendor: bay networks
product: bay access node/wellfleet routers
Ok, in this day and age it is becomming increasingly difficult for the
low-level, system cracker, bottom feeders who frequent the net to
gain access to larger corporate and government sites due to firewall
implementation, so I'm posting this to help the administrators
stay one step ahead.
The problem with the bay boxes is that by default the two system accounts
on the machine are not passworded. Now, usually the "Manager" account
on the machine is passworded by the administrator, however, the "User"
account is often left untouched. While the "User" account has restricted
access, it can be a huge security hole, especially when these machines are
used for the purposes of IP filtering (a firewall).
Because the bay machines have snmp configuration capabilities, anyone
knowing the snmp string for the machine or snmp community could edit
routing tables and IP filtering rules with any snmp management software or
the bay networks software they put out for solaris and just recently NT.
All a proposed attacker would have to do is telnet to the router, login
as "User", and issue a single command, "sho snmp community". Then adjust
his or her snmp software to use that string and IP address, and b00m,
sucks to be you.
recommended fix: uhh..password "User"
- Marty Rigaletto
"On the bulletin boards nobody knew if you attended a special
- d. freedman (from "At Large", in regards to Phantomd)
Date: Sun, 10 May 1998 11:02:41 -0400
From: Jason Ackley <jason@VIACCESS.NET>
Subject: Re: Bay Networks Security Hole
On Sun, 10 May 1998, Marty Rigaletto wrote:
> vendor: bay networks
> product: bay access node/wellfleet routers
> on the machine is passworded by the administrator, however, the "User"
> account is often left untouched. While the "User" account has restricted
This is something I mentioned to them about 1yr ago, with no word /
Even if the box is not doing filtering and such, the 'User' Account can
be used to ftp into the Bay router (they run ftp daemons), download the
configuration file (yes, I have done this many times..), and then read it
into their Managment program, in which you will have the snmp read/write
strings to do whatever you want with! Basically if the 'User' account is
open, the router can be taken over with very little effort..Once you load
up the config file into the managment console, you could toggle T1s, down
interfaces, reset BGP tables, capture packets.. You name it.
It would be wise to make it where the 'User' account cannot ftp in, or
cannot read the contents of the flash card..
Here is a sample random-bay-router-on-the-net(IP addr changed of course):
llama:/usr/home/jason/doc# ftp 220.127.116.11
Connected to 18.104.22.168.
220 WfFTP server(x12.00) ready.
Name (22.214.171.124:jason): User
230 User User logged in.
200 Type set to I.
ftp> get config
local: config remote: config
200 PORT command successful.
150 Image data connection for 2:config (126.96.36.199,20) (50140 bytes).
226 Binary Transfer Complete.
50140 bytes received in 2.01 seconds (24909 bytes/s)
200 PORT command successful.
150 ASCII data connection for 2: (188.8.131.52,0) (0 bytes).
Volume - drive 2:
Directory of 2:
File Name Size Date Day Time
config.isp 45016 08/22/97 Fri. 17:05:51
startup.cfg 7472 08/24/97 Sun. 23:31:31
asnboot.exe 237212 08/24/97 Sun. 23:31:41
asndiag.exe 259268 08/24/97 Sun. 23:32:28
debug.al 12372 08/24/97 Sun. 23:33:17
ti_asn.cfg 504 08/24/97 Sun. 23:33:31
install.bat 189114 08/24/97 Sun. 23:33:41
config 50140 04/20/98 Mon. 22:08:01
4194304 bytes - Total size
3375190 bytes - Available free space
3239088 bytes - Contiguous free space
226 ASCII Transfer Complete.
I have no idea what the current firmware rev is, as my current duties have
me away from Bay products, but in this example, the firmware was 12.00 it
looks like.. (This was testing 'just now').
> All a proposed attacker would have to do is telnet to the router, login
> as "User", and issue a single command, "sho snmp community". Then adjust
> his or her snmp software to use that string and IP address, and b00m,
> sucks to be you.
As far as I knew, the User level could not see the read/write string, but
I could be outdated..But as shown above, you can get the config file using
a standard FTP client :)
The Fix? Well, as I said , tighten down what the 'User Level' account can
do, and leave things such as ftpd turned off by default. Of course,
removing the 'User' account would be a good idea too, as not too many
people use it and even more people are not even aware of it..
Jason Ackley firstname.lastname@example.org
UNIX Systems Consultant
"Learn UNIX and mingle with the gods.."
Date: Mon, 11 May 1998 15:37:00 +0100
From: Berislav Todorovic <BERI@ETF.BG.AC.YU>
Subject: Re: Bay Networks Security Hole
>> > vendor: bay networks
>> > product: bay access node/wellfleet routers
Our local BayNetworks representative - COMNET (http://www.comnet.co.yu/)
forwarded to me the following recommendations:
* FTP Daemon on the router is not enabled by default - it's good to
leave that untouched.
* If the User level has to be made publically available, don't install
snmp.bat on the flash image, or at least don't make it available to
the User account. This would disallow command "show snmp" at all.
* Restrict TELNET access and especially TFTP access to the router to
certain sites on the network only, by applying appropriate filters!
| --+-- | Berislav Todorovic, B.Sc.E.E. | E-mail: BERI@etf.bg.ac.yu
| /|\ Hostmaster of the YU TLD |
|-(-+-)-| School of Electrical Engineering | Phone: (+381-11) 3221-419
| \|/ Bulevar Revolucije 73 | 3370-106
| --+-- | 11000 Belgrade SERBIA, YUGOSLAVIA | Fax: (+381-11) 3248-681
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:
[ Nmap |
Sec Tools |
Mailing Lists |
Site News |