Bay networks unpassworded "User" account

Summary

Description:	Unless they sysadmins change it (they should!), bay networkds access node/wellfleet routers have a "User" account for ftp/telnet access with no password. The Manager account also ships w/o a password, but that is more likely to be changed.
Author:	Marty Rigaletto <marty@SLACK.NET>
Compromise:	Read valuable configuration information, edit routing tables, etc.
Vulnerable Systems:	Networks using Bay Networks access node/wellfleet routers that haven't changed the default passwords.
Date:	10 May 1998
Notes:	Many products come w/o passwords with the assumption that they will be changed. This isn't really Bay Networks' fault, although perhaps the "User" account isn't documented well enough.

Details

Date: Sun, 10 May 1998 00:58:37 -0400
From: Marty Rigaletto <marty@SLACK.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Bay Networks Security Hole

vendor: bay networks
product: bay access node/wellfleet routers

Ok, in this day and age it is becomming increasingly difficult for the
low-level, system cracker, bottom feeders who frequent the net to
gain access to larger corporate and government sites due to firewall
implementation, so I'm posting this to help the administrators
stay one step ahead.

The problem with the bay boxes is that by default the two system accounts
on the machine are not passworded. Now, usually the "Manager" account
on the machine is passworded by the administrator, however, the "User"
account is often left untouched. While the "User" account has restricted
access, it can be a huge security hole, especially when these machines are
used for the purposes of IP filtering (a firewall).

Because the bay machines have snmp configuration capabilities, anyone
knowing the snmp string for the machine or snmp community could edit
routing tables and IP filtering rules with any snmp management software or
the bay networks software they put out for solaris and just recently NT.

All a proposed attacker would have to do is telnet to the router, login
as "User", and issue a single command, "sho snmp community". Then adjust
his or her snmp software to use that string and IP address, and b00m,
sucks to be you.

recommended fix: uhh..password "User"

- Marty Rigaletto

   "On the bulletin boards nobody knew if you attended a special
    school."

           - d. freedman (from "At Large", in regards to Phantomd)
Date: Sun, 10 May 1998 11:02:41 -0400
From: Jason Ackley <jason@VIACCESS.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Bay Networks Security Hole

On Sun, 10 May 1998, Marty Rigaletto wrote:

> vendor: bay networks
> product: bay access node/wellfleet routers

> on the machine is passworded by the administrator, however, the "User"
> account is often left untouched. While the "User" account has restricted

 This is something I mentioned to them about 1yr ago, with no word /
 response..

 Even if the box is not doing filtering and such, the 'User' Account can
be used to ftp into the Bay router (they run ftp daemons), download the
configuration file (yes, I have done this many times..), and then read it
into their Managment program, in which you will have the snmp read/write
strings to do whatever you want with! Basically if the 'User' account is
open, the router can be taken over with very little effort..Once you load
up the config file into the managment console, you could toggle T1s, down
interfaces, reset BGP tables, capture packets.. You name it.

It would be wise to make it where the 'User' account cannot ftp in, or
cannot read the contents of the flash card..

Here is a sample random-bay-router-on-the-net(IP addr changed of course):

llama:/usr/home/jason/doc# ftp 1.3.3.3
Connected to 1.3.3.3.
220 WfFTP server(x12.00) ready.
Name (1.3.3.3:jason): User
230 User User logged in.
ftp> bin
200  Type set to I.
ftp> get config
local: config remote: config
200  PORT command successful.
150  Image data connection for 2:config (1.3.3.3,20) (50140 bytes).
226  Binary Transfer Complete.
50140 bytes received in 2.01 seconds (24909 bytes/s)
ftp> ls
200  PORT command successful.
150  ASCII data connection for 2: (1.3.3.3,0) (0 bytes).

 Volume - drive 2:
 Directory of 2:

File Name             Size    Date     Day      Time
------------------------------------------------------
config.isp           45016  08/22/97  Fri.    17:05:51
startup.cfg           7472  08/24/97  Sun.    23:31:31
asnboot.exe         237212  08/24/97  Sun.    23:31:41
asndiag.exe         259268  08/24/97  Sun.    23:32:28
debug.al             12372  08/24/97  Sun.    23:33:17
ti_asn.cfg             504  08/24/97  Sun.    23:33:31
install.bat         189114  08/24/97  Sun.    23:33:41
config               50140  04/20/98  Mon.    22:08:01

 4194304 bytes - Total size
 3375190 bytes - Available free space
 3239088 bytes - Contiguous free space

226  ASCII Transfer Complete.
ftp> quit
221 Goodbye.

I have no idea what the current firmware rev is, as my current duties have
me away from Bay products, but in this example, the firmware was 12.00 it
looks like.. (This was testing 'just now').

> All a proposed attacker would have to do is telnet to the router, login
> as "User", and issue a single command, "sho snmp community". Then adjust
> his or her snmp software to use that string and IP address, and b00m,
> sucks to be you.

 As far as I knew, the User level could not see the read/write string, but
I could be outdated..But as shown above, you can get the config file using
a standard FTP client :)

The Fix? Well, as I said , tighten down what the 'User Level' account can
do, and leave things such as ftpd turned off by default. Of course,
removing the 'User' account would be a good idea too, as not too many
people use it and even more people are not even aware of it..

Cheers,

--
Jason Ackley           jason@ackley.net
UNIX Systems Consultant
     "Learn UNIX and mingle with the gods.."
Date: Mon, 11 May 1998 15:37:00 +0100
From: Berislav Todorovic <BERI@ETF.BG.AC.YU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Bay Networks Security Hole

>> > vendor: bay networks
>> > product: bay access node/wellfleet routers

Our local BayNetworks representative - COMNET (http://www.comnet.co.yu/)
forwarded to me the following recommendations:

* FTP Daemon on the router is not enabled by default - it's good to
  leave that untouched.

* If the User level has to be made publically available, don't install
  snmp.bat on the flash image, or at least don't make it available to
  the User account. This would disallow command "show snmp" at all.

* Restrict TELNET access and especially TFTP access to the router to
  certain sites on the network only, by applying appropriate filters!

Best regards,
Beri

.-------.
| --+-- |  Berislav Todorovic, B.Sc.E.E.     | E-mail: BERI@etf.bg.ac.yu
|  /|\     Hostmaster of the YU TLD          |
|-(-+-)-|  School of Electrical Engineering  | Phone:  (+381-11) 3221-419
|  \|/     Bulevar Revolucije 73             |                   3370-106
| --+-- |  11000 Belgrade SERBIA, YUGOSLAVIA | Fax:    (+381-11) 3248-681
`-------' --------------------------------------------------------------------

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:

All OS's	Linux	Solaris/SunOS	Micro$oft
*BSD	Macintosh	AIX	IRIX
ULTRIX/Digital UNIX	HP/UX	SCO	Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: