Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: 3Com switches - undocumented access level.
From: mrichich () DRUNIVAC DREW EDU (Mike Richichi)
Date: Tue, 5 May 1998 15:13:53 -0400


--

Eric Monti wrote:


PROBLEM:
There appears to be a backdoor/undocumented "access level" in current (and
possibly previous) versions of 3Com's "intelligent" and "extended"
switching software for LanPlex/Corebuilder switches. In addition to the
"admin", "read", and "write" accounts, there is a "debug" account with a
password of "synnet" on shipped images (including those available for
download from infodeli.3com.com). The versions of firmware this was tested
under include 7.0.1 and 8.1.1. The debug account appears to have all the
privileges of the admin account plus some "debug" commands not available
to any other ID.

IMPACT:
If you allow "remote administration" (telnet access), well... yeah.

FIX:
Login to the switch with the debug/synnet combo and use the "system
password" command to change this to something non-default. You wont be
able to change the password using the admin account.

It's even worse than it first appears, BTW.  Not only is this backdoor password
there, but you can change all the other access passwords from the "debug"
account without having to know the old passwords.  So, someone can lock you out
of your switch completely.  In addition, they can get to the "underlying OS
shell", which looks like a very fun place to completely screw things up.

I can verify this works with the Lanplex/Corebuilder 2500s (all SW versions 7.x
and 8.x) and the CoreBuilder 3500 (ver 1.0.0.)  I almost cried when I
had a hardware failure and the 3Com tech told me about this backdoor.

--Mike

--------------------
Mike Richichi, Assistant Director,     Drew University Academic Technology
BC-COMPCEN, Madison, NJ 07940        +1 973 408 3840  FAX: +1 973 408 3995
mailto:mrichich () drunivac drew edu         http://daniel.drew.edu/~mrichich
"There are only two businesses who call their customers 'users'" -E. Tufte



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault