Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: 3Com switches - undocumented access level.
From: mesrik () cc jyu fi (Riku Meskanen)
Date: Thu, 7 May 1998 21:56:26 +0300


On Wed, 6 May 1998, Durval Menezes wrote:
Hello,

PROBLEM:
There appears to be a backdoor/undocumented "access level" in current (and
possibly previous) versions of 3Com's "intelligent" and "extended"
switching software for LanPlex/Corebuilder switches.

Just checked my 3Com Superstack II intelligent hub and Switches (they have
a similar Telnet interface) and they appear NOT to have this backdoor
(humm, or does the backdoor use a different username/password? I wonder...)

No but unfortunately there is another "tech" user that took me
only about 20min to dig out from compressed image. Same pair
works for CellPlex 7000 :(

The username is tech, as is the password.

I'll think that 3Com should be informed to release a security
advisory ASAP.

Telnet, V1.0, 3Com NCD, 1996

LinkSwitch 2700 Rev 1.0
Software version Ver.  3.50  - Built Sep 11 1997 11:21:13

Select access level (read, write, admin): tech
Password: ****

LinkSwitch 2700 Rev 1.0 Administration Console
Accessed at tech access level.

main menu:
==========
   [1] system        - Administer System level functions ->
   [2] ethernet      - Administer Ethernet ports ->
   [3] bridge        - Administer Bridging ->
   [4] atm           - Administer ATM resources ->
   [5] le            - Administer LAN Emulation Clients ->
   [6] vns           - Administer Virtual Networks configuration ->
   [7] management    - Administer IP and SNMP ->
   [8] quit          - Logout of the administration console
   [9] fast          - Fast Setup
  [10] tech          - Special technician options ->

'\' - Main menu   '-' - Prev menu
quiConnection closed by foreign host.

Use tech/system/password to set new password.

Telnet, V1.0, 3Com NCD, 1996


                     -------------------------------
                     -     CELLplex    7000        -
                     -                             -
                     -  ATM     Backbone    Switch -
                     -------------------------------
Access level (read, write, admin):tech
Password: ****


CP7000 switch module - Main Menu:
   (1) SYS: Platform config ->
   (2) LEM: Lan Emulation ->
   (3) CON: Connections ->
   (4) STS: Statistics ->
   (5) DIA: Testing & Diagnostics ->
   (6) FTR: ATM features
   (7) LOG: Logout
   (8) VER: Version
   (9) FST: Fast Setup
  (10) DBG: Debug ->
[ '\' -Main,      '-' -Back in menus]
[ '=0'-To switch, '=n'-To i/f card n (1-4)]

7
Connection closed by foreign host.

Use (1)SYS\(1)SET\(2)PAS> to set new password.

Ok, now how about models 1000 and 3000 ?

:-) riku

--
    [ This .signature intentionally left blank ]



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault