Re: 3Com switches - undocumented access level.)
From: mesrik () cc jyu fi (Riku Meskanen)
Date: Sat, 9 May 1998 12:57:35 +0300
On Fri, 8 May 1998, Aleph One wrote:
> Riku Meskanen <mesrik () cc jyu fi> reports that the CellPlex 1000 doesn't
> seem to have the tech user backdoor. He fails to mention the software
Ehem, Model 1000 and 3000 are SuperStacks. There is no CellPlex 1000.
SuperStack 2700, formerly LinkSwitch 2700 (basically same stuff
with little difference in chassis), is an ethernet switch which can
be equipped with an ATM interface.
CellPlex (model 7000 or newer 7000HD) is just a plain ATM-switch.
I'm sorry about my bad English which may have confused you.
About the versions. The LinkSwitch software version tested (later sold as
SuperStack 2700) was on my first post (shown on login screen), but here
is it again.
LinkSwitch 2700 Rev 1.0
Software version Ver. 3.50 - Built Sep 11 1997 11:21:13
The CellPlex "(8) VER: Version" -option from main menu shows,
CELLplex Software Versions:
Switch Management version: 3.25
Internal Communication version: 3.2
I/F Control Card 1 version: Ver. 3.20
I/F Control Card 2 version: Ver. 3.20
4-PB FPGA Transmit version: 1.0
4-PB FPGA Receive version: 2.3
8-PB FPGA Transmit version: 3.2
8-PB FPGA Receive version: 3.2
ALC type: ALC_87
R&D version: 3.20N
DATE Feb 16 1997: TIME 23:17:24
I can also confirm that debug/synnet worked here for LANPlex2500
which system/display shows following.
LANplex 2500 (rev 7.19) - System ID 0bc906
Extended Switching Software
Version 7.0.1 - Built 06/12/96 05:48:41 PM
But then some new stuff :)
Q: Right, but how about SuperStack II Switch 1000, does it have an
undocumented access level?
A: Yes, try username "monitor", with password "monitor".
Hardware Version: 3
Upgradable Software Version: 3.21
Boot Software Version: 3.10
Q: Is the SuperStack II Switch 3000 also affected, as it's basically
the same family line?
A: Yes, try same username/password pair monitor/monitor.
The tested system has version information.
Hardware Version: 5
Upgradable Software Version: 3.10
Boot Software Version: 2.10
Q: How did you find these strings?
A: There are two Motorola S format (srec) files in
LS1K3_10.SLX (software for SuperStack II 1000) and
LS3K3_10.SLX (software for SuperStack II 3000).
Extract the first file, i.e. the lines beginning
with "S", then
$ strings --target=srec sfile | less
Or if you like to take a better view to the file
$ objcopy -I srec -O binary sfile bfile
to produce raw binary image in bfile.
The strings and objcopy are part of the GNU binutils.
Here is also some info how I did get the CellPlex 7000 and
LinkSwitch 2700 strings if someone else would like to take
You need the file ATMMAIN.SL (CellPlex 7000 tftp loadable image).
You can find there is a standard PKZIP header beginning offset 0xE34.
00000e30 446d0008 1f8b0000 1f9e0000 504b0304 Dm..........PK..
00000e40 00000000 0a206e6f 7420696e 20677a69 ..... not in gzi
00000e50 7020666f 726d6174 0a000000 00000000 p format........
Duh, "1f8b" following the standard PKZIP header shows clearly,
$ dd if=ATMMAIN.SL bs=`echo "ibase=16; E34;" | bc -q` skip=1 >fish.zip
145+1 records in
145+1 records out
$ unzip fish
warning [fish.zip]: 46300 extra bytes at beginning or within zipfile
(attempting to process anyway)
replace ATMSW.STR? [y]es, [n]o, [A]ll, [N]one, [r]ename: A
You should not have any trouble locating the plain username
and password strings from ATMSW.STR
Anybody still believe there is a product from 3Com that has no
Riku Meskanen <mesrik () cc jyu fi> also as: root () jyu fi, hostmaster () jyu fi,
Systems and network administrator hostmaster () co jyu fi, etc.
University of Jyvaskyla Voice: +358 14 60 3580
PO-BOX 35, FI-40351 JYVASKYLA, Finland Fax: +358 14 60 3611
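
Added example (not part of the original post, and not 3Com or GNU binutils code): a small Python decoder for the Motorola S-record format mentioned above. It verifies each record's checksum, rebuilds the binary image and lists printable strings, which is the kind of check an administrator can run over a vendor image to audit it for built-in account strings. The sample records and all function names are constructed for illustration.

```python
import re

# Constructed sample (not taken from any 3Com image): a non-record line,
# two S1 data records with a gap between them, and an S9 terminator.
SAMPLE = """\
header line that is not an S-record
S10F00004558414D504C452D414343549C
S10B001044454D4F31323334F5
S9030000FC
"""

RECORD = re.compile(r"S([0-9])((?:[0-9A-Fa-f]{2})+)")
ADDR_LEN = {"1": 2, "2": 3, "3": 4}  # address bytes in S1/S2/S3 data records


def decode_srec(text):
    """Return {address: byte} for all data records, verifying each checksum."""
    memory = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RECORD.fullmatch(line.strip())
        if not m:
            continue  # skip anything that is not a well-formed S-record line
        rtype, raw = m.group(1), bytes.fromhex(m.group(2))
        count, body, checksum = raw[0], raw[1:-1], raw[-1]
        if count != len(raw) - 1:
            raise ValueError(f"line {lineno}: byte count mismatch")
        # Checksum: ones' complement of the low byte of (count + address + data).
        if (~(count + sum(body)) & 0xFF) != checksum:
            raise ValueError(f"line {lineno}: bad checksum")
        if rtype not in ADDR_LEN:
            continue  # header, count and terminator records carry no image data
        n = ADDR_LEN[rtype]
        addr = int.from_bytes(body[:n], "big")
        for i, value in enumerate(body[n:]):
            memory[addr + i] = value
    return memory


def to_image(memory, fill=0xFF):
    """Flatten to one contiguous image from the lowest to the highest address."""
    if not memory:
        return b""
    return bytes(memory.get(a, fill) for a in range(min(memory), max(memory) + 1))


def printable_strings(image, min_len=4):
    """Runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, image)]


if __name__ == "__main__":
    for s in printable_strings(to_image(decode_srec(SAMPLE))):
        print(s)
```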