Home page logo

bugtraq logo Bugtraq mailing list archives

Re: 3Com switches - undocumented access level.)
From: mesrik () cc jyu fi (Riku Meskanen)
Date: Sat, 9 May 1998 12:57:35 +0300

On Fri, 8 May 1998, Aleph One wrote:
Riku Meskanen <mesrik () cc jyu fi> reports that the CellPlex 1000 doesn't
seem to have the tech user backdoor. He fails to mention the software

Ehem, Model 1000 and 3000 are SuperStacks. There is no CellPlex 1000.

SuperStack 2700, formerly LinkSwitch 2700 (basically same stuff
with little difference in chassis), is ethernet switch which can
be equiped wit ATM interface.

CellPlex (model 7000 or newer 7000HD) is just a plain ATM-switch.

I'm sorry about my bad english which may have confused you.

About the versions. The LinkSwitch softare version tested (later sold as
SuperStack 2700)  was on my first post (shown on login screen), but here
is it again.

  LinkSwitch 2700 Rev 1.0
  Software version Ver.  3.50  - Built Sep 11 1997 11:21:13

The CellPlex "(8) VER: Version" -option from main menu shows,

  CELLplex Software Versions:

  Switch Management version:      3.25
  Internal Communication version: 3.2
  I/F Control Card 1 version:     Ver.  3.20
  I/F Control Card 2 version:     Ver.  3.20
  4-PB FPGA Transmit version:     1.0
  4-PB FPGA Receive  version:     2.3
  8-PB FPGA Transmit version:     3.2
  8-PB FPGA Receive  version:     3.2
  ALC type:                       ALC_87
  R&D version:                    3.20N

  DATE Feb 16 1997:  TIME 23:17:24

I can also confirm that debug/synnet worked here for LANPlex2500
which system/display shows following.

  LANplex 2500 (rev 7.19) - System ID 0bc906
  Extended Switching Software
  Version 7.0.1 - Built 06/12/96 05:48:41 PM

But then some new stuff :)

  Q: Right, but how about SuperStack II Switch 1000, does it has
     undocumented access level?

  A: Yes, try username "monitor", with password "monitor".

        Version Numbers
        Hardware Version:                       3
        Upgradable Software Version:            3.21
        Boot Software Version:                  3.10

  Q: Is the SuperStack II Switch 3000 also affected, as it's basically
     same the same family line.

  A: Yes, try same username/password pair monitor/monitor.
     The tested system has version information.

        Version Numbers
        Hardware Version:                       5
        Upgradable Software Version:            3.10
        Boot Software Version:                  2.10

  Q: How did you find these strings.

  A: There are two Motorola S format (srec) files in
     LS1K3_10.SLX (software for SuperStack II 1000) and
     LS3K3_10.SLX (software for SuperStack II 3000).

     Extract the first file, ie. the lines begining
     with "S", then

     $ strings --target=srec sfile | less

     Or if you like to take a better view to the file
     you may

     $ objcopy -I srec -O binary sfile bfile

     to produce raw binary image in bfile.

The strings and obcopy are part of the GNU binutils.

Here is also some info how I did get the CellPlex 7000 and
LinkSwitch 2700 strings if someone else would like to take
a look.

You need the file ATMMAIN.SL (CellPlex 7000 tftp loadable image).
You can find there is a standard PKZIP header beginning offset 0xE34.

  00000e30    446d0008 1f8b0000 1f9e0000 504b0304    Dm..........PK..
  00000e40    00000000 0a206e6f 7420696e 20677a69    ..... not in gzi
  00000e50    7020666f 726d6174 0a000000 00000000    p format........

  Duh, "1f8b" following the standard PKZIP header shows clearly,

  $ dd if=ATMMAIN.SL bs=`echo "ibase=16; E34;" | bc -q` skip=1 >fish.zip
  145+1 records in
  145+1 records out
  $ unzip fish
  Archive:  fish.zip
  warning [fish.zip]:  46300 extra bytes at beginning or within zipfile
    (attempting to process anyway)
  replace ATMSW.STR? [y]es, [n]o, [A]ll, [N]one, [r]ename: A
    inflating: ATMSW.STR

You should not have any trouble locating the plain username
and password strings from ATMSW.STR

Anybody still believe there is a product from 3Com that has no
backdoor? <sigh>.

:-) riku

Riku Meskanen <mesrik () cc jyu fi>     also as: root () jyu fi, hostmaster () jyu fi,
Systems and network administrator             hostmaster () co jyu fi, etc.
University of Jyvaskyla                Voice: +358 14 60 3580
PO-BOX 35, FI-40351 JYVASKYLA, Finland   Fax: +358 14 60 3611

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]