Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: 3Com switches - undocumented access level.)
From: aleph1 () NATIONWIDE NET (Aleph One)
Date: Sun, 10 May 1998 14:41:37 -0500


Summary of multiple posts on the subject:

Riku Meskanen <mesrik () cc jyu fi>

LanPlex2500/Corebuilder
- login:    debug
- password: synnet

LinkSwitch 2700, SuperStack 2700, CellPlex 7000
- login:    tech
- password: tech

SuperStack II 1000 ja SuperStack II 3000
- login:    monitor
- password: monitor


Joel Moses <jmoses () dttus com>

CoreBuilder 7000-series has the problem. It is safe to change that
password on this model. Please note that if you have multiple management
cards, each one will have the password enabled.


Philippe Regnauld <regnauld () deepo prosa dk>

Netbuilder 2xx (v. SW/NBRO-AB,9.1): Nothing so far.


James Robertson <james () hal utmb edu>

I have checked Netbulder Version 8.4 up to 10.1. None of these versions
have a backdoor that I know of. I also scanned the boot images for any
hints, none found so far.

Also, Superstack II Switch 1100, 3000, 3300 do not have the 'tech'
backdoor nor does a scan of the boot image show any hints of the same.

There is another way to gain access to a Netbuilder. All 3Com Netbuilders
support a remote command. The remote command comes with RBCS ( Remote Boot
and Configuration Services ) and Transcend Management Suite.

If you are root on a Netbuilder and know the address of someone elses
Netbuilder you can remote to their Netbuiler from yours and gain root
privelages.

Fix:
Under System Options, Limit remote access connections to a single station
or single subnet.

 SHow -SYS RemoteManager
===============================================
Remote-In allowed from the following addresses:
      your.ip.subnet.here      your.ip.addr.here
===============================================


Adam Spiers <adam () thelonious new ox ac uk>

My LANplex 2500 seems vulnerable:

LANplex 2500 (rev 6.20) - System ID 049bff
Software version 4.3.0-7 - Built 11/10/95 03:49:46 PM

The debug user id is clearly visible in an ASCII dump of the 4.3.0-20
image downloadable from ftp.3com.com.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault