3Com switches - undocumented access level.

[monti () MAIL NETURAL COM (Eric Monti)]

I dont know if this is known or documented elsewhere but it took me by
suprise, so here goes.

The recent posts about the rcon user in quake servers have reminded me
that I still havent heard back from 3Com about the following "feature". My
experience has shown that switches are not as much missle chucking fun as
quake, but that isnt to say you cant play games on one. <hyuk>

PROBLEM:
There appears to be a backdoor/undocumented "access level" in current (and
possibly previous) versions of 3Com's "intelligent" and "extended"
switching software for LanPlex/Corebuilder switches. In addition to the
"admin", "read", and "write" accounts, there is a "debug" account with a
password of "synnet" on shipped images (including those available for
download from infodeli.3com.com). The versions of firmware this was tested
under include 7.0.1 and 8.1.1. The debug account appears to have all the
privileges of the admin account plus some "debug" commands not available
to any other ID.

IMPACT:
If you allow "remote administration" (telnet access), well... yeah.

FIX:
Login to the switch with the debug/synnet combo and use the "system
password" command to change this to something non-default. You wont be
able to change the password using the admin account.