Bugtraq mailing list archives

NetStructure 7110 console backdoor

From: oblivion () ATSTAKE COM (Brian Oblivion)
Date: Tue, 9 May 2000 14:31:41 -0400


                              @Stake Inc.
                          L0pht Research Labs
                    www.atstake.com     www.L0pht.com

                           Security Advisory

    Advisory Name: NetStructure 7110 console backdoor

     Release Date: May 8th, 2000
      Application: Intel NetStructure 7110 (previously the Ipivot
                   Commerce Accelerator 1000)
         Severity: Box can be compromised through configuration serial
                   port. (potentially remote)
           Status: Vendor contacted, advisory publicly released.

    Full Advisory: http://www.l0pht.com/advisories/ipivot7110.html

           Author: oblivion () atstake com
           Thanks: dildog () atstake com
                   mudge () atstake com

Overview:
---------

     The NetStructure 7110 can be compromised via the admin console
even after the admin password has been changed.  An undocumented command
list exists known as 'wizard' mode.  Through this mode there is a
password that overides the admin password and allows full access to the
internal components of the NetStructure 7110.  This password can be
used from within the admin command line interface or to overide the
admin password at an initial login prompt.

     This undocumented shell password is derived from the primary
ethernet MAC address of the NetStructure 7110.  During the boot process
and before every login, the serial number (the primary ethernet MAC
address), is presented to the user on the console port.  Running the MAC
address into our Ipivot password generator will supply the user with a
default shell password.  The mechanism to change this shell password is
undocumented as well.  The shell password gains the console operator root
privleges on the Ipivot with access to gdb, tcpdump, among other
utilities and xmodem to upload other tools.

Description:
------------

     The NetStructure 7110, was originally a product of Ipivot, and
named the Ipivot Commerce Accelerator 1000.  The oversight affects
NetStructure 7110 as shipped in April 2000.

   -The administrator password is overridden by an undocumented shell
    password.

   -The shell password is derived from the primary ethernet MAC address
    of the NetStructure 7110.

   -In most of the command interface for the NetStructure 7110, interrupts
    are ignored.  However, the password prompt section does not block
    interrupts.  When an interrupt is received in this section, the
    initial login banner is re-displayed.  This banner contains the
    ethernet address of the machine.  This banner is also displayed after
    power-cycling or when exiting a valid session.
        
   -The method to change the shell password is undocumented.

   -Additionally, The shell password is recoverable from the 'admin'
    account.  The running configuration file does not contain an
    explicit entry for the shell password.  Thus, initial runs of the
    'show config' do not display any elements referencing the shell
    password.  However, by attempting to change the shell password via
    the 'shpass' command, the entry is created.  This happens even if
    the attempt to change the password failed.  Subsequent calls to
    'show config' will now show the shell password.  The steps to
    recreate this follow:

                1. enter wizard mode by typing 'wizard'

                2. attempt to change the shell password via the 'shpass'
                   command.

                3. show the new config via the 'show config' command

This leaves all Ipivot/NetStructure 7110's with an undocumented backdoor
which can be accessed through the console port, gaining the unauthorized
user root privledges on the box, above those privledges granted to the
admin password holder.  A few data points make this problem particularly
disturbing:

                . The Ipivot is the device converting https (encrypted)
                  to http (unencrypted).

                . Network sniffing utilities are installed on the Ipivot
                  by default.

                . The secret material that the password is derived from
                  (the ethernet address) can be forced to be displayed at
                  the login prompt.

                . The console port is recommended to be hooked up to a
                  modem in order to perform remote management.

Solution:
---------

1.  Change the admin password after the first login.

2.  Next, Type 'wizard'.  You are now in an undocumented command mode.

3.  Type 'shpass' and change the shell password.  Warning: Do not set the
    shell password to the same as the cli password.

4.  Type 'config save'.

NOTE:   The wizard mode has been known in the computer security community
        for many months.

Vendor Response:
----------------

As a result of this advisory Intel has:

        1.  Setup a security-info mail account which one can notify
            Intel of security issues on their product, where one
            previously did not exist.

        2.  Provided patches for all customers at the following URL:
            http://216.188.41.136 or through an 800 number for customers
            with maintenance agreements.

        Although we were surprised that Intel had no central mechanism to
        handle security reports on their product lines, we applaud them
        in creating such a service and encourage other manufacturers to
        follow suit.
        

Intel's email response:


_______________________________________________________________________

7110 Vendor Response

Intel Corporation takes all comments and publications about the
security of our equipment seriously.  The solutions offerred in
the security alert highlight many of the security recommendations
already present in the user documentation.  In addition, Intel has
proactively produced an 'update' which will do the following:

Overview

This update disables login access to the 7110's service shell account.

Applicability

The NetStructure 7110 software updates and documentation are available
at the following location   http://216.188.41.136.  In addition,
information requests can be sent to security-info () ned intel com.


Proof of concept tool:
----------------------

We will make the proof of concept tools available 5-15-2000 to independently
verify and address the problem.

PalmOS prc and unix source available at:
http://www.l0pht.com/advisories/ipivot.tar.gz

PS: Special thanks to cameo for her inital musings over the ipivot 1000
    and the wizard mode.

Current thread:

Bugtraq Stats for the last 3 years available now., (continued)
- - - Bugtraq Stats for the last 3 years available now. Alfred Huger (May 17)
  - KNapster Vulnerability Compromises User-readable Files Tom Daniels (May 10)
  - Gnapster Vulnerability Compromises User-readable Files Jim Early (May 10)
  - Possible symlink problems with Netscape 4.73 foo (May 10)
  - SSH Authentication Vulnerability John P. McNeely (May 10)
    - Re: [cert] SSH Authentication Vulnerability Ignacio Kadel-Garcia (May 11)
  - Black Watch Labs Vulnerability Alert Black Watch Labs (May 10)
    - issues with free Perl CGI's (Re: Black Watch Labs...) Peter W (May 10)
  - Advisory: Unchecked system(blaat $var blaat) call in Bugzilla 2.8 Frank van Vliet (May 10)
    - Re: Advisory: Unchecked system(blaat $var blaat) call in Bugzilla 2.8 Todd C. Miller (May 10)
- NetStructure 7110 console backdoor Brian Oblivion (May 09)
- NetStructure 7180 remote backdoor vulnerability Brian Oblivion (May 09)
- FreeBSD Security Advisory: FreeBSD-SA-00:16.golddig FreeBSD Security Officer (May 09)
- FreeBSD Security Advisory: FreeBSD-SA-00:17.libmytinfo FreeBSD Security Officer (May 09)
- FreeBSD Security Advisory: FreeBSD-SA-00:18.gnapster FreeBSD Security Officer (May 09)
- Self-Replication Using Gnutella Seth McGann (May 09)
- ALERT: Bypassing Warnings For Invalid SSL Certificates In Netscape Navigator Mitja Kolsek (May 10)