Re: [NSE] accton.nse: OSVDB 67963, Accton products Super User Password Generation Algorithm Weakness

[David Fifield <david () bamsoftware com>]

On Sun, Sep 19, 2010 at 01:24:01PM +0200, Gutek wrote:
> This script aims a one-year unpatched vulnerability hidded in many
> Accton-embedded products, as described by Edwin Eefting, Erik Smit and
> Erwin Drent @HAR2009.
>
> Many switches manufacturers embed Accton products (3Com, Dell, SMC,
> Foundry, EdgeCore and maybe others).
> In august 2009 at the HAR2009 Edwin Eefting, Erik Smit and Erwin Drent
> revealed that Accton
> has left a management backdoor behind (telnet, SSH and HTTP).
> Researchers have released a paper explaining their work:
> http://www.vettebak.nl/hak/accton.pdf
>
> While __super is the login, the password can be guessed (computed) from
> the switches' MAC address.
> This is what this script does. Be advised that it does not check if the
> target is an Accton embedded
> product, neither if the target is actually a vulnerable one: it's
> non-intrusive.

I think this script would be much more useful if it could detect the
backdoor. Is there some pattern of open ports, some unique SSH
signature?

> It would be nicer if the script could retrieve the target's MAC address
> by itself but I didn't find such a function in the NSE libraries.
> Please also note that I did not actually test this script against real
> vulnerable targets: I don't have any at hand. Hence, this script was
> tested against known vulnerable MAC addresses and its results were
> compared with the publishers' ones.

To get a MAC address use host.mac_addr. That only works if Nmap knows it
of course.

http://nmap.org/book/nse-api.html#nse-api-arguments

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/