Re: Fwd: Re: 3com

[ericw () FUTUREONE COM (Eric Wanner)]

NMC card?  The only card you can telnet to is the NAC (Network Access
Card, I believe).  The bug appears to be present on this card.

--

Eric Wanner
Head Systems Administrator
FutureOne, Inc.
602-385-3379
http://home.futureone.com
EfNet: holobyte

On Mon, 21 Dec 1998, Entropy wrote:

>   The software that 3com has developed for running the NMC (network
> management card) for the Total Control Hubs is a bit shady.
> After uploading the software ( as one must do) YOU will notice a login
>  account called "adm" with no password.
>   Naturally no one wants the "adm" login there, so they delete it from the
> configuration, and go on  programming the box. Once the box has been
>  programmed and is ready to take calls, it is necessary to save all
> settings, and hardware reset the box, at this point the box is fully
> configured, and ready to
>  take calls. The problem is this, the "adm" login requiring no password, is
>  still there after the hardware reset!!! It cannot be deleted!
>      I have ran a trace route on over 37 ISP's, found there HD box's, and
> have been able to get
>  into 21 of them through this security hole!
>        The admin that programmed the box has no reason to go back into the
> configuration after doing the
> hardware reset, he has already gone over and double checked his settings,
> they all looked good, and hardware reset has gone into action as the last
> step.., he has no clue that the "adm" he has deleted is still there, and
> active.
>       In order to stop the "adm" login one can only dis-able the "adm"
>  login, not delete it....this is the only way to stop the login.
>
>  I have tested this on the current, and last 3 releases of software put out
>  by 3com for the NMC card.  3Com has been notified
>
>  I hope this helps.
>
>  Entr0py