Re: 3com

[eforcey () PSNW COM (Eric Forcey)]

Actually it's not the NMC card, its the HiPer ARC card.

According to USR/3com personnel it is only affected in v4.1.x revisions
of the HARC code.

As posted, the fix is to disable the account.




> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ () netspace org]On Behalf Of Entropy
> Sent: Monday, December 21, 1998 11:24 AM
> To: BUGTRAQ () netspace org
> Subject: Fwd: Re: 3com
>
>
>   The software that 3com has developed for running the NMC (network
> management card) for the Total Control Hubs is a bit shady.
> After uploading the software ( as one must do) YOU will notice a login
>  account called "adm" with no password.
>   Naturally no one wants the "adm" login there, so they delete it from the
> configuration, and go on  programming the box. Once the box has been
>  programmed and is ready to take calls, it is necessary to save all
> settings, and hardware reset the box, at this point the box is fully
> configured, and ready to
>  take calls. The problem is this, the "adm" login requiring no
> password, is
>  still there after the hardware reset!!! It cannot be deleted!
>      I have ran a trace route on over 37 ISP's, found there HD box's, and
> have been able to get
>  into 21 of them through this security hole!
>        The admin that programmed the box has no reason to go back into the
> configuration after doing the
> hardware reset, he has already gone over and double checked his settings,
> they all looked good, and hardware reset has gone into action as the last
> step.., he has no clue that the "adm" he has deleted is still there, and
> active.
>       In order to stop the "adm" login one can only dis-able the "adm"
>  login, not delete it....this is the only way to stop the login.
>
>  I have tested this on the current, and last 3 releases of
> software put out
>  by 3com for the NMC card.  3Com has been notified
>
>  I hope this helps.
>
>  Entr0py