Bugtraq mailing list archives
Re: 3Com switches - undocumented access level.)
From: mesrik () cc jyu fi (Riku Meskanen)
Date: Sat, 9 May 1998 12:57:35 +0300
On Fri, 8 May 1998, Aleph One wrote:
> Riku Meskanen <mesrik () cc jyu fi> reports that the CellPlex 1000
> doesn't seem to have the tech user backdoor. He fails to mention the
> software version.
Ehem, Model 1000 and 3000 are SuperStacks. There is no CellPlex 1000. SuperStack 2700, formerly LinkSwitch 2700 (basically same stuff with little difference in chassis), is an ethernet switch which can be equipped with an ATM interface. CellPlex (model 7000 or newer 7000HD) is just a plain ATM-switch.

I'm sorry about my bad English which may have confused you.

About the versions. The LinkSwitch software version tested (later sold as SuperStack 2700) was in my first post (shown on login screen), but here it is again.

    LinkSwitch 2700 Rev 1.0
    Software version Ver. 3.50 - Built Sep 11 1997 11:21:13

The CellPlex "(8) VER: Version" -option from main menu shows,

    CELLplex Software Versions:
    ---------------------------
    Switch Management version: 3.25
    Internal Communication version: 3.2
    I/F Control Card 1 version: Ver. 3.20
    I/F Control Card 2 version: Ver. 3.20
    4-PB FPGA Transmit version: 1.0
    4-PB FPGA Receive version: 2.3
    8-PB FPGA Transmit version: 3.2
    8-PB FPGA Receive version: 3.2
    ALC type: ALC_87
    R&D version: 3.20N DATE Feb 16 1997: TIME 23:17:24

I can also confirm that debug/synnet worked here for LANPlex2500 which system/display shows following.

    LANplex 2500 (rev 7.19) - System ID 0bc906
    Extended Switching Software
    Version 7.0.1 - Built 06/12/96 05:48:41 PM

But then some new stuff :)

Q: Right, but how about SuperStack II Switch 1000, does it have an undocumented access level?

A: Yes, try username "monitor", with password "monitor".

    Version Numbers
    ---------------
    Hardware Version: 3
    Upgradable Software Version: 3.21
    Boot Software Version: 3.10

Q: Is the SuperStack II Switch 3000 also affected, as it's basically the same family line?

A: Yes, try same username/password pair monitor/monitor. The tested system has version information.

    Version Numbers
    ---------------
    Hardware Version: 5
    Upgradable Software Version: 3.10
    Boot Software Version: 2.10

Q: How did you find these strings?

A: There are two Motorola S format (srec) files in LS1K3_10.SLX (software for SuperStack II 1000) and LS3K3_10.SLX (software for SuperStack II 3000). Extract the first file, i.e. the lines beginning with "S", then

    $ strings --target=srec sfile | less

Or if you like to take a better view to the file you may

    $ objcopy -I srec -O binary sfile bfile

to produce raw binary image in bfile. The strings and objcopy are part of the GNU binutils.

Here is also some info how I did get the CellPlex 7000 and LinkSwitch 2700 strings if someone else would like to take a look.

You need the file ATMMAIN.SL (CellPlex 7000 tftp loadable image). You can find there is a standard PKZIP header beginning offset 0xE34.

    00000e30  446d0008 1f8b0000 1f9e0000 504b0304  Dm..........PK..
    00000e40  00000000 0a206e6f 7420696e 20677a69  ..... not in gzi
    00000e50  7020666f 726d6174 0a000000 00000000  p format........

Duh, "1f8b" following the standard PKZIP header shows clearly,

    $ dd if=ATMMAIN.SL bs=`echo "ibase=16; E34;" | bc -q` skip=1 >fish.zip
    145+1 records in
    145+1 records out
    $ unzip fish
    Archive: fish.zip
    warning [fish.zip]: 46300 extra bytes at beginning or within zipfile
      (attempting to process anyway)
    replace ATMSW.STR? [y]es, [n]o, [A]ll, [N]one, [r]ename: A
      inflating: ATMSW.STR
    $

You should not have any trouble locating the plain username and password strings from ATMSW.STR

Anybody still believe there is a product from 3Com that has no backdoor? <sigh>.

:-) riku

--
Riku Meskanen <mesrik () cc jyu fi>
also as: root () jyu fi, hostmaster () jyu fi, hostmaster () co jyu fi, etc.
Systems and network administrator
University of Jyvaskyla
PO-BOX 35, FI-40351 JYVASKYLA, Finland
Voice: +358 14 60 3580
Fax: +358 14 60 3611
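The S-record step described in the message above, as an added example that is not part of the original post: a Python decoder that checks each record's byte count and checksum, rebuilds the binary image, and lists printable strings with their offsets, which is the review an operator can run on a firmware image to spot hard-coded account strings before deployment. The sample records and the strings in them are constructed, and `make_record` is a hypothetical helper that exists only to build that sample.

```python
import re

RECORD = re.compile(r"^S([0-9])((?:[0-9A-Fa-f]{2})+)$")
ADDR_BYTES = {"1": 2, "2": 3, "3": 4}   # data record type -> address width

def make_record(rtype, addr, data):
    """Build one S-record line (used only to construct the sample below)."""
    body = addr.to_bytes(ADDR_BYTES[rtype], "big") + data
    raw = bytes([len(body) + 1]) + body          # count covers addr+data+checksum
    return "S%s%s%02X" % (rtype, raw.hex().upper(), 0xFF - (sum(raw) & 0xFF))

def decode_srec(text):
    """Return (image, base address) built from the S1/S2/S3 data records."""
    chunks = {}
    for n, line in enumerate(text.splitlines(), 1):
        m = RECORD.match(line.strip())
        if not m:
            continue                             # wrapper text, not a record
        raw = bytes.fromhex(m.group(2))
        if raw[0] != len(raw) - 1:
            raise ValueError("line %d: byte count mismatch" % n)
        if (sum(raw) & 0xFF) != 0xFF:
            raise ValueError("line %d: bad checksum" % n)
        width = ADDR_BYTES.get(m.group(1))
        if width:                                # S0/S5/S7-S9 carry no image data
            chunks[int.from_bytes(raw[1:1 + width], "big")] = raw[1 + width:-1]
    if not chunks:
        raise ValueError("no data records found")
    base = min(chunks)
    image = bytearray(b"\xff") * (max(a + len(d) for a, d in chunks.items()) - base)
    for addr, data in chunks.items():            # gaps stay filled with 0xFF
        image[addr - base:addr - base + len(data)] = data
    return bytes(image), base

def printable_strings(image, min_len=4):
    """Like strings(1): runs of printable ASCII with their offsets in the image."""
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, image)]

# Constructed sample: two data records with a gap, a non-record line, a terminator.
SAMPLE = "\n".join([
    "vendor wrapper line",
    make_record("1", 0x1000, b"\x00\x01Enter user name:\x00"),
    make_record("1", 0x1020, b"\x02sample-account\x00\x03"),
    "S9030000FC",
])

if __name__ == "__main__":
    image, base = decode_srec(SAMPLE)
    print([(hex(base + off), s) for off, s in printable_strings(image)])
```

A record with a bad checksum raises `ValueError` rather than being skipped, so a truncated or altered image is noticed before its strings are trusted.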