Default password in Bay Networks switches.

[jkb () BEST COM (Jan B. Koum)]

        Ok.. so you would think after 3Com $%#& up last year of inserting
        default password into firmware vendors would learn their lesson?
        [See http://geek-girl.com/bugtraq/1998_2/0340.html for 3com rant]

        Hah! Welcome to the world of strings and Bay Networks firmware
        files. I have looked at some bay networks switches and see that
        the following have default password of "NetICs"

BayStack 350T   HW:RevC  FW:V1.01 SW:V1.2.0.10
BayStack 350T   HW:RevC  FW:V1.01 SW:V2.0.0.15

        These however I was not able to find defaults for:

BayStack 350-24T HW:RevA  FW:V1.04 SW:V1.0.0.2
Bay Networks BayStack 303 Ethernet Switch
BayStack 28115/ADV Fast Ethernet Switch

        If you have firmware images for the above, just

% strings *.img | grep -B5 "Invalid Password"

        Something similar to this command might give you the passwd.
        Of course I don't have to tell you about how bad it is when
        someone can control your network infrastructure (switches).

        I don't have much experience with Bay hardware (in fact, I have
        none - someone at work just asked me to help them get into a
        switch for which they forgot the password). If someone can
        shed some light on this topic, it would be great.

        And yes, I consider this to be a backdoor - wouldn't you call it
        a backdoor if Solaris had default password for root logins?
        How can vendors in 1999 even THINK about something as stupid as
        inserting a default password like this into a switch!?!?
        Granted - I am almost sure Bay didn't have evil intentions for
        the use .. but still. I am speechless.

-- Yan


P.S. - Greetz to the inhabitants of #!adm and #!w00w00