Nmap Development mailing list archives

[NSE] accton.nse: OSVDB 67963, Accton products Super User Password Generation Algorithm Weakness


From: Gutek <ange.gutek () gmail com>
Date: Sun, 19 Sep 2010 13:24:01 +0200



Hi list,

This script aims at a one-year unpatched vulnerability hidden in many
Accton-embedded products, as described by Edwin Eefting, Erik Smit and
Erwin Drent @HAR2009.

Many switch manufacturers embed Accton products (3Com, Dell, SMC,
Foundry, EdgeCore and maybe others).
In August 2009 at HAR2009, Edwin Eefting, Erik Smit and Erwin Drent
revealed that Accton
has left a management backdoor behind (telnet, SSH and HTTP).
Researchers have released a paper explaining their work:
http://www.vettebak.nl/hak/accton.pdf

While __super is the login, the password can be guessed (computed) from
the switches' MAC address.
This is what this script does. Be advised that it does not check if the
target is an Accton embedded
product, nor if the target is actually a vulnerable one: it's
non-intrusive.

It would be nicer if the script could retrieve the target's MAC address
by itself but I didn't find such a function in the NSE libraries.
Please also note that I did not actually test this script against real
vulnerable targets: I don't have any at hand. Hence, this script was
tested against known vulnerable MAC addresses and its results were
compared with the publishers' ones.



Best regards,

A.G.

Attachment: accton.nse

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
