Re: 3Com switches - undocumented access level.

From: Mike Richichi (mrichichat_private)
Date: Tue May 05 1998 - 12:13:53 PDT

    Eric Monti wrote:
    >
    
    > PROBLEM:
    > There appears to be a backdoor/undocumented "access level" in current (and
    > possibly previous) versions of 3Com's "intelligent" and "extended"
    > switching software for LanPlex/Corebuilder switches. In addition to the
    > "admin", "read", and "write" accounts, there is a "debug" account with a
    > password of "synnet" on shipped images (including those available for
    > download from infodeli.3com.com). The versions of firmware this was tested
    > under include 7.0.1 and 8.1.1. The debug account appears to have all the
    > privileges of the admin account plus some "debug" commands not available
    > to any other ID.
    >
    > IMPACT:
    > If you allow "remote administration" (telnet access), well... yeah.
    >
    > FIX:
    > Log in to the switch with the debug/synnet combo and use the "system
    > password" command to change this to something non-default. You won't be
    > able to change the password using the admin account.
    
    It's even worse than it first appears, BTW.  Not only is this backdoor password
    there, but you can change all the other access passwords from the "debug"
    account without having to know the old passwords.  So, someone can lock you out
    of your switch completely.  In addition, they can get to the "underlying OS
    shell", which looks like a very fun place to completely screw things up.
    
    I can verify this works with the LanPlex/CoreBuilder 2500s (all SW versions 7.x
    and 8.x) and the CoreBuilder 3500 (ver 1.0.0.)  I almost cried when I
    had a hardware failure and the 3Com tech told me about this backdoor.
    
    --Mike
    
    --------------------
    Mike Richichi, Assistant Director,     Drew University Academic Technology
    BC-COMPCEN, Madison, NJ 07940        +1 973 408 3840  FAX: +1 973 408 3995
    mailto:mrichichat_private         http://daniel.drew.edu/~mrichich
    "There are only two businesses who call their customers 'users'" -E. Tufte
    


