On Fri, 8 May 1998, Aleph One wrote:

> Riku Meskanen <mesrikat_private> reports that the CellPlex 1000 doesn't
> seem to have the tech user backdoor. He fails to mention the software
> version.
>

Ehem, Model 1000 and 3000 are SuperStacks. There is no CellPlex 1000.

SuperStack 2700, formerly LinkSwitch 2700 (basically same stuff with
little difference in chassis), is an Ethernet switch which can be equipped
with an ATM interface. CellPlex (model 7000 or newer 7000HD) is just a
plain ATM-switch.

I'm sorry about my bad English which may have confused you.

About the versions. The LinkSwitch software version tested (later sold as
SuperStack 2700) was in my first post (shown on login screen), but here
it is again.

    LinkSwitch 2700 Rev 1.0
    Software version Ver. 3.50 - Built Sep 11 1997 11:21:13

The CellPlex "(8) VER: Version" -option from main menu shows,

    CELLplex Software Versions:
    ---------------------------
    Switch Management version:       3.25
    Internal Communication version:  3.2
    I/F Control Card 1 version:      Ver. 3.20
    I/F Control Card 2 version:      Ver. 3.20
    4-PB FPGA Transmit version:      1.0
    4-PB FPGA Receive version:       2.3
    8-PB FPGA Transmit version:      3.2
    8-PB FPGA Receive version:       3.2
    ALC type:                        ALC_87
    R&D version: 3.20N DATE Feb 16 1997: TIME 23:17:24

I can also confirm that debug/synnet worked here for LANPlex2500, for which
system/display shows the following.

    LANplex 2500 (rev 7.19) - System ID 0bc906
    Extended Switching Software
    Version 7.0.1 - Built 06/12/96 05:48:41 PM

But then some new stuff :)

Q: Right, but how about SuperStack II Switch 1000, does it have an
   undocumented access level?

A: Yes, try username "monitor", with password "monitor".

    Version Numbers
    ---------------
    Hardware Version:             3
    Upgradable Software Version:  3.21
    Boot Software Version:        3.10

Q: Is the SuperStack II Switch 3000 also affected, as it's basically
   the same family line?

A: Yes, try same username/password pair monitor/monitor. The tested
   system has version information.

    Version Numbers
    ---------------
    Hardware Version:             5
    Upgradable Software Version:  3.10
    Boot Software Version:        2.10

Q: How did you find these strings?

A: There are two Motorola S format (srec) files in LS1K3_10.SLX
   (software for SuperStack II 1000) and LS3K3_10.SLX (software
   for SuperStack II 3000).

   Extract the first file, i.e. the lines beginning with "S", then

    $ strings --target=srec sfile | less

   Or if you would like to take a better look at the file you may

    $ objcopy -I srec -O binary sfile bfile

   to produce a raw binary image in bfile. The strings and objcopy
   tools are part of the GNU binutils.

Here is also some info on how I got the CellPlex 7000 and LinkSwitch 2700
strings, if someone else would like to take a look.

You need the file ATMMAIN.SL (CellPlex 7000 tftp loadable image).
You can find there is a standard PKZIP header beginning at offset 0xE34.

    00000e30 446d0008 1f8b0000 1f9e0000 504b0304 Dm..........PK..
    00000e40 00000000 0a206e6f 7420696e 20677a69 ..... not in gzi
    00000e50 7020666f 726d6174 0a000000 00000000 p format........

Duh, "1f8b" following the standard PKZIP header shows clearly,

    $ dd if=ATMMAIN.SL bs=`echo "ibase=16; E34;" | bc -q` skip=1 >fish.zip
    145+1 records in
    145+1 records out
    $ unzip fish
    Archive: fish.zip
    warning [fish.zip]: 46300 extra bytes at beginning or within zipfile
      (attempting to process anyway)
    replace ATMSW.STR? [y]es, [n]o, [A]ll, [N]one, [r]ename: A
      inflating: ATMSW.STR
    $

You should not have any trouble locating the plain username and
password strings from ATMSW.STR

Anybody still believe there is a product from 3Com that has no
backdoor? <sigh>.

:-) riku

--
Riku Meskanen <mesrikat_private>
also as: rootat_private, hostmasterat_private, hostmasterat_private, etc.
Systems and network administrator
University of Jyvaskyla
PO-BOX 35, FI-40351 JYVASKYLA, Finland
Voice: +358 14 60 3580
Fax: +358 14 60 3611
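
For anyone auditing a vendor image without binutils at hand, the srec step the post describes (pick out the "S" lines, flatten them to a binary image, list the printable strings) can be reproduced as below. This is an added example, not part of the original post: the function names, the zero fill for address gaps, and the sample records are all constructed for illustration.

```python
import re

ADDR_LEN = {"S1": 2, "S2": 3, "S3": 4}   # address bytes per data record type
RECORD = re.compile(r"(S[0-9])((?:[0-9A-Fa-f]{2})+)")

def make_record(rtype, addr, data=b""):
    """Build one record (used only to construct the sample input below)."""
    body = addr.to_bytes(ADDR_LEN.get(rtype, 2), "big") + data
    count = len(body) + 1
    csum = ~(count + sum(body)) & 0xFF
    return f"{rtype}{count:02X}{body.hex().upper()}{csum:02X}"

def parse_srec(text):
    """Return {address: data} for S1/S2/S3 records, verifying every checksum."""
    chunks = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RECORD.fullmatch(line.strip())
        if not m:
            continue                       # wrapper text around the records
        raw = bytes.fromhex(m.group(2))
        count, body, checksum = raw[0], raw[1:-1], raw[-1]
        if count != len(raw) - 1:
            raise ValueError(f"line {lineno}: byte count mismatch")
        if (~(count + sum(body)) & 0xFF) != checksum:
            raise ValueError(f"line {lineno}: bad checksum")
        n = ADDR_LEN.get(m.group(1))
        if n:                              # S0/S5/S7-S9 carry no image data
            chunks[int.from_bytes(body[:n], "big")] = body[n:]
    return chunks

def to_image(chunks):
    """Flatten records into one zero-filled image; returns (base, bytes)."""
    base = min(chunks)
    image = bytearray(max(a + len(d) for a, d in chunks.items()) - base)
    for addr, data in chunks.items():
        image[addr - base:addr - base + len(data)] = data
    return base, bytes(image)

def printable_strings(image, min_len=4):
    """Runs of printable ASCII at least min_len long, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, image)]

# Constructed sample: one prompt string split across two data records.
SAMPLE = "\n".join([
    "SLX wrapper text (constructed, not a record)",
    make_record("S0", 0, b"HDR"),
    make_record("S1", 0x1000, b"\x00\x01Enter us"),
    make_record("S1", 0x100A, b"er name:\x00\xff"),
    make_record("S9", 0x1000),
])
```

The sample splits one string across two records on purpose: searching the hex text record by record would miss it, which is why the image is flattened before the string scan.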