|-----Original Message----- |From: Bugtraq List [mailto:BUGTRAQat_private]On Behalf Of Entropy |Sent: Monday, December 21, 1998 1:24 PM |To: BUGTRAQat_private |Subject: Fwd: Re: 3com | | | The software that 3com has developed for running the NMC (network |management card) for the Total Control Hubs is a bit shady. This has nothing to do with the NMC card. The "adm" user is on the HiperARC card. |After uploading the software ( as one must do) YOU will notice a login | account called "adm" with no password. | Naturally no one wants the "adm" login there, so they delete it from the |configuration, and go on programming the box. Once the box has been | programmed and is ready to take calls, it is necessary to save all |settings, and hardware reset the box, at this point the box is fully |configured, and ready to | take calls. The problem is this, the "adm" login requiring no password, is | still there after the hardware reset!!! It cannot be deleted! | I have ran a trace route on over 37 ISP's, found there HD box's, and |have been able to get | into 21 of them through this security hole! The 'adm' user is no different than the manage user on the older Netserver product. Both are clearly described in the release notes that they come with no password set. This information is posted on the Totalservice along with the 4.1.11 code. (ftp://totalservice.usr.com/pub/.docs/config.txt) The difference on the newer HARC cards is that you can add more manage users and disable the adm if so desired. The fact that people don't read documentation when they install new software is the cause of this problem. The latest release of code 4.1.72-7 (located on the Totalservice web site) has the ability to delete the "adm" user and it will not come back after a reboot. This posting does serve a purpose since it seem that many have overlooked this and left themselves open. Misconfiguration is often the cause of security breach, but I wouldn't call this a hole. Hopefully those that overlooked this will at least read the release notes next time. Since the manual is out of the question. :). | The admin that programmed the box has no reason to go back into the |configuration after doing the |hardware reset, he has already gone over and double checked his settings, |they all looked good, and hardware reset has gone into action as the last |step.., he has no clue that the "adm" he has deleted is still there, and |active. | In order to stop the "adm" login one can only dis-able the "adm" | login, not delete it....this is the only way to stop the login. | I have tested this on the current, and last 3 releases of software put out | by 3com for the NMC card. 3Com has been notified. Once again. No such password exists on the NMC. It is a item on the HARC. --------------------------------------------------------- Mike Wronski (mikeat_private) Rogue 3Com Network Systems Engineer / BETA Engineer PGP:http://coredump.ae.usr.com/pgp "If at first you do succeed, try not to look astonished."
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:25:41 PDT