Actually it's not the NMC card, it's the HiPer ARC card. According to USR/3com personnel it is only affected in v4.1.x revisions of the HARC code. As posted, the fix is to disable the account.

> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQat_private]On Behalf Of Entropy
> Sent: Monday, December 21, 1998 11:24 AM
> To: BUGTRAQat_private
> Subject: Fwd: Re: 3com
>
>
> The software that 3com has developed for running the NMC (network
> management card) for the Total Control Hubs is a bit shady.
> After uploading the software (as one must do) YOU will notice a login
> account called "adm" with no password.
> Naturally no one wants the "adm" login there, so they delete it from the
> configuration, and go on programming the box. Once the box has been
> programmed and is ready to take calls, it is necessary to save all
> settings, and hardware reset the box, at this point the box is fully
> configured, and ready to take calls. The problem is this, the "adm"
> login requiring no password, is still there after the hardware reset!!!
> It cannot be deleted!
> I have run a trace route on over 37 ISPs, found their HD boxes, and
> have been able to get into 21 of them through this security hole!
> The admin that programmed the box has no reason to go back into the
> configuration after doing the hardware reset, he has already gone over
> and double checked his settings, they all looked good, and hardware
> reset has gone into action as the last step.., he has no clue that the
> "adm" he has deleted is still there, and active.
> In order to stop the "adm" login one can only disable the "adm"
> login, not delete it....this is the only way to stop the login.
>
> I have tested this on the current, and last 3 releases of software put
> out by 3com for the NMC card. 3Com has been notified.
>
> I hope this helps.
>
> Entr0py