[Fwd: 3Com switches - undocumented access level.]
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: 3Com switches - undocumented access level.
From: Toh Chang Ying <cytoh@PLEXUS.NET>
Date: Fri, 8 May 1998 18:42:47 +0800
Approved-By: aleph1@NATIONWIDE.NET
Organization: HICOM Teleservices
Reply-To: "cytoh@plexus.net" <cytoh@plexus.net>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>

The sender was deleted to prevent flames. Don't flame me either. I'm just a poor 3Com user.

-----Original Message-----
From:
Sent: Friday, May 08, 1998 3:32 PM
Subject: Re: FW: 3Com switches - undocumented access level.

Toh,

Thank you for bringing this up for our attention. First of all, let me assure you that the undocumented access level for the LANplex/CoreBuilder products is purely for support reasons than anything else. We have many cases where customers will forget their passwords or user IDs and find themselves in a spot as they could not get in to the console. This is the only way we can help them to recover from this situation without losing their entire configuration. As far as I know, many vendors also have some kind of special access methods to assist their customers under such circumstances. These special access methods are for 3Com support persons only and are revealed to customers under very special circumstances.

Because the CoreBuilders/LANplex are typically deployed at the core of a network, the config for this equipment is typically complex and very important to the customers. As such, these methods can save the customer a lot of time and inconvenience by recovering their proper access to the equipment. If we have to set this equipment to factory default every time a customer loses his/her password, we will be in a lot of trouble.

As for the stackables, I believe we do not have this access method. That's because this equipment is plug n play and does not have many parameters to reconfigure. In the event a customer loses his/her password, we can just set everything back to factory default.

Regards,

**********  http://www.plexus.net/  ***********
Toh Chang Ying, MCP, Network Operation Centre
HICOM Teleservices Sdn Bhd (323218-A)
Suite 3.5, Wisma HICOM, 2 Jln Usahawan U1/8
40150 Shah Alam, Malaysia
Email: cytoh@plexus.net
Since you didn't specify the method of access, it is hard to determine if this is a large security hole. Most equipment can be rebooted and brought up without a password IF you have local access. For example, Cisco routers can be brought up without password simply by specifying the starting address of the load file, but you have to be at the local console to do this. UNIX systems can be brought up w/o password in single-user mode, if you have local access. Yes, there are firmware passwords to guard against this on many systems, but one can always swap out the EEPROM, etc.

I'd only be worried about the 3Com backdoor if it can be used remotely. Got any details?

-r.w.
It is remote access - via telnet!

Rabid Wombat wrote:

> Since you didn't specify the method of access, it is hard to determine if this is a large security hole. Most equipment can be rebooted and brought up without a password IF you have local access. For example, Cisco routers can be brought up without password simply by specifying the starting address of the load file, but you have to be at the local console to do this.
>
> UNIX systems can be brought up w/o password in single-user mode, if you have local access. Yes, there are firmware passwords to guard against this on many systems, but one can always swap out the EEPROM, etc.
>
> I'd only be worried about the 3Com backdoor if it can be used remotely. Got any details?
>
> -r.w.
--
Ray Arachelian <sunder@sundernet.com>  http://www.sundernet.com
"A toast to Odin, God of screwdrivers"
Prying open my 3rd eye. So good to see you once again. I thought you were hiding, and you thought that I had run away chasing the tail of dogma. I opened my eye and there we were....
On Sun, May 10, 1998 at 08:27:53PM -0400, Sunder wrote:
> It is remote access - via telnet!
This is not that uncommon. We implemented such a backdoor in a router I worked on the design of some years ago. The magic password was a function of the model and serial number of the machine (not as I remember a very strong hash either), and different for all boxes.

We (or rather the marketing and support people) felt that leaving a customer who forgot his password with no option but reset the router to its factory defaults was more undesirable than providing a potential attack point for sophisticated hackers and spooks - the problem being that there was often days of work in setting up the configuration and getting it right, and if the customer did not have a good backup, forcing him to destroy all of his hard won setup just because he couldn't remember which wife's name he used as the password wasn't a good deal. And from a support point of view, helping the turkey to get everything right again was very expensive and painful, whereas leaving a hole for a possible sophisticated attacker was not something that cost support very much even if some bad guy used it to do real damage.

I think most if not all uses of our backdoor were handled by having someone in our customer support log in to the machine and re-establish a password or give the customer the specific master password for his box - I don't think we ever gave anyone the hash.

I suspect that a large fraction of alarms, security systems, PBXs and the like incorporate such backdoors for precisely the same kinds of reasons - it is simply too catastrophic to reset everything if someone forgets the password. I know several commercial Unixes had such backdoors in them for emergency access years ago, and wouldn't be overwhelmingly surprised if some current OSes still have magic backdoors.

Of course these holes are dangerous, as it is not beyond possible for someone with serious criminal intentions to obtain a copy of your product and slog through the EPROMs/flash memory with a disassembler and determine the magic algorithm which may give him access to all other machines running the same basic code, especially if he has some method of poking around in memory of his target machine or predicting such things as its secret serial numbers.

--
Dave Emery N1PRE, die@die.com
DIE Consulting, Weston, Mass.
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2 5D 27 BD B0 24 88 C3 18
Dave Emery wrote:
> This is not that uncommon. We implemented such a backdoor in a router I worked on the design of some years ago. The magic password was a function of the model and serial number of the machine (not as I remember a very strong hash either), and different for all boxes. We (or rather the marketing and support people) felt that leaving a customer who forgot his password with no option but reset the router to its factory defaults was more undesirable than providing a potential attack point for sophisticated hackers and spooks
This is still inexcusable. It would have been just as simple to include a hidden reset switch in a panel somewhere that would zap all the passwords on the router without zapping the config, and maybe send some alarms out via SNMP in case it wasn't something that was wanted. That would be something the client could do themselves without opening security holes.
> I suspect that a large fraction of alarms, security systems, PBXs and the like incorporate such backdoors for precisely the same kinds of reasons - it is simply too catastrophic to reset everything if someone forgets the password. I know several commercial Unixes had such backdoors in them for emergency access years ago, and wouldn't be overwhelmingly surprised if some current OSes still have magic backdoors.
That doesn't mean that the ankle biters won't find them. For example, I could put a sniffer on the network coming into the router and call up tech support and say "Hi, I lost my password, here's my IP address, help, help." I can then do the same thing a week later with the same router in case the hash is time dependent, and then later with another router with a different serial number, and I'll have much info to get started on how your hash works. Piece of cake.
> Of course these holes are dangerous, as it is not beyond possible for someone with serious criminal intentions to obtain a copy of your product and slog through the EPROMs/flash memory with a disassembler and determine the magic algorithm which may give him access to all other machines running the same basic code, especially if he has some method of poking around in memory of his target machine or predicting such things as its secret serial numbers.
Yep.

--
Ray Arachelian <sunder@sundernet.com>  http://www.sundernet.com
On Mon, May 11, 1998 at 10:50:17AM -0400, Sunder wrote:
> Dave Emery wrote:
>
>> This is not that uncommon. We implemented such a backdoor in a router I worked on the design of some years ago. The magic password was a function of the model and serial number of the machine (not as I remember a very strong hash either), and different for all boxes. We (or rather the marketing and support people) felt that leaving a customer who forgot his password with no option but reset the router to its factory defaults was more undesirable than providing a potential attack point for sophisticated hackers and spooks
>
> This is still inexcusable. It would have been just as simple to include a hidden reset switch in a panel somewhere that would zap all the passwords on the router without zapping the config, and maybe send some alarms out via SNMP in case it wasn't something that was wanted.
It took a great deal of earnest debate to get any kind of reset switch implemented at all - they cost some amount of money and room in the box, and there were those who held that having a switch there could invite nervous diddlers to reset the machine, causing a crash. So having several was harder to sell. We eventually settled on two, one which would reset to defaults when pressed at the same time as the other, which simply rebooted. The need to reset a box whose configuration was terminally screwed up to factory defaults was acutely felt by the support people, who had to pay a lot to swap out or service onsite a box that someone had misconfigured so it wouldn't talk to its serial ports (which was unfortunately possible).

I don't think those of us who were not happy with the backdoor would have been much happier with a switch that just magically reset passwords, since that would have allowed someone with a moment's unguarded physical access to the box in a wiring closet somewhere to get in (perhaps hours later from a safe haven via the network) without necessarily causing a disruption that might be noticed and investigated (and not everyone back then had reliable SNMP management and alarms running). The solution we chose forced someone with that kind of transient physical access to completely take the machine off line for minutes or hours while restoring the configuration, which was much likelier to be observed (and required the intruder know the old configuration in the first place). We felt this made our reset switches less of a hazard from 30 second quicky attacks - attacks much easier to pull off than having enough time connected to the box on a terminal or laptop to restore the old configuration.
>> I suspect that a large fraction of alarms, security systems, PBXs and the like incorporate such backdoors for precisely the same kinds of reasons - it is simply too catastrophic to reset everything if someone forgets the password. I know several commercial Unixes had such backdoors in them for emergency access years ago, and wouldn't be overwhelmingly surprised if some current OSes still have magic backdoors.
>
> That doesn't mean that the ankle biters won't find them. For example, I could put a sniffer on the network coming into the router and call up tech support and say "Hi, I lost my password, here's my IP address, help, help."
No doubt. Generally there was some minimal effort to ensure that the person calling tech support was legit (callbacks, lists of contact names and so forth) but there is probably little doubt that a clever social engineer could perhaps have gotten a box password that way - although there would certainly have been a trail left that could have been followed. For the paranoid we encouraged use of dial up modems on the console port rather than network access.
> I can then do the same thing a week later with the same router in case the hash is time dependent, and then later with another router with a different serial number, and I'll have much info to get started on how your hash works.
>
> Piece of cake.
Calling up for emergency help with lost passwords was fortunately not a very common occurrence, and generally was noted and investigated. While our hash wasn't wonderful, I don't think it would have been easy to obtain enough password/router pairs by calling tech support to break it that way. Would have been much easier to obtain a box and disassemble the code. And that would have left no trail.

--
Dave Emery N1PRE, die@die.com
DIE Consulting, Weston, Mass.
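The two recovery designs argued over above, Dave Emery's support password computed from model and serial number versus a random per-device recovery secret held by the vendor and released only against a logged, verified support request, side by side. This is a constructed Python example added here, not code from any poster or vendor; the model names, serial numbers and the derivation formula are invented stand-ins.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def derived_support_password(model: str, serial: str) -> str:
    """Design A (the one described in the thread): the recovery password is a
    deterministic function of public identifiers. The formula here is a
    constructed stand-in, not any vendor's real algorithm."""
    digest = hashlib.sha256(f"{model}:{serial}".encode()).hexdigest()
    return digest[:12]


def exposure_once_function_known(model: str, serials: List[str]) -> Dict[str, str]:
    """Whoever learns the function (firmware disassembly, or enough
    serial/password pairs) gets the password of every box from its serial
    number alone; there is no per-device secret standing in the way."""
    return {s: derived_support_password(model, s) for s in serials}


@dataclass
class RecoveryEscrow:
    """Design B: a random per-device recovery secret generated at manufacture
    and held by the vendor. It is released only for a verified contact with a
    support ticket, and every request, granted or denied, leaves a trail."""
    secret_by_serial: Dict[str, str] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def enroll(self, serial: str) -> None:
        # 128 random bits: cannot be computed from the model or serial number
        self.secret_by_serial[serial] = secrets.token_hex(16)

    def release(self, serial: str, ticket: str, contact_verified: bool) -> Optional[str]:
        if not contact_verified or serial not in self.secret_by_serial:
            self.audit_log.append(f"DENIED serial={serial} ticket={ticket}")
            return None
        self.audit_log.append(f"RELEASED serial={serial} ticket={ticket}")
        return self.secret_by_serial[serial]
```

In design A the vendor's only protection is keeping the formula secret, which the thread notes does not survive a disassembler; in design B compromising one box's secret says nothing about any other box.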
To my knowledge (and the rather credible statements of several 3Com representatives), there are: No undocumented accesses to SS 1000, 1100, 3000, 3300. There is one documented access to the CB7000, but that can easily be removed (i.e. log in with the magic username and change the password). We did that at our site, as we never ever forgot a password to our equipment (yet). So, what's the hype? The "backdoor" is only for clueless users, not serious companies with a security policy.

-----------------------------------------------------
Fatum favet volenti. (anon)
-----------------------------------------------------
Remo Pini                    T: +41 1 350 28 88
Pini Computer Trading        N: +41 79 216 15 51
http://www.rpini.com/        Email: rp@rpini.com
-----------------------------------------------------