Date: Sun, 10 May 1998 14:41:37 -0500 From: Aleph One <aleph1@NATIONWIDE.NET> Subject: Re: 3Com switches - undocumented access level.) To: BUGTRAQ@NETSPACE.ORG Summary of multiple posts on the subject: Riku Meskanen <firstname.lastname@example.org> LanPlex2500/Corebuilder - login: debug - password: synnet LinkSwitch 2700, SuperStack 2700, CellPlex 7000 - login: tech - password: tech SuperStack II 1000 ja SuperStack II 3000 - login: monitor - password: monitor Joel Moses <email@example.com> CoreBuilder 7000-series has the problem. It is safe to change that password on this model. Please note that if you have multiple management cards, each one will have the password enabled. Philippe Regnauld <firstname.lastname@example.org> Netbuilder 2xx (v. SW/NBRO-AB,9.1): Nothing so far. James Robertson <email@example.com> I have checked Netbulder Version 8.4 up to 10.1. None of these versions have a backdoor that I know of. I also scanned the boot images for any hints, none found so far. Also, Superstack II Switch 1100, 3000, 3300 do not have the 'tech' backdoor nor does a scan of the boot image show any hints of the same. There is another way to gain access to a Netbuilder. All 3Com Netbuilders support a remote command. The remote command comes with RBCS ( Remote Boot and Configuration Services ) and Transcend Management Suite. If you are root on a Netbuilder and know the address of someone elses Netbuilder you can remote to their Netbuiler from yours and gain root privelages. Fix: Under System Options, Limit remote access connections to a single station or single subnet. SHow -SYS RemoteManager =============================================== Remote-In allowed from the following addresses: your.ip.subnet.here your.ip.addr.here =============================================== Adam Spiers <firstname.lastname@example.org> My LANplex 2500 seems vulnerable: LANplex 2500 (rev 6.20) - System ID 049bff Software version 4.3.0-7 - Built 11/10/95 03:49:46 PM The debug user id is clearly visible in an ASCII dump of the 4.3.0-20 image downloadable from ftp.3com.com.