
Re: [Fwd: 3Com switches - undocumented access level.]



On Sun, May 10, 1998 at 08:27:53PM -0400, Sunder wrote:
> It is remote access - via telnet!
> 
	This is not that uncommon. We implemented such a backdoor in a
router I worked on the design of some years ago. The magic password
was a function of the model and serial number of the machine (not, as I
remember, a very strong hash either), and different for all boxes. We
(or rather the marketing and support people) felt that leaving a
customer who forgot his password with no option but to reset the router to
its factory defaults was more undesirable than providing a potential
attack point for sophisticated hackers and spooks - the problem being
that there were often days of work in setting up the configuration and
getting it right, and if the customer did not have a good backup, forcing
him to destroy all of his hard-won setup just because he couldn't
remember which wife's name he used as the password wasn't a good deal.
And from a support point of view, helping the turkey to get everything
right again was very expensive and painful, whereas leaving a hole for
a possible sophisticated attacker was not something that cost support
very much even if some bad guy used it to do real damage.

	I think most if not all uses of our backdoor were handled by
having someone in our customer support log in to the machine and
re-establish a password or give the customer the specific master password
for his box - I don't think we ever gave anyone the hash.

	I suspect that a large fraction of alarms, security systems,
PBXs and the like incorporate such backdoors for precisely the same
kinds of reasons - it is simply too catastrophic to reset everything
if someone forgets the password. I know several commercial Unixes
had such backdoors in them for emergency access years ago, and wouldn't
be overwhelmingly surprised if some current OSes still have magic backdoors.

	Of course these holes are dangerous, as it is not beyond possible
for someone with serious criminal intentions to obtain a copy of your product
and slog through the EPROMs/flash memory with a disassembler and determine
the magic algorithm which may give him access to all other machines running
the same basic code, especially if he has some method of poking around
in memory of his target machine or predicting such things as its secret
serial numbers.

-- 
	Dave Emery N1PRE,  [email protected]  DIE Consulting, Weston, Mass. 
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2  5D 27 BD B0 24 88 C3 18
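Added illustration, not from Dave's post and not any vendor's code: a hypothetical recovery scheme of the kind he describes, where the master password is an unkeyed function of model and serial number, placed next to a per-device-key alternative that addresses the two risks he raises at the end (the algorithm being recovered from firmware, and serial numbers being predictable). The function names, the token format, the "RX-100" model, the serials and the fixed timestamps are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# --- Hypothetical weak scheme (constructed; not the real router's algorithm) --
# The recovery password is an unkeyed function of values stamped on the unit.
# Once the function is recovered from firmware, model + serial is all anyone
# needs to compute the password of every unit running that firmware, which is
# exactly the fleet-wide exposure the post warns about.

def unkeyed_recovery_password(model: str, serial: str) -> str:
    digest = hashlib.sha256(f"{model}:{serial}".encode()).hexdigest()
    return digest[:10]


# --- Hardened alternative: random per-device key plus an expiring token -------
# At manufacture each unit receives its own random key, kept in that unit's
# NVRAM and escrowed by vendor support. The firmware carries no fleet-wide
# secret, the key cannot be derived from the serial number, and a token minted
# for one unit is useless on any other unit and after its expiry time.

def provision_device(serial: str) -> bytes:
    # The serial is deliberately ignored: the key must not be derivable from it.
    return secrets.token_bytes(32)


def issue_recovery_token(escrow: dict, serial: str, not_after: int) -> str:
    """Vendor support side: mint a token bound to one serial and an expiry."""
    key = escrow[serial]
    msg = f"{serial}|{not_after}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{not_after}:{tag}"


def device_accepts_token(device_key: bytes, serial: str, token: str, now: int) -> bool:
    """Device side: accept only an unexpired token computed with this unit's key."""
    try:
        not_after_str, tag = token.split(":", 1)
        not_after = int(not_after_str)
    except ValueError:
        return False  # malformed token
    if now > not_after:
        return False  # expired
    msg = f"{serial}|{not_after}".encode()
    expected = hmac.new(device_key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Constructed two-unit fleet; every value should be True."""
    serials = ("SN000123", "SN000124")
    escrow = {s: provision_device(s) for s in serials}
    token = issue_recovery_token(escrow, "SN000123", not_after=1_000_000)
    # Simulate the post's "poking around in memory" of one unit: the attacker
    # has unit 123's key and tries to mint a token for unit 124 with it.
    stolen = {"SN000124": escrow["SN000123"]}
    forged = issue_recovery_token(stolen, "SN000124", not_after=1_000_000)
    return {
        "valid_on_own_unit": device_accepts_token(escrow["SN000123"], "SN000123", token, now=999_000),
        "rejected_after_expiry": not device_accepts_token(escrow["SN000123"], "SN000123", token, now=1_000_001),
        "rejected_on_other_unit": not device_accepts_token(escrow["SN000124"], "SN000124", token, now=999_000),
        "stolen_key_useless_elsewhere": not device_accepts_token(escrow["SN000124"], "SN000124", forged, now=999_000),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point of the contrast is where the secret lives: in the unkeyed scheme it lives in the firmware, so one disassembly compromises the whole product line, while in the per-device scheme a unit's key is only worth that one unit, and even a support employee who has the escrow can hand out nothing more than a token that stops working at its expiry.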