
Re: [Fwd: 3Com switches - undocumented access level.]



Dave Emery wrote:

>         This is not that uncommon.   We implemented such a backdoor in a
> router I worked on the design of some years ago.   The magic password
> was a function of the model and serial number of the machine (not, as I
> remember, a very strong hash either), and different for all boxes.  We
> (or rather the marketing and support people) felt that leaving a
> customer who forgot his password with no option but to reset the router to
> its factory defaults was more undesirable than providing a potential
> attack point for sophisticated hackers and spooks

This is still inexcusable.  It would have been just as simple to include a
hidden reset switch in a panel somewhere that would zap all the passwords
on the router without zapping the config, and maybe send some alarms out
via SNMP in case it wasn't something that was wanted.

That would be something the client could do themselves without opening
security holes.


>         I suspect that a large fraction of alarms, security systems,
> PBXs and the like incorporate such backdoors for precisely the same
> kinds of reasons - it is simply too catastrophic to reset everything
> if someone forgets the password.   I know several commercial Unixes
> had such backdoors in them for emergency access years ago, and wouldn't
> be overwhelmingly surprised if some current OSes still have magic backdoors.

That doesn't mean that the ankle biters won't find them.  For example, I could
put a sniffer on the network coming into the router and call up tech support
and say "Hi, I lost my password, here's my IP address, help, help."

I can then do the same thing a week later with the same router in case the
hash is time dependent, and then later with another router with a different
serial number, and I'll have much info to get started on how your hash works.

Piece of cake.
 
>         Of course these holes are dangerous, as it is not beyond possible
> for someone with serious criminal intentions to obtain a copy of your product
> and slog through the EPROMS/flash memory with a disassembler and determine
> the magic algorithm which may give him access to all other machines running
> the same basic code, especially if he has some method of poking around
> in memory of his target machine or predicting such things as its secret
> serial numbers.

Yep.
 

-- 

=====================================Kaos=Keraunos=Kybernetos==============
.+.^.+.|  Ray Arachelian    |Prying open my 3rd eye.  So good to see |./|\.
..\|/..|[email protected]|you once again. I thought you were      |/\|/\
<--*-->| ------------------ |hiding, and you thought that I had run  |\/|\/
../|\..| "A toast to Odin,  |away chasing the tail of dogma. I opened|.\|/.
.+.v.+.|God of screwdrivers"|my eye and there we were....            |.....
======================= http://www.sundernet.com ==========================
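The recovery design Ray argues for above (a physical switch that clears only the credentials, keeps the configuration, and raises an SNMP alarm) as an added toy model; this is example code written for this page, not anything from the thread or from any 3Com product, and the Router class, the trap list standing in for an SNMP sink, and the event name are all constructed.

```python
# Toy model of a password-recovery path that needs physical presence instead
# of a serial-derived master password.  Everything here is constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Router:
    serial: str
    config: dict                      # running config: interfaces, routes, ...
    password_hash: Optional[str]      # None means "no password set yet"
    traps: list = field(default_factory=list)   # stand-in for an SNMP trap sink
    must_set_password: bool = False

    def login(self, password_hash: str) -> bool:
        """Normal path: a stored hash must exist and must match."""
        return self.password_hash is not None and self.password_hash == password_hash

    def physical_reset(self, button_held: bool) -> bool:
        """Recovery path: requires the hidden switch to be held (physical presence),
        wipes only the credentials, leaves the config intact, and sends an alarm
        so an unwanted reset is noticed by whoever watches the trap sink."""
        if not button_held:
            return False                        # no remote or software trigger exists
        self.password_hash = None
        self.must_set_password = True
        self.traps.append({"event": "authResetByPhysicalSwitch", "serial": self.serial})
        return True

    def set_password(self, new_hash: str) -> None:
        self.password_hash = new_hash
        self.must_set_password = False


def recover(router: Router, new_hash: str) -> dict:
    """Run the sequence an on-site admin would follow and summarise what happened."""
    config_before = dict(router.config)
    reset_ok = router.physical_reset(button_held=True)
    router.set_password(new_hash)
    return {
        "reset_ok": reset_ok,
        "config_preserved": router.config == config_before,
        "alarm_raised": any(t["event"] == "authResetByPhysicalSwitch" for t in router.traps),
        "login_with_new": router.login(new_hash),
    }
```

The property worth checking is that nothing in this path depends on a secret the vendor knows and the customer does not: without the switch in hand, the old credentials stay in force.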