baystack.switch.passwd.txt

1999-08-17T00:00:00
ID PACKETSTORM:12099
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
Date: Wed, 10 Mar 1999 14:48:58 -0800  
From: Jan B. Koum <jkb@BEST.COM>  
To: BUGTRAQ@netspace.org  
Subject: Default password in Bay Networks switches.  
  
Ok.. so you would think after 3Com $%#& up last year of inserting  
default password into firmware vendors would learn their lesson?  
[See http://geek-girl.com/bugtraq/1998_2/0340.html for 3com rant]  
  
Hah! Welcome to the world of strings and Bay Networks firmware  
files. I have looked at some bay networks switches and see that  
the following have default password of "NetICs"  
  
BayStack 350T HW:RevC FW:V1.01 SW:V1.2.0.10  
BayStack 350T HW:RevC FW:V1.01 SW:V2.0.0.15  
  
These however I was not able to find defaults for:  
  
BayStack 350-24T HW:RevA FW:V1.04 SW:V1.0.0.2  
Bay Networks BayStack 303 Ethernet Switch  
BayStack 28115/ADV Fast Ethernet Switch  
  
If you have firmware images for the above, just  
  
% strings *.img | grep -B5 "Invalid Password"  
  
Something similar to this command might give you the passwd.  
Of course I don't have to tell you about how bad it is when  
someone can control your network infrastructure (switches).  
  
I don't have much experience with Bay hardware (in fact, I have  
none - someone at work just asked me to help them get into a  
switch for which they forgot the password). If someone can  
shed some light on this topic, it would be great.  
  
And yes, I consider this to be a backdoor - wouldn't you call it  
a backdoor if Solaris had default password for root logins?  
How can vendors in 1999 even THINK about something as stupid as  
inserting a default password like this into a switch!?!?  
Granted - I am almost sure Bay didn't have evil intentions for  
the use .. but still. I am speechless.  
  
-- Yan  
  
  
P.S. - Greetz to the inhabitants of #!adm and #!w00w00  
  
------------------------------------------------------------------------------  
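
An added example, not part of the original posts: the `strings *.img | grep -B5 "Invalid Password"` check from the message above, written as a Python audit that an administrator can run over firmware images for their own equipment before deployment. The sample image bytes are constructed; the markers other than "Invalid Password" and the short-token heuristic are assumptions.

```python
import re

# Auth-failure prompts to anchor on. "Invalid Password" comes from the post;
# the other two markers are assumptions added for illustration.
MARKERS = (b"Invalid Password", b"Login incorrect", b"Access denied")
MIN_LEN = 4   # minimum run length, the same default strings(1) uses
CONTEXT = 5   # number of strings kept before each marker, like grep -B5

def printable_runs(blob, min_len=MIN_LEN):
    """Yield (offset, text) for each run of printable ASCII, roughly strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), m.group().decode("ascii")

def audit_image(blob, markers=MARKERS, context=CONTEXT):
    """Return one finding per marker hit, with the strings stored just before it."""
    runs = list(printable_runs(blob))
    findings = []
    for i, (off, text) in enumerate(runs):
        hit = next((m.decode() for m in markers if m.decode() in text), None)
        if hit is None:
            continue
        before = runs[max(0, i - context):i]
        # Heuristic (assumption): a literal credential is a short token without spaces.
        candidates = [t for _, t in before if " " not in t and len(t) <= 16]
        findings.append({"marker": hit, "offset": off, "candidates": candidates})
    return findings

# Constructed sample, not a real firmware image: binary padding around a few
# strings, with the password from the thread placed before the failure prompt.
SAMPLE_IMAGE = (
    b"\x7f\x00\x01\x02BayStack 350T\x00\x00\x13\x88"
    b"Enter Password:\x00NetICs\x00\x00\x01Invalid Password\x00"
    b"\xff\xfe\x00TELNET Configuration...\x00\x90\x90"
)

if __name__ == "__main__":
    for f in audit_image(SAMPLE_IMAGE):
        print(f"{f['marker']!r} at offset {f['offset']}: review {f['candidates']}")
```

Any candidate reported next to an authentication prompt should be treated as a possible built-in credential and raised with the vendor or checked against the device's telnet and console behaviour.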
  
Date: Wed, 10 Mar 1999 17:06:05 -0700  
From: Dax Kelson <dkelson@INCONNECT.COM>  
To: BUGTRAQ@netspace.org  
Subject: Re: Default password in Bay Networks switches.  
  
On Wed, 10 Mar 1999, Jan B. Koum wrote:  
  
> Ok.. so you would think after 3Com $%#& up last year of inserting  
> default password into firmware vendors would learn their lesson?  
> [See http://geek-girl.com/bugtraq/1998_2/0340.html for 3com rant]  
>  
> Hah! Welcome to the world of strings and Bay Networks firmware  
> files. I have looked at some bay networks switches and see that  
> the following have default password of "NetICs"  
  
The Bay Networks case number for this bug/oversight is: 990310-614  
  
Normally "backdoor" passwords on Bay gear only work through the console.  
  
Dax Kelson  
Internet Connect, Inc.  
  
------------------------------------------------------------------------------  
  
Date: Wed, 10 Mar 1999 17:16:53 -0800  
From: Jon Green <jogreen@NORTELNETWORKS.COM>  
To: BUGTRAQ@netspace.org  
Subject: Re: Default password in Bay Networks switches.  
  
> And yes, I consider this to be a backdoor - wouldn't you call it  
> a backdoor if Solaris had default password for root logins?  
> How can vendors in 1999 even THINK about something as stupid as  
> inserting a default password like this into a switch!?!?  
> Granted - I am almost sure Bay didn't have evil intentions for  
> the use .. but still. I am speechless.  
  
This was fixed in version 2.0.3.4 of the BS350 code last November.  
The backdoor is still there for console access, but not for telnet.  
This problem only affected the Baystack 350T and 350F, it did not  
affect the 350-24T or 450. Also, note that the 350 has always had the  
ability to limit telnet logins to certain source addresses; it is  
recommended that that feature be used.  
  
Software upgrades for the 350 can be found at  
http://support.baynetworks.com under Software. If you don't  
have a support contract, call (800) 2LANWAN.  
  
-Jon  
  
-------------------------------------------------------------------  
Jon Green                          4301 Great America Pkwy  
Senior Competitive Test Engineer   Santa Clara, CA 95054  
Nortel Networks                    (408) 495-2618 Voice  
jogreen@nortelnetworks.com         (408) 495-4540 Fax  
-------------------------------------------------------------------  
  
------------------------------------------------------------------------------  
  
Date: Thu, 11 Mar 1999 15:29:26 -0800  
From: Igor Sviridov <sia@nest.org>  
To: BUGTRAQ@netspace.org  
Subject: Re: Default password in Bay Networks switches.  
  
On Wed, Mar 10, 1999 at 02:48:58PM -0800, Jan B. Koum wrote:  
  
> Ok.. so you would think after 3Com $%#& up last year of inserting  
> default password into firmware vendors would learn their lesson?  
> [See http://geek-girl.com/bugtraq/1998_2/0340.html for 3com rant]  
>  
> Hah! Welcome to the world of strings and Bay Networks firmware  
> files. I have looked at some bay networks switches and see that  
> the following have default password of "NetICs"  
>  
> BayStack 350T HW:RevC FW:V1.01 SW:V1.2.0.10  
> BayStack 350T HW:RevC FW:V1.01 SW:V2.0.0.15  
  
Also works on:  
  
BayStack 350T-HD HW:RevA FW:V1.03 SW:V2.0.2.1 (24 port)  
BayStack 350T HW:RevC FW:V1.00 SW:V2.0.2.1 (16 port)  
  
Does not work on:  
  
BayStack 450-24T HW:RevB FW:V1.04 SW:V1.0.1.0  
  
> -- Yan  
  
--igor  
  
------------------------------------------------------------------------------  
  
Date: Wed, 10 Mar 1999 23:20:25 -0700  
From: Dax Kelson <dkelson@INCONNECT.COM>  
To: BUGTRAQ@netspace.org  
Subject: Re: Default password in Bay Networks switches.  
  
On Wed, 10 Mar 1999, Dax Kelson wrote:  
  
> The Bay Networks case number for this bug/oversight is: 990310-614  
>  
> Normally "backdoor" passwords on Bay gear only work through the console.  
  
Sorry, should have included this in the first email.  
  
Regardless of the existence of backdoors (not to say they aren't evil) it  
is a good idea to limit who can connect to your equipment over the  
network. These BayStack switches have a "TELNET Configuration..." menu  
where you can turn off telnet access and/or limit the IP addresses who are  
allowed to telnet in. While you're there you should secure your SNMP,  
which is another item commonly left wide open (any networking equipment,  
not just Bay).  
  
Many networking devices don't have the ability to restrict who can connect  
to them. Even if the device does have the ability, it is often useful to  
take care of securing all networking devices at once. One way to do this  
is to allocate a separate IP network for your network devices. This would  
mean two IP networks on your physical network, your "main" IP network, and  
the small "management" IP network. At the gateway (eg a secondary IP on a  
cisco's ethernet interface) into your management network you configure  
ACLs to securely control connections to your devices. Of course if the  
gateway goes down you suddenly can't remotely admin any of the protected  
devices, a good reason to have an out-of-band management system in place.  
  
Comments?  
  
Dax Kelson  
Internet Connect, Inc.  
  
------------------------------------------------------------------------------  
  
Date: Fri, 12 Mar 1999 12:37:56 +0100  
From: Rolf Obrecht <obrecht@IEM.RWTH-AACHEN.DE>  
To: BUGTRAQ@netspace.org  
Subject: Re: Default password in Bay Networks switches.  
  
Also works on  
  
BayStack 350T HW:RevC FW:V1.01 SW:V1.03 (16port)  
  
Rolf  
  
---  
Rolf Obrecht RWTH Aachen  
Tel. +49 241 807646 Institut fuer Elektrische Maschinen  
Fax +49 241 8888270 Schinkelstrasse 4, D-52056 Aachen  
  
"The day is 24 hours long, but varies in width."  
  