From: Michael Mittelstadt [meek@EXECPC.COM]
Sent: Sunday, May 10, 1998 7:32 PM
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: 3Com switches - undocumented access level.

[Quoth Sasha Egan]
] Sorry about this, I forgot to mention it..
]
] To get the interview with the network tech at 3Com, I had to list myself
] as a primary contact...if you need any information from me:
] my phone number is (505) 861-4981
] My pager is (505) 875-8866
] just in case...

It might also be worth mentioning to 3Com that the enterprise MIB (at least for the Corebuilder 3500) contains the passwords and the SNMP keys for the box. If some poor sap sets their SNMP key to something guessable (like, oh, I dunno, 'public'), you can get the admin password and SNMP key with these:

    enterprises.synernetics.lanplex.lanplexSystemsMib.1.19.0 = "password"
    enterprises.synernetics.lanplex.lanplexSystemsMib.6.7.0 = "public"

I don't know what the wisdom of putting the password in the MIB is.

This is true with both software release 1.0 and 1.1 on the Corebuilder 3500. And since it's the synernetics enterprise MIB, it's my educated guess that this info is on other corebuilder and lanplex boxen.

With release 1.0 on the corebuilder, I also had the misfortune of being able to reboot the box by sending a lot of UDP traffic to its administrative port. Being paranoid, I ran netcat against it, wanting to know what ports it listened on. About 10 seconds later, it reboots. Rel 1.1 seems more robust.

IMHO, the Corebuilder 3500 just feels like a product that went out the door too fast to be early to market, without giving security or robustness enough of a thought.

--
Michael Mittelstadt
meek@execpc.com
VP - Internet Technologies
ExecPC Internet
http://www.execpc.com/~meek
1-800-ExecPC-1
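A defensive check for the exposure described in the message above, as an added example that is not part of the original post: it scans saved SNMP walk output from a device you administer for the two objects the message names and reports them with the values redacted. The function name, the `oid = "value"` line format (taken from the message's own listing), the guessable-community list and the sample walk are assumptions constructed for illustration.

```python
import re

# Objects named in the message, in the symbolic form it prints them.
SENSITIVE = {
    "enterprises.synernetics.lanplex.lanplexSystemsMib.1.19.0": "admin password",
    "enterprises.synernetics.lanplex.lanplexSystemsMib.6.7.0": "SNMP community",
}

# Assumed list of guessable community strings; extend it for your site.
GUESSABLE = {"public", "private"}

# Matches lines such as:  some.oid.0 = "value"  (optionally with a STRING: tag)
LINE = re.compile(r'^\s*(?P<oid>\S+)\s*=\s*(?:STRING:\s*)?"(?P<val>.*)"\s*$')


def audit_walk(text):
    """Return one finding per sensitive object that the walk exposes."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue
        label = SENSITIVE.get(m["oid"])
        if label is None or m["val"] == "":
            continue  # not a credential object, or nothing returned
        findings.append({
            "line": lineno,
            "oid": m["oid"],
            "exposes": label,
            # Only the community object is compared against the guessable list.
            "guessable_community": (label == "SNMP community"
                                    and m["val"].lower() in GUESSABLE),
            # Never copy the secret itself into the audit report.
            "value": "<redacted, %d chars>" % len(m["val"]),
        })
    return findings


# Constructed sample walk output (not captured from a real device).
SAMPLE_WALK = '''\
system.sysContact.0 = "noc"
enterprises.synernetics.lanplex.lanplexSystemsMib.1.19.0 = "password"
enterprises.synernetics.lanplex.lanplexSystemsMib.6.7.0 = "public"
'''

if __name__ == "__main__":
    for finding in audit_walk(SAMPLE_WALK):
        print(finding)
```

Any finding means the credentials should be rotated and SNMP access to the device restricted, since a reader of the community string can read the admin password as well.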