Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Network Appliances :: 3com3.htm

3Com's Software for HiperARC passwordless adm logon



Vulnerability

    3COM's software for HiperARC

Affected

    Systems using 3COM's software for HiperARC

Description

    Entropy found following.  The software that 3com has developed for
    running the  HiperARC is  a bit  shady.   You will  notice a login
    account called  "adm" with  no password.   Naturally no  one wants
    the "adm" login there, so  they delete it from the  configuration,
    and go on programming the box.   Once the box has been  programmed
    and is ready to take calls, it is necessary to save all  settings,
    and  hardware  reset  the  box,  at  this  point  the box is fully
    configured, and  ready to  take calls.   The problem  is this, the
    "adm"  login  requiring  no  password,  is  still  there after the
    hardware reset!!!  It cannot be deleted!

    The admin that programmed  the box has no  reason to go back  into
    the configuration after doing  the hardware reset, he  has already
    gone over and double checked  his settings, they all looked  good,
    and hardware reset has gone into action as the last step.., he has
    no clue that the "adm" he has deleted is still there, and active.

Solution

    In order to stop the "adm"  login one can only dis-able the  "adm"
    login, not delete  it....this is the  only way to  stop the login.
    The 'adm' user is no different  than the manage user on the  older
    Netserver  product.   Both  are  clearly  described in the release
    notes that they  come with no  password set.   This information is
    posted on the Totalservice along with the 4.1.11 code:

        ftp://totalservice.usr.com/pub/.docs/config.txt

    The difference on the  newer HARC cards is  that you can add  more
    manage users and  disable the adm  if so desired.   The fact  that
    people don't read documentation when they install new software  is
    the cause of  this problem.   The latest release  of code 4.1.72-7
    (located on the Totalservice web  site) has the ability to  delete
    the "adm" user and it will not come back after a reboot.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH