
l0pht.00-05-09.7180backdoor

Posted May 9, 2000
Authored by oblivion | Site l0pht.com

l0pht Security Advisory - NetStructure 7180 remote backdoor vulnerability. The NetStructure 7180 can be compromised via the admin console even after the admin password has been changed. Root access can be obtained via the Internet when used in a poorly configured or default configuration. Additionally, web based management authentication is done in the clear.

tags | remote, web, root
SHA-256 | 4854fb06112b66ca72941157560b7a842a404d0f516aea9f03dae226f42d97c8




@Stake Inc.
L0pht Research Labs
www.atstake.com www.L0pht.com

Security Advisory


Advisory Name: NetStructure 7180 remote backdoor vulnerability

Release Date: May 8th, 2000
Application: Intel NetStructure 7180 (previously the Ipivot
Commerce Accelerator 8000)
Severity: Compromise from a remote network is possible.
Compromise from the local serial console port is a
shoo-in. Root access is attainable through either avenue.
Status: Vendor Contacted, publicly released.

Full Advisory: http://www.l0pht.com/advisories/ipivot7180.html

Author: oblivion@atstake.com
Thanks: dildog@atstake.com




Overview:
---------


The NetStructure 7180 can be compromised via the admin console
even after the admin password has been changed. Root access can be
obtained via the Internet when used in a poorly configured or default
configuration. Additionally, web based management authentication is
done in the clear.


The NetStructure 7180 has two undocumented accounts, servnow and
root, each with a password generated from the MAC address of the primary
interface. By default, the NetStructure 7180 has an SNMP daemon running
with a default community string of 'public'. Through this service one
can determine the local MAC address without being on the local network
segment. These accounts are afforded administrative access to the system,
session keys, private certificates, a network sniffer, and other
utilities. Through the use of the proof of concept code referenced
below, one can log in and change the passwords to these accounts
thereby eliminating the backdoors.


Description:
------------


The NetStructure 7180 was originally a product of Ipivot, and
named the Ipivot Commerce Director 8000. The oversight affects
NetStructure 7180 as shipped in April 2000.


-The administrator password is overridden by an undocumented servnow
and root password.

-The root and servnow passwords are derived from the primary ethernet
MAC address of the NetStructure 7180.

-By SNMPwalk'ing the NetStructure 7180, one can obtain the MAC address.

-The method to change the root or servnow password is undocumented.


This leaves every NetStructure 7180 with an undocumented backdoor
that can be accessed through the console port, giving an unauthorized
user root privileges on the box. In the case of a poorly configured
unit, or a unit left in the default management configuration, one can
access the system over the Internet. A few data points make this problem
particularly disturbing:


. The NetStructure 7180 is the device converting https
(encrypted) to http (unencrypted).

. The web based management is done in the clear (which
is confusing to find in a device designed to handle
encrypted communications).

. Network sniffing utilities are installed on the Ipivot
by default.

. Configuration over telnet is preferred in the user
documentation.

. The secret material that the password is derived from
is the ethernet address of the public interface.

. An SNMP daemon is part of the default configuration with
a community string of 'public'.

. The administration client can be easily obtained and
reconstituted into completely readable and recompilable
code using publicly available tools and methods.


Recommended fix:
----------------

1. Change the admin password after the first login.

2. Log in to the Ipivot as root, after obtaining the password from the
Ipivot password generator.

3. After logging in, change the root password by issuing a 'passwd' at
the command prompt. Choose a strong password and do not forget it,
as Intel Service personnel no longer have a way to remotely service
the box.

4. Next issue a 'passwd servnow' at the command prompt to change the
servnow account. Again, choose a strong password and do not forget
it.

5. Try to refrain from configuring the system outside of the cli and
web based management interfaces. Doing so may break things and
completely void your warranty, above and beyond what you may have
already performed by closing these backdoors.



Involved solution:
------------------

Aside from changing the passwords, you may want to shut down
functionality of the Ipivot that is not being used. These steps were
not highlighted in the documentation we were supplied.


- turn off CLI telnet access.

enter: config sys security custom telnet disable

- turn off SNMP if you do not need the statistics.

enter: config sys security custom snmp disable

- If you would like SNMP, lock down SNMP reads and traps to the
specific IPs of logging hosts or administration machines.

enter: config sys snmp community create mib_name ip xxx.xxx.xxx.xxx rights ro

enter: config sys snmp trap create xxx.xxx.xxx.xxx community community_string

- turn off GUI access unless absolutely needed.

enter: config sys security custom gui disable

- If you decide to use the GUI, change the management port
to something other than the default of 1095.

enter: config admin port xxxx

- turn on Access Control Lists (ACL) and restrict management
functionality to either your IP:

enter: config sys security custom access-control enabled

enter: config sys security custom acl add ip xxx.xxx.xxx.xxx

or for a subnet entirely under your control:

enter: config sys security custom acl add netmask xxx.xxx.xxx.xxx/x
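
The lockdown steps above as one validated command list, in Python. This is an added example, not code from the advisory or from Intel; it emits only the CLI lines quoted above. The function name, its parameters, the /16 prefix floor and the sample addresses in the usage are assumptions made for illustration.

```python
import ipaddress

DEFAULT_GUI_PORT = 1095   # default management port named in the advisory
MIN_PREFIX = 16           # assumed local policy: refuse ACL subnets wider than /16


def hardening_commands(mgmt_hosts=(), mgmt_subnets=(), snmp=None, gui_port=None):
    """Build the advisory's CLI lines for one management profile.

    snmp: None disables SNMP; otherwise a dict supplying the advisory's
          placeholders: mib_name, reader_ip, trap_ip, community.
    gui_port: None disables the GUI; otherwise the new management port.
    """
    if not mgmt_hosts and not mgmt_subnets:
        raise ValueError("ACL needs at least one management host or subnet")
    cmds = ["config sys security custom telnet disable"]

    if snmp is None:
        cmds.append("config sys security custom snmp disable")
    else:
        # The advisory does not say what mib_name stands for, so the default
        # community string is refused in either placeholder.
        if "public" in (snmp["mib_name"], snmp["community"]):
            raise ValueError("default community string 'public' is not allowed")
        reader = ipaddress.IPv4Address(snmp["reader_ip"])   # raises on bad input
        trap = ipaddress.IPv4Address(snmp["trap_ip"])
        cmds.append(f"config sys snmp community create {snmp['mib_name']} "
                    f"ip {reader} rights ro")
        cmds.append(f"config sys snmp trap create {trap} "
                    f"community {snmp['community']}")

    if gui_port is None:
        cmds.append("config sys security custom gui disable")
    else:
        if gui_port == DEFAULT_GUI_PORT or not 1 <= gui_port <= 65535:
            raise ValueError("pick a valid management port other than 1095")
        cmds.append(f"config admin port {gui_port}")

    cmds.append("config sys security custom access-control enabled")
    for host in mgmt_hosts:
        cmds.append(f"config sys security custom acl add ip {ipaddress.IPv4Address(host)}")
    for net in mgmt_subnets:
        subnet = ipaddress.IPv4Network(net, strict=True)    # rejects host bits set
        if subnet.prefixlen < MIN_PREFIX:
            raise ValueError(f"{subnet} is wider than /{MIN_PREFIX}")
        cmds.append(f"config sys security custom acl add netmask {subnet}")
    return cmds
```

Calling `hardening_commands(mgmt_hosts=["192.0.2.10"])` returns the most restrictive profile: telnet, SNMP and GUI disabled, and the ACL limited to that one constructed address.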


Vendor Response:
----------------


As a result of this advisory Intel has:

1. Set up a security-info mail account, where one previously
did not exist, through which one can notify Intel of
security issues in their product.

2. Provided patches for all customers at the following URL:
http://216.188.41.136 or through an 800 number for customers
with maintenance agreements.

Although we were surprised that Intel had no central mechanism to
handle security reports on their product lines, we applaud them
for creating such a service and encourage other manufacturers to
follow suit.


Intel's email response:


>
> --------------------------------------------
> 7180 Vendor Comments
>
> Intel Corporation takes all comments and publications about the
> security of our equipment seriously. The solutions offered in the
> security alert highlight many of the security recommendations already
> present in the user documentation. In addition, Intel has proactively
> produced an 'update' which will do the following:
>
>
> Overview
>
> This update allows a customer to set the super user (root) password
> and restrict access to the servnow account without assistance from
> customer service. Logging in as super user allows unrestricted access
> to the unit and must be strictly controlled.
>
> Applicability
>
> This update is applicable to Intel NetStructure 7180 systems running
> software version 2.2.x or 2.3.x. The update may also be installed on
> IPivot 8000 systems running software version 2.2.x or 2.3.x.
>
> Availability
>
> The update and documentation are available at the following location:
> http://216.188.41.136. In addition, information requests can be sent
> to security-info@ned.intel.com.
>
>



Proof of concept tools:
-----------------------

We will make the proof of concept tools available 5-15-2000 to
independently verify and address the problem.


PalmOS prc and unix source available at:
http://www.l0pht.com/advisories/ipivot.tar.gz