@Stake Inc.
L0pht Research Labs

www.atstake.com
www.L0pht.com

Security Advisory

Advisory Name: NetStructure 7180 remote backdoor vulnerability
Release Date: May 8th, 2000
Application: Intel NetStructure 7180 (previously the Ipivot Commerce Accelerator 8000)
Severity: Compromise from a remote network is possible. Compromise from the local serial console port is a shoo-in. Root access is attainable through either avenue.
Status: Vendor Contacted, publicly released.
Full Advisory: http://www.l0pht.com/advisories/ipivot7180.html
Author: oblivion@atstake.com
Thanks: dildog@atstake.com

Overview:
---------

The NetStructure 7180 can be compromised via the admin console even after the admin password has been changed. Root access can be obtained via the Internet when used in a poorly configured or default configuration. Additionally, web based management authentication is done in the clear.

The NetStructure 7180 has two undocumented accounts, servnow and root, each with a password generated from the MAC address of the primary interface. By default, the NetStructure 7180 has an SNMP daemon running with a default community string of 'public'. Through this service one can determine the local MAC address without being on the local network segment.

These accounts are afforded administrative access to the system, session keys, private certificates, a network sniffer, and other utilities. Through the use of the proof of concept code referenced below, one can log in and change the passwords to these accounts, thereby eliminating the backdoors.

Description:
------------

The NetStructure 7180 was originally a product of Ipivot, and named the Ipivot Commerce Director 8000. The oversight affects NetStructure 7180 as shipped in April 2000.

-The administrator password is overridden by an undocumented servnow and root password.
-The root and servnow passwords are derived from the primary ethernet MAC address of the NetStructure 7180.
-By SNMPwalk'ing the NetStructure 7180, one can obtain the MAC address.
-The method to change the root or servnow password is undocumented.

This leaves all NetStructure 7180's with an undocumented backdoor which can be accessed through the console port, gaining the unauthorized user root privileges on the box. In the case of a poorly configured unit, or a unit left in the default management configuration, one can access the system over the Internet.

A few data points make this problem particularly disturbing:

. The NetStructure 7180 is the device converting https (encrypted) to http (unencrypted).
. The web based management is done in the clear (which is confusing to find in a device designed to handle encrypted communications.)
. Network sniffing utilities are installed on the Ipivot by default.
. Configuration over telnet is preferred in the user documentation.
. The secret material that the password is derived from is the ethernet address of the public interface.
. An SNMP daemon is part of the default configuration with a community string of 'public'.
. The administration client can be easily obtained and reconstituted into completely readable and recompileable code using publicly available tools and methods.

Recommended fix:
----------------

1. Change the admin password after the first login.
2. Login to the Ipivot as root, after obtaining the password from the Ipivot password generator.
3. After logging in, change the root password by issuing a 'passwd' at the command prompt. Choose a strong password and do not forget it, as Intel Service personnel no longer have a way to remotely service the box.
4. Next issue a 'passwd servnow' at the command prompt to change the servnow account. Again, choose a strong password and do not forget it.
5. Try to refrain from configuring the system outside of the cli and web based management interfaces.
   Doing so may break things and completely void your warranty, above and beyond what you may have already performed by closing these backdoors.

Involved solution:
------------------

Aside from changing the passwords, you may want to shut down certain functionality of the Ipivot if it is not being used. In the documentation we were supplied, these steps were not highlighted.

- turn off CLI telnet access.
  enter: config sys security custom telnet disable

- turn off SNMP if you do not need the statistics.
  enter: config sys security custom snmp disable

- If you would like SNMP, lock down SNMP reads and traps to the specific IP's of logging hosts or administration machines.
  enter: config sys snmp community create mib_name ip xxx.xxx.xxx.xxx rights ro
  enter: config sys snmp trap create xxx.xxx.xxx.xxx community community_string

- turn off GUI access unless absolutely needed.
  enter: config sys security custom gui disable

- If you decide to use the gui, change the management to something other than the default of port 1095.
  enter: config admin port xxxx

- turn on Access Control Lists (ACL) and restrict management functionality to either your IP.
  enter: config sys security custom access-control enabled
  enter: config sys security custom acl add ip xxx.xxx.xxx.xxx
  or for a subnet entirely under your control.
  enter: config sys security custom acl add netmask xxx.xxx.xxx.xxx/x

Vendor Response:
----------------

As a result of this advisory Intel has:

1. Set up a security-info mail account through which one can notify Intel of security issues on their product, where one previously did not exist.
2. Provided patches for all customers at the following URL: http://216.188.41.136 or through an 800 number for customers with maintenance agreements.

Although we were surprised that Intel had no central mechanism to handle security reports on their product lines, we applaud them in creating such a service and encourage other manufacturers to follow suit.
Intel's email response:

>
> --------------------------------------------
> 7180 Vendor Comments
>
> Intel Corporation takes all comments and publications about the
> security of our equipment seriously. The solutions offered in the
> security alert highlight many of the security recommendations already
> present in the user documentation. In addition, Intel has proactively
> produced an 'update' which will do the following:
>
>
> Overview
>
> This update allows a customer to set the super user (root) password
> and restrict access to the servnow account without assistance from
> customer service. Logging in as super user allows unrestricted access
> to the unit and must be strictly controlled.
>
> Applicability
>
> This update is applicable to Intel NetStructure 7180 systems running
> software version 2.2.x or 2.3.x. The update may also be installed on
> IPivot 8000 systems running software version 2.2.x or 2.3.x.
>
> Availability
>
> The update and documentation are available at the following location:
> http://216.188.41.136. In addition, information requests can be sent
> to security-info@ned.intel.com.
>
>

Proof of concept tools:
-----------------------

We will make the proof of concept tools available 5-15-2000 to independently verify and address the problem.

PalmOS prc and unix source available at:
http://www.l0pht.com/advisories/ipivot.tar.gz
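
Added example (not part of the original advisory or its proof of concept tools): a Python check that reads a change log of CLI commands, written the way the "Involved solution" section writes them, and reports which hardening steps are still missing. The change-log input, the function name and the sample addresses are assumptions made for illustration; the advisory does not describe a device export format.

```python
import re

DEFAULT_GUI_PORT = 1095  # default management port named in the advisory
CUSTOM = "config sys security custom "

def audit(commands):
    """Return findings for hardening steps missing from a CLI change log.

    Assumption: `commands` holds the lines an operator entered, written the
    way the advisory writes them; this is not a device export format.
    """
    cmds = [" ".join(c.lower().split()) for c in commands if c.strip()]
    findings = []

    if CUSTOM + "telnet disable" not in cmds:
        findings.append("telnet: CLI telnet access still enabled")

    if CUSTOM + "snmp disable" not in cmds:
        # SNMP kept on: expect a read-only community tied to one IP.
        locked = any(re.fullmatch(
            r"config sys snmp community create \S+ ip \S+ rights ro", c)
            for c in cmds)
        if not locked:
            findings.append("snmp: enabled without an IP-restricted read-only community")

    if CUSTOM + "gui disable" not in cmds:
        # GUI kept on: expect the management port moved off the default.
        ports = [int(m.group(1)) for c in cmds
                 if (m := re.fullmatch(r"config admin port (\d+)", c))]
        if not ports or ports[-1] == DEFAULT_GUI_PORT:
            findings.append("gui: enabled on default port 1095")

    acl_on = CUSTOM + "access-control enabled" in cmds
    acl_entry = any(c.startswith(CUSTOM + "acl add ip ")
                    or c.startswith(CUSTOM + "acl add netmask ") for c in cmds)
    if not (acl_on and acl_entry):
        findings.append("acl: access control not enabled with an allowed address")
    return findings

# Constructed change log (documentation addresses, not from the advisory).
SAMPLE_LOG = [
    "config sys security custom telnet disable",
    "config sys snmp community create stats ip 192.0.2.10 rights ro",
    "config admin port 1095",
    "config sys security custom access-control enabled",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

The check covers only the management-surface steps; it says nothing about whether the root and servnow passwords were changed, which has to be verified on the unit itself.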