Legal Disclaimer

"...For Dummies" is a registered trademark of Wiley Publishing, Inc. Wiley has not given authorization for this title, nor is it associated in any way with the Wiley (nee IDG Books, nee Hungry Minds) series "... for Dummies."

April 02, 2010

Cisco switch secret features

The cat's out of the bag, so to speak.

A while ago, I bought a Cisco/Linksys SRW2016 switch. It's a nice gigabit, managed, 16-port switch. I bought it for doing some silly things in the house like vlan tagging, and dealing with large amounts of traffic.

The switch can be managed via a serial port on the front, or by telnet or SSH. The switch runs VxWorks under the hood, on an ARM 946ET processor if I recall correctly. So it's fairly capable, and it could definitely run uClinux if someone were so inspired to port the kernel to it (the processor inside the switch lacks an MMU, so a 'normal' ARM variant of Linux would not run on it).

When you SSH to the device, you can hit Ctrl+Z. This suspends the normal menu-driven system and gives a shell prompt. From there, you can execute a few commands. 'lcli' gives an IOS-like command line. 'mcli' gives an SNMP trap and MIB editor (which is password protected; the passwords aren't published). 'debug' gives a very weird debugger, which allows you to poke at i2c (it's definitely not your father's process debugger, I don't really get it). 'debug' is also password-protected.

I managed to extract the passwords from my device. I did it by un-ROS'ing a firmware update I downloaded from Cisco. I stared at the binaries extracted from this and figured out that they were Lempel-Ziv compressed, so I decompressed them. I was then able to find the accounts for the switch stored in one of the binary files (no disassembly needed, I just searched for strings, so hopefully I am clear of any wrongdoing with respect to the EULA that came with the firmware).

I was a little shocked about a few things. First, the passwords are stored in plaintext on the switch. In fact, all of the switch passwords, including those of normal user accounts, seem to be stored in plaintext. Bad, Cisco. Very bad, especially when the switch is already running OpenSSL. How hard would it be to store hashes of passwords? Second, I'm surprised that these features were left in at all. It doesn't seem like they were intended. They look like developer cruft. Tracing the communication that occurs between chips on the switch is probably not something the average admin cares to do.
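To make the "how hard would it be" point concrete, here is what a password store that does not keep cleartext looks like. This is an added example, not code from the switch firmware or from Cisco; it uses only the Python standard library, and the PBKDF2 iteration count is an assumed value chosen with a small embedded CPU in mind (a server would use far more, or scrypt/Argon2). The sample accounts are constructed.

```python
"""Salted, iterated password storage instead of cleartext account records.
Added example for this post; not Cisco/Linksys firmware code."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters: modest iteration count for a small embedded CPU.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iter$salthex$hashhex'.

    A fresh random salt per account means two users with the same password
    get different records, so the store leaks nothing about shared passwords.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iter_str, salt_hex, hash_hex = record.split("$")
        iterations = int(iter_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def build_account_store(accounts: Dict[str, str]) -> Dict[str, str]:
    """Turn {username: cleartext} into {username: hash record}. This is the
    only moment the cleartext exists; it is not written anywhere."""
    return {user: hash_password(pw) for user, pw in accounts.items()}


def authenticate(store: Dict[str, str], user: str, password: str) -> bool:
    """Look up the user's record and verify it."""
    record = store.get(user)
    if record is None:
        # Do the same amount of work for unknown users so a timing difference
        # does not reveal which usernames exist.
        hash_password(password)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    # Constructed sample accounts (not real switch credentials).
    store = build_account_store({"admin": "correct horse", "ops": "correct horse"})
    print(store["admin"] != store["ops"])               # True: different salts
    print(authenticate(store, "admin", "correct horse"))  # True
    print(authenticate(store, "admin", "wrong"))          # False
```

The record carries its own algorithm name, iteration count and salt, so the store can be migrated to stronger parameters later by re-hashing on the next successful login, without ever needing the cleartext back.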

I posted the passwords for these special functions on the LCLI wiki. Note that you need an account to log in to the switch with, so these aren't security bypasses. They would probably allow the ambitious to do a thorough RE job on the switch, though, without having to invest in hardware like a Bus Pirate.

A bit late, but I'm curious how exactly you were able to decompress the .ros file. If you could throw me some insight to that, I would appreciate it.

Posted by: George Stipe on March 25, 2011 12:08 AM

Hi George -

The 'unros.pl' perl script is available here:

http://stuff.zoiah.net/doku.php?id=accton:unros.pl

That will extract the firmware as the first step. You'll then need to un-lzma the output file (7-Zip works nicely if you're on Windows; if you're on a *nix system there are probably lzma utilities available via your package manager).

Posted by: Reid on March 27, 2011 02:07 PM
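The second half of that procedure (decompress the LZMA payload, then look for strings, as the post says was all it took) can be shown end to end with the standard library. This is an added example, not unros.pl and not part of the original post; it does not parse the .ros container, which unros.pl handles, and the "firmware payload" it inspects is a constructed byte string, not data from a real image. The point for a defender is that a cleartext account record survives compression and a `strings`-style pass is enough to audit your own firmware for it.

```python
"""Decompress an LZMA-alone (.lzma) payload and pull printable strings out
of it, the way `unlzma` followed by `strings` would. Added example; the
sample image below is constructed, not taken from any real firmware."""
import lzma
import re
from typing import List

MIN_LEN = 4  # `strings` reports runs of at least 4 printable characters by default

# Constructed stand-in for a decompressed firmware blob: a few non-printable
# bytes around some ASCII, including a cleartext 'user:password' record.
SAMPLE_PLAINTEXT = (
    b"\x00\x01vxWorks\x00\x02ok\x03lcli\x00users:\x00admin:ExamplePass123\x00\xff\xfe"
)


def make_sample_image() -> bytes:
    """Produce the constructed 'firmware payload' in .lzma (LZMA-alone) format."""
    return lzma.compress(SAMPLE_PLAINTEXT, format=lzma.FORMAT_ALONE)


def decompress_payload(blob: bytes) -> bytes:
    """Decompress an .lzma or .xz blob; FORMAT_AUTO detects either container."""
    return lzma.decompress(blob, format=lzma.FORMAT_AUTO)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes, in order.
    Any non-printable byte (NUL, control characters, 0x7f, high bytes) ends a run."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def audit_for_cleartext_secrets(strings: List[str]) -> List[str]:
    """Flag strings that look like credential material. The indicator list is
    an assumption for this example; a real audit would use a fuller set."""
    indicators = ("pass", "pwd", "secret")
    return [s for s in strings if any(i in s.lower() for i in indicators)]


def inspect_image(blob: bytes) -> List[str]:
    """Whole pipeline: decompress, list strings, return the suspicious ones."""
    return audit_for_cleartext_secrets(extract_strings(decompress_payload(blob)))


if __name__ == "__main__":
    image = make_sample_image()
    print("compressed bytes:", len(image))
    for s in extract_strings(decompress_payload(image)):
        print("string:", s)
    print("flagged:", inspect_image(image))  # ['admin:ExamplePass123']
```

Run against a hashed store like the one described in the post's argument for hashing, the same pass would turn up only hex digests, which is the whole difference between the two designs.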
