April 02, 2010

Cisco switch secret features

The cat's out of the bag, so to speak. A while ago, I bought a Cisco/Linksys SRW2016 switch. It's a nice gigabit, managed, 16-port switch. I bought it for doing some silly things in the house like VLAN tagging, and dealing with large amounts of traffic. The switch can be managed via a serial port on the front, or by Telnet or SSH. The switch runs VxWorks under the hood, and has an ARM 946ET processor if I recall correctly. So it's fairly capable, and it could definitely run uClinux if someone were so inspired to port the kernel to it (the processor inside the switch lacks an MMU, so running a 'normal' ARM variant of Linux would not work).

When you SSH to the device, you can hit Ctrl+Z. This suspends the normal menu-driven system and gives a shell prompt. From there, you can execute a few commands. 'lcli' gives an IOS-like command line. 'mcli' gives an SNMP trap and MIB editor (which is password protected; the passwords aren't published). 'debug' gives a very weird debugger, which allows you to poke at I2C (it's definitely not your father's process debugger, I don't really get it). 'debug' is also password-protected.

I managed to extract the passwords from my device. I did it by un-ROS'ing a firmware update I downloaded from Cisco. I stared at the binaries extracted from this and figured out that they were Lempel-Ziv compressed, so I decompressed them. I was then able to find the accounts for the switch stored in one of the binary files (no disassembly needed, I just searched for strings, so hopefully I am clear of any wrongdoing with respect to the EULA that came with the firmware).

I was a little shocked about a few things. First, the passwords are stored in plaintext on the switch. In fact, all of the switch passwords, including normal user accounts, seem to have their passwords stored in plaintext. Bad, Cisco. Very bad, especially when the switch is already running OpenSSL. How hard would it be to store hashes of passwords?
Second, I'm surprised that these features were left in at all. It doesn't seem like they were intended. They look like developer cruft. Tracking the communication that occurs between chips on the switch is probably not something the average admin cares to do. I posted the passwords for these special functions on the LCLI wiki. Note that you need an account to log in to the switch with, so these aren't security bypasses. They would probably allow the ambitious to do a thorough RE job on the switch, though, without having to invest in hardware like a Bus Pirate.
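To make the plaintext-versus-hashed point concrete, here is an added example (not code from the post or from the switch firmware) that builds a constructed credential store in the "user:password" style described above, shows that a plain printable-string search recovers the passwords from it, and then shows that the same search finds nothing once the store holds salted PBKDF2 hashes instead. The account names, passwords and record layout are made up for illustration.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# Constructed sample credential store in the style the post describes:
# "user:password" records sitting as printable strings inside a binary blob.
# Names and passwords below are made up for this example.
ACCOUNTS = {"admin": "sw1tchp@ss", "debug": "devcruft42"}
PLAINTEXT_STORE = b"\x00\x7f\x01" + b"".join(
    f"{u}:{p}".encode() + b"\x00" for u, p in ACCOUNTS.items()
) + b"\xff\xfe"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; the record carries what is needed to verify."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def build_hashed_store(accounts: Dict[str, str]) -> bytes:
    """Same record layout as PLAINTEXT_STORE, but holding hashes, not passwords."""
    return b"".join(f"{u}:{hash_password(p)}".encode() + b"\x00"
                    for u, p in accounts.items())


def find_cleartext_secrets(blob: bytes, secrets: List[str]) -> List[str]:
    """The post's audit step: pull printable strings out of a blob and look for
    known passwords in them. Returns the passwords that appear in the clear."""
    strings = re.findall(rb"[\x20-\x7e]{4,}", blob)
    return [s for s in secrets if any(s.encode() in st for st in strings)]
```

Run `find_cleartext_secrets` against `PLAINTEXT_STORE` and against `build_hashed_store(ACCOUNTS)` to see the difference: the first returns both passwords, the second returns an empty list while `verify_password` still authenticates the right password.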
Posted by reid at 09:39 PM