Samsung SmartEther Authentication Failure Lets Remote Users Gain Administrative Access
|
|
SecurityTracker Alert ID: 1009947
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Apr 26 2004
|
Impact: User access via network
|
Exploit Included: Yes
|
Version(s): SS6215S
|
Description: A vulnerability was reported in Samsung SmartEther switches. A remote user can gain administrative access to the switch.
Kyle Duren reported that a remote user can connect to the target device via telnet or the console interface and gain administrative
access without having the proper 'admin' password. The remote user can reportedly type 'admin' for the username and any combination
of letters or numbers or other characters (!@#$%^&*) to fill up the password buffer and then press enter to gain access to the system.
The
report indicates that the SS6215S 16-port layer 2 managed switches are affected.
|
Impact: A remote user can gain administrative access on the target device.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.samsung.com/ (Links to External Site)
|
Cause: Authentication error
|
Reported By: Kyle Duren <acidrain_ask@pixitha.com>
|
Message History:
None.
|
Source Message Contents
|
Date: 26 Apr 2004 01:07:42 -0000
From: Kyle Duren <acidrain_ask@pixitha.com>
Subject: Samsung SmartEther SS6215S Switch
|
There is a vulnerability within the OS that this (and other) samsung
managed switches. The problem resides in the way that the admin user
is authenticated when trying to login using telnet (remote) or from
console (local). Now just so everyone who reads this knows, I am not
that up to date on all of these terms for this such thing.
Example:
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
Samsung Electronics Co., Ltd.
Enterprise Network Division
SmartEther Switch
login : admin
password: ****************
error: Password not matched.
password:
admin>
If you try to login as the "admin" user, and you do not have the
password, then all you need to do, is to type "admin" and then for the
password, use any combination of letters or numbers or !@#$%^&*, as
long as it fills up the entire "space" for the password it will work.
Then you hit enter again, after it tells you the password is incorrect.
You are now logged in. This works via telnet or via local
(hyperterminal). However this does not work, if you fill all of the
password space, and then delete one character.I have tried this on 2
SS6215S 16 port layer 2 managed switches and it works on both every
time.
This will not however let you "set" the admin password once you have
logged in. Example:
admin> passwd
old password : ****************
error: old password is not matched
admin>
If anyone has any other models of these switches or hubs I'd like to see
if this problem exists in other models.
Kyle Duren
|
|
