Vulnerability: HP AdvanceStack Switch Authentication Bypass

  1. #1
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584

    Vulnerability: HP AdvanceStack Switch Authentication Bypass

    It has been reported that authentication for HP J3210A 10Base-T Switching Hubs may be bypassed by an unprivileged user who accesses one of the administrative web pages directly.


    The attacker may allegedly change the superuser password of the device via this interface and gain access to the administrative facilities of the device.

    HP AdvanceStack 10Base-T Switching Hubs combine 10Base-T functionality with the performance of switching.

    Exploit: The following example was provided:
    http://host/security/web_access.html

    Remote: Yes

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    458

    As far as I know, this product is obsolete... they have a new range of ProCurve products with high security... anyway,
    I work with HP in Jordan, and emailed one of the HP Networking consultants in Europe. Once he answers me I'll get back to you.
    When the power of Love overcomes the Love of power, the world will know peace... Jimi Hendrix
    -------------------------------------------------------------
    I dream of giving birth to a child who will ask...... what was war?

  3. #3
    Senior Member
    Join Date
    Sep 2001
    Posts
    831
    Even if company regards their product as obsolete, it does not mean that they are not out there...

    There are many systems which would still use an 'obsolete' product, a primary example being data entry systems... they do not require high throughput on the data..

    If you looked, I'm certain one could find networks which are still using this product, and as such the vulnerability is still good to know about....
    -Matty_Cross
    "Isn't sanity just a one trick pony anyway? I mean, all you get is one trick. Rational Thinking.
    But when you're good and crazy, hehe, the skies the limit!!"

  4. #4
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    makes you wonder about all the other switches out there.
    Trappedagainbyperfectlogic.

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    458

    I will research our sources with your query to see if there is anything
    known. Could you please provide me with exact details of the exploit as
    reported by your friend?
    The URL mentioned in your original post is most
    likely local. If you have any screenshots or step by step process of the
    hack, I would be most grateful.

    Awaiting your reply,
    When the power of Love overcomes the Love of power, the world will know peace... Jimi Hendrix
    -------------------------------------------------------------
    I dream of giving birth to a child who will ask...... what was war?

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    458

    Hello again s0nIc,

    I have the answer for you from our ProCurve Networking Department.
    ---------------------------------------------------------------------------------------------------------------
    I found the exploit discussed in a newsgroup called bugtraq (see below) and
    after testing it here it became clear what's going on. A user who is
    configured for Read Only Access can obtain access to
    http://host/security/web_access.html (host is the IP address of the hub) and
    then compromise the Read-Write Access.

    As far as my testing allowed, only a pre-configured Read Only user can
    actually pull this trick. I will keep on playing with this issue and request
    the lab's assistance.

    Thanks for bringing this to our attention.

    Take care,

    HP ProCurve Networking


    Here follows the bugtraq posting
    ========================================

    From: Tamer Sahin (ts@securityoffice.net)
    Subject: Hewlett Packard AdvanceStack Switch Managment Authentication
    Bypass Vulnerability
    Newsgroups: bugtraq
    Date: 2002-02-08 19:01:40 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hewlett Packard AdvanceStack Switch Managment Authentication Bypass
    Vulnerability

    Type:
    Access Validation Error

    Release Date:
    February 8, 2002

    Product / Vendor:
    HP AdvanceStack 10Base-T Switching Hubs combine economical 10Base-T
    functionality with the performance of switching. Each switching hub
    starts out as a simple, single-segment, shared 10Base-T hub.

    http://www.hp.com

    Summary:
    A problem with the HP switch allows some users to change
    configuration of the switch. A bug introduced in the HP AdvanceStack
    J3210A that could allow users full access on the switch. Upon taking
    advantage of this vulnerability, the user could change the
    configuration of the switch and could change admin password.

    Therefore, it is possible for a superuser password changing with
    unprivileged access on the switch to gain elevated privileges, and
    potentially change configuration of the switch.

    Exploit:
    An attacker can get unauthorized access to the switch read/write
    password change page this page http://host/security/web_access.html
    and change superuser password. Connect superuser privileged via Web
    or Telnet.

    Tested:
    HP J3210A AdvanceStack

    Vulnerable:
    HP J3210A AdvanceStack

    Disclaimer:
    http://www.securityoffice.net is not responsible for the misuse or
    illegal use of any of the information and/or the software listed on
    this security advisory.

    Author:
    Tamer Sahin
    ts@securityoffice.net
    http://www.securityoffice.net

    Tamer Sahin
    http://www.securityoffice.net
    PGP Key ID: 0x2B5EDCB0

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1

    iQA/AwUBPGOBeruLpFMrXtywEQKW3wCgqbksI86Ux1LfIDwmI7jyq3jX3JgAoPAB
    lOcQNvFblLfg5xdxVm405wto
    =d4o/
    -----END PGP SIGNATURE-----
    When the power of Love overcomes the Love of power, the world will know peace... Jimi Hendrix
    -------------------------------------------------------------
    I dream of giving birth to a child who will ask...... what was war?

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    458

    hp switch

    hello again,

    The issue with the J3210A seems to have been addressed already, but was not
    published yet. There are two workarounds, the procedure follows below. You
    either disable web access, or the IP address.

    WORKAROUND PROCEDURES (Use only one.)
    1) DISABLE WEB ACCESS USING TELNET OR RS-232 INTERFACE
    A) Telnet or console into switch
    B) Type "me" for menu
    C) Hit "7" for Connection Configuration
    D) Hit "2" for Enable/Disable Web Access


    2) REMOVE THE MANAGEMENT IP ADDRESS
    A) Telnet or console into switch
    B) Type "me" for menu
    C) Hit "2" for IP/IPX Configuration
    D) Hit "1" for Set IP Configuration
    E) Hit "Y" to Change the IP configuration
    F) Choose appropriate segment
    G) Choose "D" to Disable
    (Repeat F & G for each IP assigned-segment if necessary.)
    WARNING! Disabling IP while connected via telnet will disconnect your
    session

    As this answers your question, I will close this case on our end.

    Take care,


    HP ProCurve Networking
    When the power of Love overcomes the Love of power, the world will know peace... Jimi Hendrix
    -------------------------------------------------------------
    I dream of giving birth to a child who will ask...... what was war?
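
The access-validation error discussed in this thread (a Read Only user reaching the read/write password page by requesting it directly) can be modelled as follows. This is an added example, not part of the thread and not HP firmware code: the role model, function names and every path except `/security/web_access.html` are assumptions made for illustration.

```python
from enum import IntEnum

class Role(IntEnum):
    ANONYMOUS = 0
    READ_ONLY = 1
    READ_WRITE = 2

# Minimum role each page requires. Only /security/web_access.html comes from
# the thread; the other paths are constructed for this example.
REQUIRED_ROLE = {
    "/index.html": Role.READ_ONLY,
    "/status/ports.html": Role.READ_ONLY,
    "/security/web_access.html": Role.READ_WRITE,
}

def menu_links(role):
    """Pages shown in the navigation menu for this role."""
    return [p for p, need in REQUIRED_ROLE.items() if role >= need]

def serve_flawed(role, path):
    """Assumed flawed pattern: only checks that the user is logged in.
    The privileged page is hidden from the menu but served on direct request."""
    if role < Role.READ_ONLY:
        return 401
    return 200 if path in REQUIRED_ROLE else 404

def serve_hardened(role, path):
    """Checks every request against the page's own required role."""
    need = REQUIRED_ROLE.get(path)
    if need is None:
        return 404          # unknown pages are never served
    if role < Role.READ_ONLY:
        return 401          # not logged in
    if role < need:
        return 403          # logged in, but below the page's requirement
    return 200

def audit(serve):
    """List (role, path) pairs where a page is served below its required role."""
    return [(r.name, p) for r in Role for p, need in REQUIRED_ROLE.items()
            if r < need and serve(r, p) == 200]

if __name__ == "__main__":
    print("menu for READ_ONLY:", menu_links(Role.READ_ONLY))
    print("flawed   :", audit(serve_flawed))
    print("hardened :", audit(serve_hardened))
```

The `audit` helper is the useful part for a defender: run against any role-to-page table, it lists every page that is reachable below its intended privilege, whether or not the menu links to it.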
