-
February 11th, 2002, 08:57 AM
#1
Vulnerability: HP AdvanceStack Switch Authentication Bypass
It has been reported that authentication for HP J3210A 10Base-T Switching Hubs may be bypassed by an unprivileged user who accesses one of the administrative web pages directly.
The attacker may allegedly change the superuser password of the device via this interface and gain access to the administrative facilities of the device.
HP AdvanceStack 10Base-T Switching Hubs combine 10Base-T functionality with the performance of switching.
Exploit: The following example was provided:
http://host/security/web_access.html
Remote: Yes
-
February 11th, 2002, 10:07 AM
#2
As far as I know, this product is obsolete.... They have a new range of ProCurve products with high security ... anyway,
I work with HP in Jordan, and emailed one of the HP Networking consultants in Europe. Once he answers me I'll get back to you.
When the power of Love overcomes the Love of power, the world will know peace... Jimi Hendrix
-------------------------------------------------------------
I dream of giving birth to a child who will ask...... what was war?
-
February 11th, 2002, 10:16 AM
#3
Even if a company regards their product as obsolete, it does not mean that they are not out there...
There are many systems which would still use an 'obsolete' product, a primary example being data entry systems... they do not require high throughput on the data..
If you looked, I'm certain one could find networks which are still using this product, and as such the vulnerability is still good to know about....
-Matty_Cross
"Isn't sanity just a one trick pony anyway? I mean, all you get is one trick. Rational Thinking.
But when you're good and crazy, hehe, the skies the limit!!"
-
February 11th, 2002, 02:16 PM
#4
makes you wonder about all the other switches out there.
Trappedagainbyperfectlogic.
-
February 12th, 2002, 12:08 PM
#5
I will research our sources with your query to see if there is anything known. Could you please provide me with exact details of the exploit as reported by your friend?
The URL mentioned in your original post is most likely local. If you have any screenshots or step-by-step process of the hack, I would be most grateful.
Awaiting your reply,
When the power of Love overcomes the Love of power, the world will know peace... Jimi Hendrix
-------------------------------------------------------------
I dream of giving birth to a child who will ask...... what was war?
-
February 12th, 2002, 03:48 PM
#6
Hello again s0nIc,
I have the answer for you from our ProCurve Networking Department.
---------------------------------------------------------------------------------------------------------------
I found the exploit discussed in a newsgroup called bugtraq (see below) and
after testing it here it became clear what's going on. A user who is
configured for Read Only Access can obtain access to
http://host/security/web_access.html (host is the IP address of the hub) and
then compromise the Read-Write Access.
As far as my testing allowed, only a pre-configured Read Only user can
actually pull this trick. I will keep on playing with this issue and request
the lab's assistance.
Thanks for bringing this to our attention.
Take care,
HP ProCurve Networking
Here follows the bugtraq posting
========================================
From: Tamer Sahin (ts@securityoffice.net)
Subject: Hewlett Packard AdvanceStack Switch Managment Authentication Bypass Vulnerability
Newsgroups: bugtraq
Date: 2002-02-08 19:01:40 PST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hewlett Packard AdvanceStack Switch Managment Authentication Bypass
Vulnerability
Type:
Access Validation Error
Release Date:
February 8, 2002
Product / Vendor:
HP AdvanceStack 10Base-T Switching Hubs combine economical 10Base-T
functionality with the performance of switching. Each switching hub
starts out as a simple, single-segment, shared 10Base-T hub.
http://www.hp.com
Summary:
A problem with the HP switch allows some users to change
configuration of the switch. A bug introduced in the HP AdvanceStack
J3210A that could allow users full access on the switch. Upon taking
advantage of this vulnerability, the user could change the
configuration of the switch and could change admin password.
Therefore, it is possible for a superuser password changing with
unprivileged access on the switch to gain elevated privileges, and
potentially change configuration of the switch.
Exploit:
An attacker can get unauthorized access to the switch read/write
password change page this page http://host/security/web_access.html
and change superuser password. Connect superuser privileged via Web
or Telnet.
Tested:
HP J3210A AdvanceStack
Vulnerable:
HP J3210A AdvanceStack
Disclaimer:
http://www.securityoffice.net is not responsible for the misuse or
illegal use of any of the information and/or the software listed on
this security advisory.
Author:
Tamer Sahin
ts@securityoffice.net
http://www.securityoffice.net
Tamer Sahin
http://www.securityoffice.net
PGP Key ID: 0x2B5EDCB0
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQA/AwUBPGOBeruLpFMrXtywEQKW3wCgqbksI86Ux1LfIDwmI7jyq3jX3JgAoPAB
lOcQNvFblLfg5xdxVm405wto
=d4o/
-----END PGP SIGNATURE-----
When the power of Love overcomes the Love of power, the world will know peace... Jimi Hendrix
-------------------------------------------------------------
I dream of giving birth to a child who will ask...... what was war?
-
February 14th, 2002, 10:17 AM
#7
hp switch
hello again,
The issue with the J3210A seems to have been addressed already, but was not
published yet. There are two workarounds, the procedure follows below. You
either disable web access, or the IP address.
WORKAROUND PROCEDURES (Use only one.)
1) DISABLE WEB ACCESS USING TELNET OR RS-232 INTERFACE
A) Telnet or console into switch
B) Type "me" for menu
C) Hit "7" for Connection Configuration
D) Hit "2" for Enable/Disable Web Access
2) REMOVE THE MANAGEMENT IP ADDRESS
A) Telnet or console into switch
B) Type "me" for menu
C) Hit "2" for IP/IPX Configuration
D) Hit "1" for Set IP Configuration
E) Hit "Y" to Change the IP configuration
F) Choose appropriate segment
G) Choose "D" to Disable
(Repeat F & G for each IP assigned-segment if necessary.)
WARNING! Disabling IP while connected via telnet will disconnect your
session
As this answers your question, I will close this case on our end.
Take care,
HP ProCurve Networking
When the power of Love overcomes the Love of power, the world will know peace... Jimi Hendrix
-------------------------------------------------------------
I dream of giving birth to a child who will ask...... what was war?
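Where neither workaround can be applied to a hub right away, requests for the page named in the advisory can be watched for at a proxy or network sensor. The following is an added example, not part of the thread or of HP's guidance; the log layout, the admin subnet and the sample lines are constructed assumptions.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Assumptions (not from the thread): admin subnet and log layout.
ADMIN_NETS = [ipaddress.ip_network("10.0.99.0/24")]
SENSITIVE_PATH = "/security/web_access.html"  # path given in the advisory

# Constructed sample: "<time> <client-ip> <hub-ip> <method> <uri> <status>"
SAMPLE_LOG = """\
2002-02-11T09:00:01 10.0.99.5 10.0.1.2 GET /security/web_access.html 200
2002-02-11T09:02:17 10.0.20.44 10.0.1.2 GET /security/web_access.html 200
2002-02-11T09:02:40 10.0.20.44 10.0.1.2 POST /security/%77eb_access.html?x=1 200
2002-02-11T09:03:05 10.0.20.51 10.0.1.2 GET /Security//./web_access.html 404
2002-02-11T09:04:00 10.0.20.51 10.0.1.2 GET /index.html 200
"""

def normalize(uri):
    """Canonical lower-case path: drop query/fragment, decode %xx, fold // and /./."""
    path = unquote(uri.split("?", 1)[0].split("#", 1)[0])
    # Case is folded so that detection over-matches rather than misses.
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def in_admin_net(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable source address is never trusted
    return any(addr in net for net in ADMIN_NETS)

def find_suspect_requests(log_text):
    """Return (time, client, method, status) for requests to the password
    page that did not originate from an admin subnet."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines instead of failing
        ts, client, _hub, method, uri, status = parts
        if normalize(uri) == SENSITIVE_PATH and not in_admin_net(client):
            hits.append((ts, client, method, status))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print("review:", *hit)
```

A hit with a 2xx status against a hub where workaround 1 was supposedly applied also shows that web access is still enabled on that device.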