COMMAND

    Intel NetStructure

SYSTEMS AFFECTED

    Intel NetStructure 7110 (previously the Ipivot Commerce Accelerator 1000)

PROBLEM

    Following  is  based  on   L0pht  Research  Labs  Advisory.    The
    NetStructure 7110 can  be compromised via  the admin console  even
    after  the  admin  password  has  been  changed.   An undocumented
    command list  exists known  as 'wizard'  mode.   Through this mode
    there is a  password that overides  the admin password  and allows
    full access to the  internal components of the  NetStructure 7110.
    This  password  can  be  used  from  within the admin command line
    interface or  to overide  the admin  password at  an initial login
    prompt.

    This  undocumented  shell  password  is  derived  from the primary
    ethernet MAC address  of the NetStructure  7110.  During  the boot
    process and  before every  login, the  serial number  (the primary
    ethernet MAC  address), is  presented to  the user  on the console
    port.  Running the MAC address into our Ipivot password  generator
    will  supply  the  user  with  a  default  shell  password.    The
    mechanism to change this  shell password is undocumented  as well.
    The shell password  gains the console  operator root privleges  on
    the Ipivot with access to gdb, tcpdump, among other utilities  and
    xmodem to upload other tools.

    The NetStructure  7110, was  originally a  product of  Ipivot, and
    named the Ipivot Commerce Accelerator 1000.  The oversight affects
    NetStructure 7110 as shipped in April 2000.

        -The administrator password  is overridden by  an undocumented
         shell password.
        -The shell password is  derived from the primary  ethernet MAC
         address of the NetStructure 7110.
        -In most of the  command interface for the  NetStructure 7110,
         interrupts are ignored.  However, the password prompt section
         does not block interrupts.  When an interrupt is received  in
	     this section, the initial login banner is re-displayed.  This
         banner contains the  ethernet address of  the machine.   This
         banner is also displayed after power-cycling or when  exiting
         a valid session.
        -The method to change the shell password is undocumented.
        -Additionally,  The  shell  password  is  recoverable from the
         'admin' account.   The running  configuration file  does  not
         contain  an  explicit  entry  for  the shell password.  Thus,
         initial runs of the 'show config' do not display any elements
         referencing the  shell password.   However, by  attempting to
         change the shell password via the 'shpass' command, the entry
         is created.  This happens  even if the attempt to  change the
         password failed.  Subsequent calls to 'show config' will  now
         show the shell password.  The steps to recreate this follow:
            1. enter wizard mode by typing 'wizard'
            2. attempt to change  the shell password via  the 'shpass'
               command.
            3. show the new config via the 'show config' command

    This leaves  all Ipivot/NetStructure  7110's with  an undocumented
    backdoor which can be  accessed through the console  port, gaining
    the  unauthorized  user  root  privledges  on the box, above those
    privledges  granted  to  the  admin  password  holder.  A few data
    points make this problem particularly disturbing:

        - The  Ipivot is  the device  converting https  (encrypted) to
          http (unencrypted).
        - Network sniffing  utilities are installed  on the Ipivot  by
          default.
        - The secret material that  the password is derived from  (the
          ethernet address) can be forced to be displayed at the login
          prompt.
        - The console port is recommended  to be hooked up to a  modem
          in order to perform remote management.

    L0pht will make the proof of concept tools available 5-15-2000  to
    independently verify  and address  the problem.    PalmOS  prc and
    unix source available at:

        http://www.l0pht.com/advisories/ipivot.tar.gz

SOLUTION

    1.  Change the admin password after the first login.
    2.  Next, Type 'wizard'.   You are now in an undocumented  command
        mode.
    3.  Type 'shpass' and change the shell password.  Warning: Do  not
        set the shell password to the same as the cli password.
    4.  Type 'config save'.

    The wizard mode has been known in the computer security  community
    for many months.

    As a result of this advisory Intel has:

        1. Setup  a security-info  mail account  which one  can notify
           Intel  of  security  issues  on  their  product,  where one
           previously did not exist.
        2. Provided patches for all customers at the following URL:
               http://216.188.41.136
           or through  an 800  number for  customers with  maintenance
           agreements.