I will never forget the first time I cracked one of these backdoors. It was a central office telephone switch made by Harris. The company had purchased it used in Puerto Rico and did not want to pay Harris for software upgrades, they wanted to use the upgrades they had purchased for other Harris switches.
I discovered a pcb with some soldered jumpers that puzzled out to be the serial number hardware bound but physically changeable. After changing the serial number to match that of a legit switch the company owned I asked Harris to dial in and take a look at a problem, while they were dialing in I half tapped the rs-232 line and watched the login sequence. The password was Goldengate. That was quite a thrill. From that point on we could do an amazing amount of things with that switch as it had some software tools residing inside it. Prior to that time and since, I have always been against stealing software. I never used copies or allowed copies of mine in college (early PC days). But the boss wanted it done and wanted to impress the boss, who many years later became a business partner, who many years after that sued me, and then died, and the lawsuit is still going... From: Mike Hammett Sent: Saturday, November 12, 2016 7:52 AM To: [email protected] Subject: Re: [AFMUG] Trango Security Issue I would be surprised if *EVERY* platform didn't have some secret manufacturer backdoor, some just are better guarded than others. ----- Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP -------------------------------------------------------------------------------- From: "Jon Langeler" <[email protected]> To: [email protected] Sent: Saturday, November 12, 2016 8:44:59 AM Subject: Re: [AFMUG] Trango Security Issue It's not the first time that a manufacturer has a secret root account. It just got out Jon Langeler Michwave Technologies, Inc. On Nov 12, 2016, at 7:09 AM, Paul Stewart <[email protected]> wrote: Yikes…. [+] Credits: Ian Ling [+] Website: iancaling.com [+] Source: http://blog.iancaling.com/post/153011925478/ Vendor: ================= www.trangosys.com Products: ====================== All models. Newer versions use a different password. Vulnerability Type: =================== Default Root Account CVE Reference: ============== N/A Vulnerability Details: ===================== Trango devices all have a built-in, hidden root account, with a default password that is the same across many devices and software revisions. This account is accessible via ssh and grants access to the underlying embedded unix OS on the device, allowing full control over it. Recent software updates for some models have changed this password, but have not removed this backdoor. See source above for details on how the password was found. The particular password I found is 9 characters, all lowercase, no numbers: "bakergiga" Their support team informed me that there is a different password on newer devices. The password I found works on the following devices: -Apex <= 2.1.1 (latest) -ApexLynx < 2.0 -ApexOrion < 2.0 -ApexPlus <= 3.2.0 (latest) -Giga <= 2.6.1 (latest) -GigaLynx < 2.0 -GigaOrion < 2.0 -GigaPlus <= 3.2.3 (latest) -GigaPro <= 1.4.1 (latest) -StrataLink < 3.0 -StrataPro - all versions? Impact: The remote attacker has full control over the device, including shell access. This can lead to packet sniffing and tampering, bricking the device, and use in botnets. Disclosure Timeline: =================================== Vendor Notification: October 7, 2016 Public Disclosure: November 10, 2016 Exploitation Technique: ======================= Remote Severity Level: ================ Critical
