You Hardcoded What!?

anon595438 · 2016-01-12T22:57:30.000Z

We all had a good kick out of this (after it was resolved that is).

Recently took over a facility’s IT needs over a year ago. Updating a bunch of old hardware, software, infrastructure, etc. One nice day all of sudden an external clinic calls saying they had a small power outage and the wireless was down. Verified with staff AP was on, but kept power cycling. All other APs in the organization are just fine. On the controller verified the AP was not connecting. Myself and another staff member were going to run out to troubleshoot and thought we would prep another AP we had in the office as a spare. Turned off hot spare, pulled off mount and decided to test it just to verify it connect back to the controller and capture healthy logs that we can use to troubleshoot the other “bad” AP. Re-plugged in spare AP and now it does not connect to the controller?

Consoled into the spare and saw some logs about a certificate that was out of date. Okay, we thought, this setup just probably had a cert. we missed updating when we re-up’d our certs. Searched ALL over the controller and all the certs were up to date. Pounding on the research and vendor site. Low and behold we stumbled on a small paragraph deep…deep in a dark cave of the vendor release notes for the version that had a unique “feature”. A cert used for AP to controller communication, not visible via command or UI, and amazingly hard coded with a 10 year expiration which was up 2 days ago. Any AP that reboots will not be able to create a new session connections with the controller. Disabled NTP, manually set clock back a couple of year, and moved the controller refresh project higher on our project list…a lot higher

Any other fantastic hard coding stories? XD

Neally · 2016-01-12T23:05:43.000Z

Dang respect for being thorough on going through the documentation.

trelstadtech · 2016-01-12T23:10:51.000Z

I bet they never dreamed those AP’s would last 10 years!

anon595438 · 2016-01-12T23:14:36.000Z

Sid Phiilips:

I bet they never dreamed those AP’s would last 10 years!

A couple of week before, our crew were wondering how long some of these systems were in place. We found an answer to at least one

Rivitir · 2016-01-12T23:19:11.000Z

Wow… that is sad… and dumb. Awesome job figuring it out though.

Mike400 · 2016-01-13T00:03:47.000Z

You’re probably the first person to ever read the documentation on that AP.

brendanrichardson2 · 2016-01-13T00:28:25.000Z

documentation. whats that?

trelstadtech · 2016-01-13T01:16:52.000Z

Mike400:

You’re probably the first person to ever read the documentation on that AP.

Omg, can’t you just see it? After about 20 minutes of jacking with it, in the trash it went! Pretty sure that’s what I would have done.

robhall · 2016-01-13T01:19:15.000Z

Reminds me of the hard-coded back door discovered in in Juniper’s ScreenOS a few weeks ago:

ZDNET

Juniper ScreenOS devices had default backdoor password: Rapid7

Analysis by security company Rapid7 has revealed that anyone who knew a backdoor password in Juniper ScreenOS devices only had to know a valid username to log in.

apsutcliffe · 2016-01-13T08:45:52.000Z

I was introduced to an old green screen program working on an AS/400. The developers had hardcoded an administrative account; username = admin, password = admin.

There was a “user” account called “Administrator”; but no-one used that. The staff were supposed to be using individual accounts that had to be set-up for them; but they mostly were using the hardcoded admin account. We couldn’t even change the password on it.

dennisbarr · 2016-01-13T12:30:10.000Z

Great bit of detective work. Sometimes it’s all in the details, printed in tiny text, buried under fifteen other footnotes, etc., etc.

Hard-coding anything is pretty well frowned on anymore. It’s great to know that at least there’s been SOME progress in the way we program…

techelp · 2016-01-13T12:55:46.000Z

Good job on finding that. Sometimes I wonder what goes through the minds of vendors when they write this. Any reason for a 10 year expiration?

corey901 · 2016-01-13T14:07:30.000Z

Techelp:

Good job on finding that. Sometimes I wonder what goes through the minds of vendors when they write this. Any reason for a 10 year expiration?

There is a reason, built in obsolescence. While it is a rare piece of long term thinking by that company, it almost guarantees a new purchase when it expires. It is still kind of shady to build something like that.

stopthenoise · 2016-01-13T14:32:55.000Z

After a max of an hour, I would have binned it and replaced it. Cudo’s on the nice detective work (and finding the manual for a 10 year old device!)

anon595438 · 2016-01-13T18:20:55.000Z

robhall:

Reminds me of the hard-coded back door discovered in in Juniper’s ScreenOS a few weeks ago:

http://www.zdnet.com/article/juniper-screenos-devices-had-default-backdoor-password-rapid7/

Ya, that was an interesting read

anon595438 · 2016-01-13T18:26:38.000Z

Captain Frostbyte:

After a max of an hour, I would have binned it and replaced it. Cudo’s on the nice detective work (and finding the manual for a 10 year old device!)

I wish we could do that sometimes. This situation unfortunately the problem cert is on the controllers which would be a nightmare to replace same day.

biscuitking · 2016-01-14T12:36:16.000Z

We recently had to replace a java plugin on our website because the there was a cert on it (from the software vendor) that expired.