What's inside a Force10 firmware?

I'm working with Dell Force10 switches and noticed that for S25N / S50N models there hasn't been a new firmware released since 2012. The current firmware has version 8.4.2.7.
For S4810 models the current firmware is version 9.6.0.0 from 2014. What has changed since the 8.x releases. Let's compare them.

So from a security perspective, it's interesting to know what's inside a Force10 firmware, as their switches can also handle several routing protocols, DHCP, FTP, SSH and so on. Are these services vulnerable to known security bugs?

As stated at http://en.wikipedia.org/wiki/FTOS the Force10 OS 'FTOS' (aka DNOS - Dell Networking Operating System) is based on NetBSD. Does Dell include the latest security updates for the OS and its services?

I try to find out details by executables, scripts and strings which can be found inside the firmware. Currently I have only access to production systems and no spare hardware for testing.

This is work in progress.

Preparation

Install Binwalk v2.1.0:

cd ~  
git clone https://github.com/devttys0/binwalk.git  
python setup.py build  
cd ..  
Get firmware

You can download the S series 8.x and 9.x firmwares at https://www.force10networks.com/CSPortal20/. A support account is required (which you might already got when you bought your Force10 switches).

Firmware 8.4.2.7 for S25N / S50N

Create and enter working directory:

mkdir ftos_debug_8.4.2.7  
cd ftos_debug_8.4.2.7  

Extract firmware:

~/binwalk/src/scripts/binwalk -e FTOS-SB-8.4.2.7.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION  
--------------------------------------------------------------------------------
139           0x8B            LZMA compressed data, properties: 0x51, dictionary size: 33554432 bytes, uncompressed size: 28771 bytes  
304           0x130           gzip compressed data, maximum compression, has original file name: "netbsd.BACARDI.bin.1722", from Unix, last modified: 2012-09-27 21:02:34  
3366640       0x335EF0        gzip compressed data, maximum compression, from Unix, last modified: 2012-09-27 21:07:40  
13483195      0xCDBCBB        gzip compressed data, maximum compression, from Unix, last modified: 2012-09-27 21:07:45  

Search for interesting stuff:

cd _FTOS-SB-8.4.2.7.bin.extracted/  
$ file *
335EF0:                     POSIX tar archive (GNU)  
335EF0.gz:                  gzip compressed data, from Unix, last modified: Thu Sep 27 23:07:40 2012, max compression  
8B:                         empty  
8B.7z:                      data  
CDBCBB:                     POSIX tar archive (GNU)  
netbsd.BACARDI.bin.1722:    data  
netbsd.BACARDI.bin.1722.gz: gzip compressed data, was "netbsd.BACARDI.bin.1722", from Unix, last modified: Thu Sep 27 23:02:34 2012, max compression  

Copy interesting looking files:

mkdir ../interesting  
cp netbsd.BACARDI.bin.1722 ../interesting/  
cp CDBCBB ../interesting/  
cp 335EF0 ../interesting/  
cd ../interesting  

Kernel / ramdisk contains NetBSD version 1.6.1:

strings netbsd.BACARDI.bin.1722 | grep "NetBSD 1" | sort | uniq  
 NetBSD 1.6.1 (BACARDI) #0: Thu Sep 27 13:59:39 PDT 2012
@(#)NetBSD 1.6.1 (BACARDI) #0: Thu Sep 27 13:59:39 PDT 2012

This seems to be a little bit dusty. NetBSD 1.6.1 was released on 21 Apr 2003. At the time of writing that's almost 12 years ago!

Extract Force10 binaries part 1:

mkdir ../force10-binaries1  
tar -xvf 335EF0 -C ../force10-binaries1  

Extract Force10 binaries part 2:

mkdir ../force10-binaries2  
tar -xvf CDBCBB -C ../force10-binaries2  

Download NetBSD 1.6.1 base binaries and manpages:

cd ..  
mkdir netbsd_1.6.1  
cd netbsd_1.6.1  
wget ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-archive/NetBSD-1.6/prep/binary/sets/base.tgz  
tar -xvzf base.tgz  
wget ftp://ftp.netbsd.org/pub/NetBSD-archive/NetBSD-1.6.1/prep/binary/sets/man.tgz  
tar -xvzf man.tgz  
cd ..  

Examine ifconfig binary:

strings force10-binaries2/f10/sbin/ifconfig | grep -i bsd | sort | uniq  
$NetBSD: crt0.c,v 1.22 2002/05/09 20:32:59 matt Exp $
$NetBSD: ifconfig.c,v 1.123 2002/05/06 20:14:36 thorpej Exp $
.note.netbsd.ident
GCC: (GNU) 2.95.3 20010315 (release) (NetBSD nb3)  
NetBSD  

ifconfig belongs to NetBSD 1.6.1 (same CVS revision):

strings netbsd_1.6.1/sbin/ifconfig | grep -i bsd | sort | uniq | grep ifconfig  
$NetBSD: ifconfig.c,v 1.123 2002/05/06 20:14:36 thorpej Exp $
strings netbsd_1.6.1/sbin/ifconfig | grep -i bsd | sort | uniq | grep crt  
$NetBSD: crt0.c,v 1.22 2002/05/09 20:32:59 matt Exp $

Examine dhcpd binary:

strings interesting/force10-binaries2/f10/usr/sbin/dhcpd | grep -i bsd | sort | uniq | grep -v work  
$NetBSD: crt0.c,v 1.22 2002/05/09 20:32:59 matt Exp $
.note.netbsd.ident
GCC: (GNU) 2.95.3 20010315 (release) (NetBSD nb3)  
NetBSD  

dhcpd belongs to NetBSD 1.6.1 (same CVS revision):

strings netbsd_1.6.1/usr/sbin/dhcpd | grep -i bsd | sort | uniq | grep -v autobuild  
$NetBSD: crt0.c,v 1.22 2002/05/09 20:32:59 matt Exp $
.note.netbsd.ident
GCC: (GNU) 2.95.3 20010315 (release) (NetBSD nb3)  
NetBSD  

Startup script seems to be force10-binaries2/f10/bacardiCpLibStartup.sh:

...
/f10/usr/sbin/sysmon -s /f10/sysd $cp_addr
...

Service starter/watchdog seems to be /f10/usr/sbin/sysmon.
Main program seems to be sysd.

Trace of OpenSSL 0.9.7e:

strings interesting/force10-binaries1/sysd | grep -i openssl | grep RSA | sort | uniq  
RSA part of OpenSSL 0.9.7e 25 Oct 2004  

Trace of ftpd:

strings interesting/force10-binaries1/sysd | grep -i ftp | grep -i dell | sort | uniq  
Dell Force10 (%s) FTP server ready.  

Trace of XNTPD 3-5.93:

strings interesting/force10-binaries1/sysd | grep -i xntpd | sort | uniq  
...
xntpd 3-5.93 Thu Sep 28 14:57:33 PDT 2000 (43)  
...

Perhaps some modified version of OpenSSH?:

strings interesting/force10-binaries1/sysd | grep -i ssh | sort | uniq  
...
SSH_v2.0@force10networks.com  
...

OpenSSH strings in NetBSD 1.6.1:

strings netbsd_1.6.1/usr/sbin/sshd | sort | uniq | grep -i openssh  
OpenSSH*  
OpenSSH-2.0*,OpenSSH-2.1*,OpenSSH_2.1*,OpenSSH_2.2*  
OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*  
OpenSSH_2.3.*  
OpenSSH_2.3.0*  
OpenSSH_2.5.0*,OpenSSH_2.5.1*,OpenSSH_2.5.2*  
OpenSSH_2.5.0p1*,OpenSSH_2.5.1p1*  
OpenSSH_2.5.3*  
OpenSSH_3.4 NetBSD_Secure_Shell-20020626  
auth-agent-req@openssh.com  
auth-agent@openssh.com  
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96  
hmac-ripemd160@openssh.com  
keepalive@openssh.com  

OpenSSH strings in sysd:

strings interesting/force10-binaries1/sysd | grep -i openssh | sort | uniq  
OpenSSH*  
OpenSSH-2.0*,OpenSSH-2.1*,OpenSSH_2.1*,OpenSSH_2.2*  
OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*  
OpenSSH_2.3.*  
OpenSSH_2.3.0*  
OpenSSH_2.5.0*,OpenSSH_2.5.1*,OpenSSH_2.5.2*  
OpenSSH_2.5.0p1*,OpenSSH_2.5.1p1*  
OpenSSH_2.5.3*  
openssh_RSA_verify  

Trace of GnuPG 1.2.4:

strings interesting/force10-binaries1/sysd | grep -i gnupg | sort | uniq  
Version: GnuPG v1.2.4 (MingW32)  

Trace of PGPfreeware 5.0i:

strings interesting/force10-binaries1/sysd | grep -i pgpfree | sort | uniq  
Version: PGPfreeware 5.0i for non-commercial use  

Filesystem structure:

/bin
/boot
/bootimagetemp
/cfgtemp
/dev/
/etc/dhcpd
/etc/ssh
/f10
/f10/F10ShmMMap
/f10/bin/f10ftpcoredumpSS
/f10/coredumpvars
/f10/dcli
/f10/etc/pgp/.pgp
/f10/etc/pgp/temp
/f10/flash.lf
/f10/flash/ADMIN_DIR/SYS_A
/f10/flash/ADMIN_DIR/SYS_A/upg_path
/f10/flash/ADMIN_DIR/SYS_B
/f10/flash/ADMIN_DIR/SYS_B/upg_path
/f10/flash/TestReport-SU-
/f10/no-reboot
/f10/ph.db
/f10/pipe/CPLP_COMM
/f10/pipe/cp/CLICP_COMM
/f10/pipe/cp/CPCLI_COMM
/f10/pipe/cp/DHCP_SRV_PIPE
/f10/pipe/cp/DNLD_PIPE
/f10/pipe/cp/IFMGR_TMRP
/f10/pipe/cp/IPC_PIPE
/f10/pipe/cp/IRC_PIPE
/f10/pipe/cp/PPP_RCV
/f10/pipe/cp/PPP_SWP
/f10/pipe/cp/PPP_TIMER
/f10/pipe/cp/RAM_PIPE
/f10/pipe/cp/SNMPD_PIPE
/f10/pipe/cp/STATMGRTSK_PIPE
/f10/pipe/cp/SWMGR_PIPE
/f10/pipe/cp/SYSADMTSK_PIPE
/f10/pipe/cp/TRACKSTARTSK_PIPE
/f10/pipe/cp/TRKHELPERTSK_PIPE
/f10/pipe/cp/aclagentpipe
/f10/pipe/cp/cfgSwpPipe
/f10/pipe/cp/dot1xSwpPipe
/f10/pipe/cp/dot1xTimerPipe
/f10/pipe/cp/fefdPipeTimer
/f10/pipe/cp/fefdPipeTimerMgmt
/f10/pipe/cp/ifmSwpPipe
/f10/pipe/cp/lldpSwpPipe
/f10/pipe/cp/lldpTimerPipe
/f10/pipe/cp/logMsgPipe
/f10/pipe/cp/more
/f10/pipe/cp/portmirrpipe
/f10/pipe/cp/sflCpSwpPipe
/f10/pipe/cp/sflCpTmrPipe
/f10/pipe/cp/tClassMgrPipe
/f10/pipe/cp/udpBcastPipe
/f10/rd/other/ChassisType.txt
/f10/rd/other/LcBootType_%d.txt
/f10/rd/tgtimg
/f10/rd/tgtimg/upg_path
/f10/sysdlp
/f10/tempTrace
/f10/usr/sbin
/f10/usr/sbin/f10appioclnt %s
/f10/usr/sbin/f10appioclnt sysd
/f10/usr/sbin/f10appioserv
/force10/rd
/force10/rd/other
/force10/rd/tgtimg
/force10/rd/tgtimg/boot
/force10/rd/tgtimg/bootSel
/force10/rd/tgtimg/download_boot
/force10/rd/tgtimg/download_bootSel
/force10/rd/tgtimg/download_fpga
/force10/rd/tgtimg/download_fpga/rlsrecord
/force10/rd/tgtimg/download_runtime
/force10/rd/tgtimg/fpga
/force10/rd/tgtimg/fpga/rlsrecord
/force10/rd/tgtimg/rlsrecord
/force10/rd/tgtimg/rlsrecord_backup
/force10/rd/tgtimg/rlsrecord_download
/force10/rd/tgtimg/runtime
/kern/sysimg
/priv16imagetemp
/ramdisk-tmp
/ramdisk
/sbin
/source-interface
/sysimagetemp
/tgtimg
/tgtimg/download_runtime
/tmp/dhcpd.leases
/tmp/stats
/tmp/sysinfo.tmp
/usr/X11R6/bin/xauth
/usr/bin/pgp
/usr/libexec/ld.elf_so
/usr/local/ssl
/usr/local/ssl/cert.pem
/usr/local/ssl/certs
/usr/local/ssl/private
/var/NTP/
/var/run/sshd.pid
Firmware 9.6.0.0 for S4810

Create and enter working directory:

mkdir ftos_debug_9.6.0.0  
cd ftos_debug_9.6.0.0  
  • extract firmware:
~/binwalk/src/scripts/binwalk -e FTOS-SE-9.6.0.0.bin

DECIMAL       HEXADECIMAL     DESCRIPTION  
--------------------------------------------------------------------------------
139           0x8B            LZMA compressed data, properties: 0x87, dictionary size: 33554432 bytes, uncompressed size: 28771 bytes  
304           0x130           gzip compressed data, maximum compression, has original file name: "netbsd-S4810.tmp.bin.19457", from Unix, last modified: 2014-09-28 17:53:48  
10580088      0xA17078        gzip compressed data, maximum compression, from Unix, last modified: 2014-09-28 17:54:33  
30064634      0x1CABFFA       gzip compressed data, maximum compression, from Unix, last modified: 2014-09-28 17:54:42  
31076843      0x1DA31EB       COBALT boot rom data (Flat boot rom or file system)  
40575850      0x26B236A       Zlib compressed data, default compression  
40579923      0x26B3353       Zlib compressed data, default compression  
40584132      0x26B43C4       Zlib compressed data, default compression  
40588552      0x26B5508       Zlib compressed data, default compression  
40592524      0x26B648C       Zlib compressed data, default compression  
40596042      0x26B724A       Zlib compressed data, default compression  
40599419      0x26B7F7B       Zlib compressed data, default compression  
40639874      0x26C1D82       Zlib compressed data, default compression  
40643700      0x26C2C74       Zlib compressed data, default compression  
40647932      0x26C3CFC       Zlib compressed data, default compression  
40652445      0x26C4E9D       Zlib compressed data, default compression  
40656163      0x26C5D23       Zlib compressed data, default compression  
40659861      0x26C6B95       Zlib compressed data, default compression  
40663539      0x26C79F3       Zlib compressed data, default compression  
40667354      0x26C88DA       Zlib compressed data, default compression  
40707960      0x26D2778       Zlib compressed data, default compression  
40711516      0x26D355C       Zlib compressed data, default compression  
40715439      0x26D44AF       Zlib compressed data, default compression  
40718767      0x26D51AF       Zlib compressed data, default compression  
40721762      0x26D5D62       Zlib compressed data, default compression  
40725431      0x26D6BB7       Zlib compressed data, default compression  
40728500      0x26D77B4       Zlib compressed data, default compression  
40731780      0x26D8484       Zlib compressed data, default compression  
40738583      0x26D9F17       Zlib compressed data, default compression  
40742502      0x26DAE66       Zlib compressed data, default compression  
40745992      0x26DBC08       Zlib compressed data, default compression  
40749266      0x26DC8D2       Zlib compressed data, default compression  
40752600      0x26DD5D8       Zlib compressed data, default compression  
40755766      0x26DE236       Zlib compressed data, default compression  
40759482      0x26DF0BA       Zlib compressed data, default compression  
40762846      0x26DFDDE       Zlib compressed data, default compression  
40766148      0x26E0AC4       Zlib compressed data, default compression  
41057570      0x2727D22       Zlib compressed data, default compression  
41061768      0x2728D88       Zlib compressed data, default compression  
41066053      0x2729E45       Zlib compressed data, default compression  
41070451      0x272AF73       Zlib compressed data, default compression  
41075006      0x272C13E       Zlib compressed data, default compression  
41079625      0x272D349       Zlib compressed data, default compression  
41082672      0x272DF30       Zlib compressed data, default compression  
41091311      0x27300EF       Zlib compressed data, default compression  
41096170      0x27313EA       Zlib compressed data, default compression  
41100724      0x27325B4       Zlib compressed data, default compression  
41105191      0x2733727       Zlib compressed data, default compression  
41109560      0x2734838       Zlib compressed data, default compression  
41115373      0x2735EED       Zlib compressed data, default compression  
41667479      0x27BCB97       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
41673237      0x27BE215       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
41679669      0x27BFB35       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
41990679      0x280BA17       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
42005473      0x280F3E1       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
42005871      0x280F56F       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
42011628      0x2810BEC       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
42067864      0x281E798       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
42131664      0x282E0D0       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
42146581      0x2831B15       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
42156835      0x2834323       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
42166229      0x28367D5       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
42187030      0x283B916       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
42190596      0x283C704       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
42443073      0x287A141       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
42457528      0x287D9B8       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
42463059      0x287EF53       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
42486986      0x2884CCA       LZMA compressed data, properties: 0x6D, dictionary size: 65536 bytes, uncompressed size: 559903 bytes  
42486991      0x2884CCF       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
42663772      0x28AFF5C       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
42665466      0x28B05FA       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
42674827      0x28B2A8B       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
42679474      0x28B3CB2       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
42801137      0x28D17F1       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
42840425      0x28DB169       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
43071307      0x291374B       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
43374413      0x295D74D       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
43460199      0x2972667       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
43913505      0x29E1121       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
43914251      0x29E140B       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
43914514      0x29E1512       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
43943690      0x29E870A       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
43946986      0x29E93EA       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
43961827      0x29ECDE3       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
43969007      0x29EE9EF       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44038270      0x29FF87E       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44044182      0x2A00F96       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44047098      0x2A01AFA       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44055631      0x2A03C4F       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44071545      0x2A07A79       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44072896      0x2A07FC0       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44074729      0x2A086E9       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44127329      0x2A15461       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44135199      0x2A1731F       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44145456      0x2A19B30       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44511651      0x2A731A3       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44565648      0x2A80490       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44576248      0x2A82DF8       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44577600      0x2A83340       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44746006      0x2AAC516       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44758325      0x2AAF535       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44785452      0x2AB5F2C       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44786270      0x2AB625E       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44792417      0x2AB7A61       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44801537      0x2AB9E01       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44862461      0x2AC8BFD       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44876014      0x2ACC0EE       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
44877289      0x2ACC5E9       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
45034741      0x2AF2CF5       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
45091962      0x2B00C7A       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
45141096      0x2B0CC68       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
45142899      0x2B0D373       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
45153217      0x2B0FBC1       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
45173348      0x2B14A64       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  
45198472      0x2B1AC88       gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)  

There seems to be a lot more different content than in the 8.x firmware. This could also be caused by binwalk not being able to handle this firmware file properly.

Search for interesting stuff:

cd _FTOS-SE-9.6.0.0.bin.extracted/  
file * | grep -v empty | grep -v Erlang | grep -v gzip  
...
A17078:                        POSIX tar archive (GNU)  
netbsd-S4810.tmp.bin.19457:    data  

Copy interesting looking files:

mkdir ../interesting  
cp A17078 ../interesting/  
cp netbsd-S4810.tmp.bin.19457 ../interesting/  
cd ../interesting  

Kernel / ramdisk contains NetBSD version 5.1:

strings netbsd-S4810.tmp.bin.19457 | grep "NetBSD 5" | sort | uniq  
 NetBSD 5.1_STABLE (MPC4810) #0: Sun Sep 28 10:51:25 PDT 2014
Loop address in NetBSD 5.1 is part of stack trace  
_CFG_options \011COMPAT_50\011# NetBSD 5.0 compatibility.  

Extract Force10 binaries:

mkdir ../force10-binaries  
tar -xzvf A17078 -C ../force10-binaries/  
cd ..  

Trace of OpenSSL:

strings force10-binaries/sysd | grep -i openssl | sort | uniq  
OPENSSL_add_all_algorithms_noconf  

Where did all the strings of OpenSSL go? Did they use another SSL implementation or just got rid of the strings to make reverse engineering harder?

Trace of ftpd:

strings force10-binaries/sysd | grep -i ftp | grep -i dell | sort | uniq  
Dell (%s) FTP server ready.  

Trace of XNTPD 3-5.93:

strings force10-binaries/sysd | grep -i xntpd | sort | uniq  
...
xntpd 3-5.93 Thu Sep 28 14:57:33 PDT 2000 (43)  
...

Trace of GnuPG 1.2.4:

strings force10-binaries/sysd | grep -i gnupg | sort | uniq  
 Version: GnuPG v1.2.4 (MingW32)
/usr/bin/gnupg

cURL 7.21.4:

strings force10-binaries/curl | grep "curl 7" | sort | uniq  
curl 7.21.4 (powerpc-pc-netbsd-gnu) %s  

OpenSSH 6.0p1:

strings force10-binaries/sshd | grep -i openssh_ |sort | uniq  
OpenSSH_6.0  
OpenSSH_6.0p1  

Filesystem structure:

/backup/interface
/bin/sh
/biosimagetemp
/boot/%s
/bootimagetemp
/bootselimagetemp
/dev/
/dev/%s
/dev/NULL
/dev/bootflash0
/dev/btsensor0
/dev/btsensor1
/dev/btsensor2
/dev/btsensor3
/dev/btsensor4
/dev/console
/dev/cpld0
/dev/crshntfy0
/dev/dimmeeprom
/dev/f10loggerdev
/dev/ipl
/dev/klog
/dev/max6651x0
/dev/max6651x1
/dev/max6651x2
/dev/max6651x3
/dev/max6651x4
/dev/nvram0
/dev/ps0eeprom
/dev/ps1eeprom
/dev/ps2eeprom
/dev/psu1fan
/dev/psu2fan
/dev/r%s
/dev/rld0a
/dev/rld0b
/dev/rtc
/dev/sfpx0
/dev/sfpx1
/dev/sfpx2
/dev/syseeprom0
/dev/syseeprom1
/dev/tty
/dev/tty01
/dev/usb0
/dev/usb1
/etc/dhcpd
/etc/dhcpd/dhcpd.conf
/etc/hosts
/etc/inetd.conf
/etc/resolv.conf
/etc/services
/etc/startup_info
/f10
/f10/%s
/f10/%s%s
/f10/%s/
/f10/%s/%s
/f10/ConfD/confdCaptureLogs
/f10/ConfD/db
/f10/ConfD/db/cmo_ftos_bgp_nbr_stats
/f10/ConfD/db/cmo_ftos_bgp_stats
/f10/ConfD/db/ftos_bgp_nbr_stats_diff
/f10/ConfD/db/ftos_bgp_nbr_stats_tmp
/f10/ConfD/db/ftos_bgp_stats_diff
/f10/ConfD/db/ftos_bgp_stats_tmp
/f10/ConfD/etc/confd/confd_httpd_host.cert
/f10/bin/f10Reload
/f10/bin/f10ftpcoredumpSS
/f10/bin/s60ConsoleFifoTool
/f10/cfg_compress.tcl
/f10/coredumpvars
/f10/curl
/f10/dcli
/f10/diff.tcl
/f10/f10inetd_external.conf
/f10/f10login
/f10/f10tcpdump
/f10/f10tcpdump_remolddir
/f10/feature/feature.cfg
/f10/flash/%s
/f10/flash/ADMIN_DIR/SYS_A
/f10/flash/ADMIN_DIR/SYS_A/upg_path
/f10/flash/ADMIN_DIR/SYS_B
/f10/flash/ADMIN_DIR/SYS_B/upg_path
/f10/flash/ADMIN_DIR/certs/confd_httpd_host.cert
/f10/flash/ADMIN_DIR/certs/confd_httpd_host.key
/f10/flash/ADMIN_DIR/dhclient.leases
/f10/flash/CORE_DUMP_DIR
/f10/flash/CORE_DUMP_DIR/FTP_STK_MEMBER
/f10/flash/TCP_DUMP_DIR
/f10/flash/TCP_DUMP_DIR/tmp
/f10/flash/TCP_DUMP_DIR/tmp/tcpdump
/f10/flash/TCP_DUMP_DIR/tmp/tcpdump%d
/f10/flash/TestReport-%s-%d.txt
/f10/flash/autoexec
/f10/flash/pam%d.log
/f10/mnt
/f10/mnt/nfs
/f10/no-reboot
/f10/ph-sysd.db
/f10/pipe/ACL0
/f10/pipe/CLICP_COMM
/f10/pipe/CPCLI_COMM
/f10/pipe/CPLP_COMM
/f10/pipe/DHCP_SRV_PIPE
/f10/pipe/DNLD_PIPE
/f10/pipe/IFAGT_TMRP
/f10/pipe/IFMGR_TMRP
/f10/pipe/IPC_PIPE
/f10/pipe/IRC_PIPE
/f10/pipe/LPCP_COMM
/f10/pipe/PORTMIRR
/f10/pipe/RAM_PIPE
/f10/pipe/RCC_TIMER
/f10/pipe/SNMPD_PIPE
/f10/pipe/STATMGRTSK_PIPE
/f10/pipe/SWMGR_PIPE
/f10/pipe/SYSADMTSK_PIPE
/f10/pipe/TCPDUMPTSK_PIPE
/f10/pipe/TRACKSTARTSK_PIPE
/f10/pipe/TRKHELPERTSK_PIPE
/f10/pipe/aclagentpipe
/f10/pipe/cfgSwpPipe
/f10/pipe/dhclientPipe
/f10/pipe/dot1xSwpPipe
/f10/pipe/dot1xTimerPipe
/f10/pipe/dpiSwpPipe
/f10/pipe/dpiTmrPipe
/f10/pipe/dpiWrkrPipe
/f10/pipe/fefdPipeTimer
/f10/pipe/fefdPipeTimerMgmt
/f10/pipe/hpmPipe
/f10/pipe/ifaSwpPipe
/f10/pipe/ifmSwpPipe
/f10/pipe/lldpSwpPipe
/f10/pipe/lldpTimerPipe
/f10/pipe/logMsgPipe
/f10/pipe/more
/f10/pipe/portmirrpipe
/f10/pipe/ssCpuMemPipe
/f10/pipe/ssmLogMonPipe
/f10/pipe/tClassMgrPipe
/f10/pipe/udpBcastPipe
/f10/rd/other/ChassisType.txt
/f10/rd/other/LcBootType_%d.txt
/f10/rd/tgtimg
/f10/rd/tgtimg/upg_path
/f10/rd/tmp
/f10/scp
/f10/shmdrv
/f10/soc_%d
/f10/soc_f10do
/f10/ssh
/f10/sysdlp
/f10/tempTrace
/f10/usr/sbin
/f10/usr/sbin/f10appioclnt %s
/f10/usr/sbin/f10appioclnt sysd
/f10/usr/sbin/f10appioserv
/f10/usr/sbin/getscriptpid.sh
/f10BgpM2
/f10BgpM2AdjRibsOutTable
/f10BgpM2AsPathTable
/f10BgpM2CfgPeerAdminStatusTable
/f10BgpM2CfgPeerTable
/f10BgpM2FlapStatisticsTable
/f10BgpM2LinkLocalNextHopTable
/f10BgpM2NlriTable
/f10BgpM2PathAttrClusterTable
/f10BgpM2PathAttrCommTable
/f10BgpM2PathAttrExtCommTable
/f10BgpM2PathAttrOriginatorIdTable
/f10BgpM2PathAttrTable
/f10BgpM2PathAttrUnknownTable
/f10BgpM2PeerCapsAnnouncedTable
/f10BgpM2PeerCapsReceivedTable
/f10BgpM2PeerTable
/f10BgpM2PrefixCountersTable
/f10BgpM2SupportedCapabilitiesTable
/f10BgpM2VersionTable
/force10/rd
/force10/rd/other
/force10/rd/tgtimg
/force10/rd/tgtimg/boot
/force10/rd/tgtimg/bootSel
/force10/rd/tgtimg/download_boot
/force10/rd/tgtimg/download_bootSel
/force10/rd/tgtimg/download_fpga
/force10/rd/tgtimg/download_fpga/rlsrecord
/force10/rd/tgtimg/download_runtime
/force10/rd/tgtimg/fpga
/force10/rd/tgtimg/fpga/rlsrecord
/force10/rd/tgtimg/rlsrecord
/force10/rd/tgtimg/rlsrecord_backup
/force10/rd/tgtimg/rlsrecord_download
/force10/rd/tgtimg/runtime
/fortyGigE/name
/fp-cos-stats
/fp-cpu-party-bus-stats
/fp-drops
/fp-packet-buffer
/fp-port-stats
/fp-stats
/ftos
/ftos/interface
/ftos/interface/
/ftos/interface/%s
/ftos/interface/%s{%d/%d}
/ftos/interface/%s{%s}/description
/ftos/interface/%s{%s}/mtu
/ftos/interface/%s{%s}/rate-interval
/ftos/interface/%s{%s}/shutdown
/ftos/interface/port-channel
/ftos/interface/vlan
/ftos/ip
/ftos/ip/route
/ftos/router
/ftos/router/bgp
/ftos/stats
/ftos/stats/ip
/ftos/stats/ip/bgp
/ftos/stats/ip/bgp/neighbors/neighbor
/ftos/stats/ip/bgp/neighbors/neighbor{%s}
/ftos/stats/ip/bgp/neighbors/neighbor{%s}/advertisedRoutes/prefixList
/ftos/stats/ip/bgp/neighbors/neighbor{%s}/receivedRoutes/prefixList
/ftos/stats/ip/bgp/routes/prefixList
/ftos/stats/ip/bgp/routes/prefixList{%s}
/ftos/stats/ip/bgp/{%s}
/interface
/interfaces
/kern/sysimg
/mac/access-group
/mac/learning-limit
/port-channel/name
/priv16imagetemp
/ramdisk-tmp:
/ramdisk-tmp:/bootimagetemp
/ramdisk-tmp:/priv16imagetemp
/ramdisk-tmp:/sysimagetemp
/ramdisk-tmp:/sysimagetempA
/ramdisk-tmp:/sysimagetempB
/ramdisk:
/ramdisk:/autoexec.temp
/ramdisk:/bliimagetemp
/ramdisk:/bootimagetemp
/ramdisk:/bootselimagetemp
/ramdisk:/priv16imagetemp
/ramdisk:/startup-config.dnld.temp
/ramdisk:/sysimagetemp
/s4810FanRegDump
/sysimagetemp
/sysimagetempA
/sysimagetempB
/tengigabitethernet/name
/tgtimg/download_runtime
/tmp
/tmp/_scp_empty_.dat
/tmp/compressed-config
/tmp/cryptShow
/tmp/dhclienttmp.leases
/tmp/dhcpd.leases
/tmp/errlog
/tmp/inetd.conf
/tmp/netstat_out
/tmp/running-config
/tmp/sysinfo.tmp
/tmp/tcpdumptime
/tmp/telnetd.vrf
/tmpimg/FTOS-S60_BM
/usr/bin/gnupg
/usr/bin/login
/usr/bin/su
/usr/libexec/ld.elf_so
/usr/pkg
/usr/pkg/%s
/usr/pkg/bin/su
/usr/pkg/home/%s
/usr/pkg/installed-packages
/usr/pkg/oa_pkg_agent_debug
/usr/pkg/sbin
/usr/pkg/scripts/VSNAgent/VMWare/VSNAgent.pl
/usr/pkg/scripts/VSNAgent/Xen/hpAgtMain.py
/usr/pkg/ss-scripts
/usr/pkg/tmpOpInstall
/usr/pkg/tmpOpUninstall
/usr/sbin/tcpdump
/var/NTP/
/vrf
/vrf/%s
/vrf/%s%s
/vrf/%s/%s
/vrf/%s/et
Possible security issues
  • NTP & DNS: The configuration documentation states that Force10 switches only work in client mode. But the client might be still vulnerable to malicious servers.
Side notes