I'm working with Dell Force10 switches and noticed that for S25N / S50N models there hasn't been a new firmware released since 2012. The current firmware has version 8.4.2.7.
For S4810 models the current firmware is version 9.6.0.0 from 2014. What has changed since the 8.x releases. Let's compare them.
So from a security perspective, it's interesting to know what's inside a Force10 firmware, as their switches can also handle several routing protocols, DHCP, FTP, SSH and so on. Are these services vulnerable to known security bugs?
As stated at http://en.wikipedia.org/wiki/FTOS the Force10 OS 'FTOS' (aka DNOS - Dell Networking Operating System) is based on NetBSD. Does Dell include the latest security updates for the OS and its services?
I try to find out details by executables, scripts and strings which can be found inside the firmware. Currently I have only access to production systems and no spare hardware for testing.
This is work in progress.
Preparation
Install Binwalk v2.1.0:
cd ~
git clone https://github.com/devttys0/binwalk.git
python setup.py build
cd ..
Get firmware
You can download the S series 8.x and 9.x firmwares at https://www.force10networks.com/CSPortal20/. A support account is required (which you might already got when you bought your Force10 switches).
Firmware 8.4.2.7 for S25N / S50N
Create and enter working directory:
mkdir ftos_debug_8.4.2.7
cd ftos_debug_8.4.2.7
Extract firmware:
~/binwalk/src/scripts/binwalk -e FTOS-SB-8.4.2.7.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
139 0x8B LZMA compressed data, properties: 0x51, dictionary size: 33554432 bytes, uncompressed size: 28771 bytes
304 0x130 gzip compressed data, maximum compression, has original file name: "netbsd.BACARDI.bin.1722", from Unix, last modified: 2012-09-27 21:02:34
3366640 0x335EF0 gzip compressed data, maximum compression, from Unix, last modified: 2012-09-27 21:07:40
13483195 0xCDBCBB gzip compressed data, maximum compression, from Unix, last modified: 2012-09-27 21:07:45
Search for interesting stuff:
cd _FTOS-SB-8.4.2.7.bin.extracted/
$ file *
335EF0: POSIX tar archive (GNU)
335EF0.gz: gzip compressed data, from Unix, last modified: Thu Sep 27 23:07:40 2012, max compression
8B: empty
8B.7z: data
CDBCBB: POSIX tar archive (GNU)
netbsd.BACARDI.bin.1722: data
netbsd.BACARDI.bin.1722.gz: gzip compressed data, was "netbsd.BACARDI.bin.1722", from Unix, last modified: Thu Sep 27 23:02:34 2012, max compression
Copy interesting looking files:
mkdir ../interesting
cp netbsd.BACARDI.bin.1722 ../interesting/
cp CDBCBB ../interesting/
cp 335EF0 ../interesting/
cd ../interesting
Kernel / ramdisk contains NetBSD version 1.6.1:
strings netbsd.BACARDI.bin.1722 | grep "NetBSD 1" | sort | uniq
NetBSD 1.6.1 (BACARDI) #0: Thu Sep 27 13:59:39 PDT 2012
@(#)NetBSD 1.6.1 (BACARDI) #0: Thu Sep 27 13:59:39 PDT 2012
This seems to be a little bit dusty. NetBSD 1.6.1 was released on 21 Apr 2003. At the time of writing that's almost 12 years ago!
Extract Force10 binaries part 1:
mkdir ../force10-binaries1
tar -xvf 335EF0 -C ../force10-binaries1
Extract Force10 binaries part 2:
mkdir ../force10-binaries2
tar -xvf CDBCBB -C ../force10-binaries2
Download NetBSD 1.6.1 base binaries and manpages:
cd ..
mkdir netbsd_1.6.1
cd netbsd_1.6.1
wget ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-archive/NetBSD-1.6/prep/binary/sets/base.tgz
tar -xvzf base.tgz
wget ftp://ftp.netbsd.org/pub/NetBSD-archive/NetBSD-1.6.1/prep/binary/sets/man.tgz
tar -xvzf man.tgz
cd ..
Examine ifconfig binary:
strings force10-binaries2/f10/sbin/ifconfig | grep -i bsd | sort | uniq
$NetBSD: crt0.c,v 1.22 2002/05/09 20:32:59 matt Exp $
$NetBSD: ifconfig.c,v 1.123 2002/05/06 20:14:36 thorpej Exp $
.note.netbsd.ident
GCC: (GNU) 2.95.3 20010315 (release) (NetBSD nb3)
NetBSD
ifconfig belongs to NetBSD 1.6.1 (same CVS revision):
strings netbsd_1.6.1/sbin/ifconfig | grep -i bsd | sort | uniq | grep ifconfig
$NetBSD: ifconfig.c,v 1.123 2002/05/06 20:14:36 thorpej Exp $
strings netbsd_1.6.1/sbin/ifconfig | grep -i bsd | sort | uniq | grep crt
$NetBSD: crt0.c,v 1.22 2002/05/09 20:32:59 matt Exp $
Examine dhcpd binary:
strings interesting/force10-binaries2/f10/usr/sbin/dhcpd | grep -i bsd | sort | uniq | grep -v work
$NetBSD: crt0.c,v 1.22 2002/05/09 20:32:59 matt Exp $
.note.netbsd.ident
GCC: (GNU) 2.95.3 20010315 (release) (NetBSD nb3)
NetBSD
dhcpd belongs to NetBSD 1.6.1 (same CVS revision):
strings netbsd_1.6.1/usr/sbin/dhcpd | grep -i bsd | sort | uniq | grep -v autobuild
$NetBSD: crt0.c,v 1.22 2002/05/09 20:32:59 matt Exp $
.note.netbsd.ident
GCC: (GNU) 2.95.3 20010315 (release) (NetBSD nb3)
NetBSD
Startup script seems to be force10-binaries2/f10/bacardiCpLibStartup.sh:
...
/f10/usr/sbin/sysmon -s /f10/sysd $cp_addr
...
Service starter/watchdog seems to be /f10/usr/sbin/sysmon.
Main program seems to be sysd.
Trace of OpenSSL 0.9.7e:
strings interesting/force10-binaries1/sysd | grep -i openssl | grep RSA | sort | uniq
RSA part of OpenSSL 0.9.7e 25 Oct 2004
Trace of ftpd:
strings interesting/force10-binaries1/sysd | grep -i ftp | grep -i dell | sort | uniq
Dell Force10 (%s) FTP server ready.
Trace of XNTPD 3-5.93:
strings interesting/force10-binaries1/sysd | grep -i xntpd | sort | uniq
...
xntpd 3-5.93 Thu Sep 28 14:57:33 PDT 2000 (43)
...
Perhaps some modified version of OpenSSH?:
strings interesting/force10-binaries1/sysd | grep -i ssh | sort | uniq
...
SSH_v2.0@force10networks.com
...
OpenSSH strings in NetBSD 1.6.1:
strings netbsd_1.6.1/usr/sbin/sshd | sort | uniq | grep -i openssh
OpenSSH*
OpenSSH-2.0*,OpenSSH-2.1*,OpenSSH_2.1*,OpenSSH_2.2*
OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
OpenSSH_2.3.*
OpenSSH_2.3.0*
OpenSSH_2.5.0*,OpenSSH_2.5.1*,OpenSSH_2.5.2*
OpenSSH_2.5.0p1*,OpenSSH_2.5.1p1*
OpenSSH_2.5.3*
OpenSSH_3.4 NetBSD_Secure_Shell-20020626
auth-agent-req@openssh.com
auth-agent@openssh.com
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
hmac-ripemd160@openssh.com
keepalive@openssh.com
OpenSSH strings in sysd:
strings interesting/force10-binaries1/sysd | grep -i openssh | sort | uniq
OpenSSH*
OpenSSH-2.0*,OpenSSH-2.1*,OpenSSH_2.1*,OpenSSH_2.2*
OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
OpenSSH_2.3.*
OpenSSH_2.3.0*
OpenSSH_2.5.0*,OpenSSH_2.5.1*,OpenSSH_2.5.2*
OpenSSH_2.5.0p1*,OpenSSH_2.5.1p1*
OpenSSH_2.5.3*
openssh_RSA_verify
Trace of GnuPG 1.2.4:
strings interesting/force10-binaries1/sysd | grep -i gnupg | sort | uniq
Version: GnuPG v1.2.4 (MingW32)
Trace of PGPfreeware 5.0i:
strings interesting/force10-binaries1/sysd | grep -i pgpfree | sort | uniq
Version: PGPfreeware 5.0i for non-commercial use
Filesystem structure:
/bin
/boot
/bootimagetemp
/cfgtemp
/dev/
/etc/dhcpd
/etc/ssh
/f10
/f10/F10ShmMMap
/f10/bin/f10ftpcoredumpSS
/f10/coredumpvars
/f10/dcli
/f10/etc/pgp/.pgp
/f10/etc/pgp/temp
/f10/flash.lf
/f10/flash/ADMIN_DIR/SYS_A
/f10/flash/ADMIN_DIR/SYS_A/upg_path
/f10/flash/ADMIN_DIR/SYS_B
/f10/flash/ADMIN_DIR/SYS_B/upg_path
/f10/flash/TestReport-SU-
/f10/no-reboot
/f10/ph.db
/f10/pipe/CPLP_COMM
/f10/pipe/cp/CLICP_COMM
/f10/pipe/cp/CPCLI_COMM
/f10/pipe/cp/DHCP_SRV_PIPE
/f10/pipe/cp/DNLD_PIPE
/f10/pipe/cp/IFMGR_TMRP
/f10/pipe/cp/IPC_PIPE
/f10/pipe/cp/IRC_PIPE
/f10/pipe/cp/PPP_RCV
/f10/pipe/cp/PPP_SWP
/f10/pipe/cp/PPP_TIMER
/f10/pipe/cp/RAM_PIPE
/f10/pipe/cp/SNMPD_PIPE
/f10/pipe/cp/STATMGRTSK_PIPE
/f10/pipe/cp/SWMGR_PIPE
/f10/pipe/cp/SYSADMTSK_PIPE
/f10/pipe/cp/TRACKSTARTSK_PIPE
/f10/pipe/cp/TRKHELPERTSK_PIPE
/f10/pipe/cp/aclagentpipe
/f10/pipe/cp/cfgSwpPipe
/f10/pipe/cp/dot1xSwpPipe
/f10/pipe/cp/dot1xTimerPipe
/f10/pipe/cp/fefdPipeTimer
/f10/pipe/cp/fefdPipeTimerMgmt
/f10/pipe/cp/ifmSwpPipe
/f10/pipe/cp/lldpSwpPipe
/f10/pipe/cp/lldpTimerPipe
/f10/pipe/cp/logMsgPipe
/f10/pipe/cp/more
/f10/pipe/cp/portmirrpipe
/f10/pipe/cp/sflCpSwpPipe
/f10/pipe/cp/sflCpTmrPipe
/f10/pipe/cp/tClassMgrPipe
/f10/pipe/cp/udpBcastPipe
/f10/rd/other/ChassisType.txt
/f10/rd/other/LcBootType_%d.txt
/f10/rd/tgtimg
/f10/rd/tgtimg/upg_path
/f10/sysdlp
/f10/tempTrace
/f10/usr/sbin
/f10/usr/sbin/f10appioclnt %s
/f10/usr/sbin/f10appioclnt sysd
/f10/usr/sbin/f10appioserv
/force10/rd
/force10/rd/other
/force10/rd/tgtimg
/force10/rd/tgtimg/boot
/force10/rd/tgtimg/bootSel
/force10/rd/tgtimg/download_boot
/force10/rd/tgtimg/download_bootSel
/force10/rd/tgtimg/download_fpga
/force10/rd/tgtimg/download_fpga/rlsrecord
/force10/rd/tgtimg/download_runtime
/force10/rd/tgtimg/fpga
/force10/rd/tgtimg/fpga/rlsrecord
/force10/rd/tgtimg/rlsrecord
/force10/rd/tgtimg/rlsrecord_backup
/force10/rd/tgtimg/rlsrecord_download
/force10/rd/tgtimg/runtime
/kern/sysimg
/priv16imagetemp
/ramdisk-tmp
/ramdisk
/sbin
/source-interface
/sysimagetemp
/tgtimg
/tgtimg/download_runtime
/tmp/dhcpd.leases
/tmp/stats
/tmp/sysinfo.tmp
/usr/X11R6/bin/xauth
/usr/bin/pgp
/usr/libexec/ld.elf_so
/usr/local/ssl
/usr/local/ssl/cert.pem
/usr/local/ssl/certs
/usr/local/ssl/private
/var/NTP/
/var/run/sshd.pid
Firmware 9.6.0.0 for S4810
Create and enter working directory:
mkdir ftos_debug_9.6.0.0
cd ftos_debug_9.6.0.0
- extract firmware:
~/binwalk/src/scripts/binwalk -e FTOS-SE-9.6.0.0.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
139 0x8B LZMA compressed data, properties: 0x87, dictionary size: 33554432 bytes, uncompressed size: 28771 bytes
304 0x130 gzip compressed data, maximum compression, has original file name: "netbsd-S4810.tmp.bin.19457", from Unix, last modified: 2014-09-28 17:53:48
10580088 0xA17078 gzip compressed data, maximum compression, from Unix, last modified: 2014-09-28 17:54:33
30064634 0x1CABFFA gzip compressed data, maximum compression, from Unix, last modified: 2014-09-28 17:54:42
31076843 0x1DA31EB COBALT boot rom data (Flat boot rom or file system)
40575850 0x26B236A Zlib compressed data, default compression
40579923 0x26B3353 Zlib compressed data, default compression
40584132 0x26B43C4 Zlib compressed data, default compression
40588552 0x26B5508 Zlib compressed data, default compression
40592524 0x26B648C Zlib compressed data, default compression
40596042 0x26B724A Zlib compressed data, default compression
40599419 0x26B7F7B Zlib compressed data, default compression
40639874 0x26C1D82 Zlib compressed data, default compression
40643700 0x26C2C74 Zlib compressed data, default compression
40647932 0x26C3CFC Zlib compressed data, default compression
40652445 0x26C4E9D Zlib compressed data, default compression
40656163 0x26C5D23 Zlib compressed data, default compression
40659861 0x26C6B95 Zlib compressed data, default compression
40663539 0x26C79F3 Zlib compressed data, default compression
40667354 0x26C88DA Zlib compressed data, default compression
40707960 0x26D2778 Zlib compressed data, default compression
40711516 0x26D355C Zlib compressed data, default compression
40715439 0x26D44AF Zlib compressed data, default compression
40718767 0x26D51AF Zlib compressed data, default compression
40721762 0x26D5D62 Zlib compressed data, default compression
40725431 0x26D6BB7 Zlib compressed data, default compression
40728500 0x26D77B4 Zlib compressed data, default compression
40731780 0x26D8484 Zlib compressed data, default compression
40738583 0x26D9F17 Zlib compressed data, default compression
40742502 0x26DAE66 Zlib compressed data, default compression
40745992 0x26DBC08 Zlib compressed data, default compression
40749266 0x26DC8D2 Zlib compressed data, default compression
40752600 0x26DD5D8 Zlib compressed data, default compression
40755766 0x26DE236 Zlib compressed data, default compression
40759482 0x26DF0BA Zlib compressed data, default compression
40762846 0x26DFDDE Zlib compressed data, default compression
40766148 0x26E0AC4 Zlib compressed data, default compression
41057570 0x2727D22 Zlib compressed data, default compression
41061768 0x2728D88 Zlib compressed data, default compression
41066053 0x2729E45 Zlib compressed data, default compression
41070451 0x272AF73 Zlib compressed data, default compression
41075006 0x272C13E Zlib compressed data, default compression
41079625 0x272D349 Zlib compressed data, default compression
41082672 0x272DF30 Zlib compressed data, default compression
41091311 0x27300EF Zlib compressed data, default compression
41096170 0x27313EA Zlib compressed data, default compression
41100724 0x27325B4 Zlib compressed data, default compression
41105191 0x2733727 Zlib compressed data, default compression
41109560 0x2734838 Zlib compressed data, default compression
41115373 0x2735EED Zlib compressed data, default compression
41667479 0x27BCB97 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
41673237 0x27BE215 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
41679669 0x27BFB35 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
41990679 0x280BA17 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
42005473 0x280F3E1 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
42005871 0x280F56F gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
42011628 0x2810BEC gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
42067864 0x281E798 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
42131664 0x282E0D0 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
42146581 0x2831B15 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
42156835 0x2834323 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
42166229 0x28367D5 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
42187030 0x283B916 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
42190596 0x283C704 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
42443073 0x287A141 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
42457528 0x287D9B8 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
42463059 0x287EF53 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
42486986 0x2884CCA LZMA compressed data, properties: 0x6D, dictionary size: 65536 bytes, uncompressed size: 559903 bytes
42486991 0x2884CCF gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
42663772 0x28AFF5C gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
42665466 0x28B05FA gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
42674827 0x28B2A8B gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
42679474 0x28B3CB2 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
42801137 0x28D17F1 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
42840425 0x28DB169 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
43071307 0x291374B gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
43374413 0x295D74D gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
43460199 0x2972667 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
43913505 0x29E1121 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
43914251 0x29E140B gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
43914514 0x29E1512 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
43943690 0x29E870A gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
43946986 0x29E93EA gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
43961827 0x29ECDE3 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
43969007 0x29EE9EF gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44038270 0x29FF87E gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44044182 0x2A00F96 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44047098 0x2A01AFA gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44055631 0x2A03C4F gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44071545 0x2A07A79 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44072896 0x2A07FC0 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44074729 0x2A086E9 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44127329 0x2A15461 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44135199 0x2A1731F gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44145456 0x2A19B30 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44511651 0x2A731A3 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44565648 0x2A80490 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44576248 0x2A82DF8 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44577600 0x2A83340 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44746006 0x2AAC516 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44758325 0x2AAF535 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44785452 0x2AB5F2C gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44786270 0x2AB625E gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44792417 0x2AB7A61 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44801537 0x2AB9E01 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44862461 0x2AC8BFD gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44876014 0x2ACC0EE gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
44877289 0x2ACC5E9 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
45034741 0x2AF2CF5 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
45091962 0x2B00C7A gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
45141096 0x2B0CC68 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
45142899 0x2B0D373 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
45153217 0x2B0FBC1 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
45173348 0x2B14A64 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
45198472 0x2B1AC88 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
There seems to be a lot more different content than in the 8.x firmware. This could also be caused by binwalk not being able to handle this firmware file properly.
Search for interesting stuff:
cd _FTOS-SE-9.6.0.0.bin.extracted/
file * | grep -v empty | grep -v Erlang | grep -v gzip
...
A17078: POSIX tar archive (GNU)
netbsd-S4810.tmp.bin.19457: data
Copy interesting looking files:
mkdir ../interesting
cp A17078 ../interesting/
cp netbsd-S4810.tmp.bin.19457 ../interesting/
cd ../interesting
Kernel / ramdisk contains NetBSD version 5.1:
strings netbsd-S4810.tmp.bin.19457 | grep "NetBSD 5" | sort | uniq
NetBSD 5.1_STABLE (MPC4810) #0: Sun Sep 28 10:51:25 PDT 2014
Loop address in NetBSD 5.1 is part of stack trace
_CFG_options \011COMPAT_50\011# NetBSD 5.0 compatibility.
Extract Force10 binaries:
mkdir ../force10-binaries
tar -xzvf A17078 -C ../force10-binaries/
cd ..
Trace of OpenSSL:
strings force10-binaries/sysd | grep -i openssl | sort | uniq
OPENSSL_add_all_algorithms_noconf
Where did all the strings of OpenSSL go? Did they use another SSL implementation or just got rid of the strings to make reverse engineering harder?
Trace of ftpd:
strings force10-binaries/sysd | grep -i ftp | grep -i dell | sort | uniq
Dell (%s) FTP server ready.
Trace of XNTPD 3-5.93:
strings force10-binaries/sysd | grep -i xntpd | sort | uniq
...
xntpd 3-5.93 Thu Sep 28 14:57:33 PDT 2000 (43)
...
Trace of GnuPG 1.2.4:
strings force10-binaries/sysd | grep -i gnupg | sort | uniq
Version: GnuPG v1.2.4 (MingW32)
/usr/bin/gnupg
cURL 7.21.4:
strings force10-binaries/curl | grep "curl 7" | sort | uniq
curl 7.21.4 (powerpc-pc-netbsd-gnu) %s
OpenSSH 6.0p1:
strings force10-binaries/sshd | grep -i openssh_ |sort | uniq
OpenSSH_6.0
OpenSSH_6.0p1
Filesystem structure:
/backup/interface
/bin/sh
/biosimagetemp
/boot/%s
/bootimagetemp
/bootselimagetemp
/dev/
/dev/%s
/dev/NULL
/dev/bootflash0
/dev/btsensor0
/dev/btsensor1
/dev/btsensor2
/dev/btsensor3
/dev/btsensor4
/dev/console
/dev/cpld0
/dev/crshntfy0
/dev/dimmeeprom
/dev/f10loggerdev
/dev/ipl
/dev/klog
/dev/max6651x0
/dev/max6651x1
/dev/max6651x2
/dev/max6651x3
/dev/max6651x4
/dev/nvram0
/dev/ps0eeprom
/dev/ps1eeprom
/dev/ps2eeprom
/dev/psu1fan
/dev/psu2fan
/dev/r%s
/dev/rld0a
/dev/rld0b
/dev/rtc
/dev/sfpx0
/dev/sfpx1
/dev/sfpx2
/dev/syseeprom0
/dev/syseeprom1
/dev/tty
/dev/tty01
/dev/usb0
/dev/usb1
/etc/dhcpd
/etc/dhcpd/dhcpd.conf
/etc/hosts
/etc/inetd.conf
/etc/resolv.conf
/etc/services
/etc/startup_info
/f10
/f10/%s
/f10/%s%s
/f10/%s/
/f10/%s/%s
/f10/ConfD/confdCaptureLogs
/f10/ConfD/db
/f10/ConfD/db/cmo_ftos_bgp_nbr_stats
/f10/ConfD/db/cmo_ftos_bgp_stats
/f10/ConfD/db/ftos_bgp_nbr_stats_diff
/f10/ConfD/db/ftos_bgp_nbr_stats_tmp
/f10/ConfD/db/ftos_bgp_stats_diff
/f10/ConfD/db/ftos_bgp_stats_tmp
/f10/ConfD/etc/confd/confd_httpd_host.cert
/f10/bin/f10Reload
/f10/bin/f10ftpcoredumpSS
/f10/bin/s60ConsoleFifoTool
/f10/cfg_compress.tcl
/f10/coredumpvars
/f10/curl
/f10/dcli
/f10/diff.tcl
/f10/f10inetd_external.conf
/f10/f10login
/f10/f10tcpdump
/f10/f10tcpdump_remolddir
/f10/feature/feature.cfg
/f10/flash/%s
/f10/flash/ADMIN_DIR/SYS_A
/f10/flash/ADMIN_DIR/SYS_A/upg_path
/f10/flash/ADMIN_DIR/SYS_B
/f10/flash/ADMIN_DIR/SYS_B/upg_path
/f10/flash/ADMIN_DIR/certs/confd_httpd_host.cert
/f10/flash/ADMIN_DIR/certs/confd_httpd_host.key
/f10/flash/ADMIN_DIR/dhclient.leases
/f10/flash/CORE_DUMP_DIR
/f10/flash/CORE_DUMP_DIR/FTP_STK_MEMBER
/f10/flash/TCP_DUMP_DIR
/f10/flash/TCP_DUMP_DIR/tmp
/f10/flash/TCP_DUMP_DIR/tmp/tcpdump
/f10/flash/TCP_DUMP_DIR/tmp/tcpdump%d
/f10/flash/TestReport-%s-%d.txt
/f10/flash/autoexec
/f10/flash/pam%d.log
/f10/mnt
/f10/mnt/nfs
/f10/no-reboot
/f10/ph-sysd.db
/f10/pipe/ACL0
/f10/pipe/CLICP_COMM
/f10/pipe/CPCLI_COMM
/f10/pipe/CPLP_COMM
/f10/pipe/DHCP_SRV_PIPE
/f10/pipe/DNLD_PIPE
/f10/pipe/IFAGT_TMRP
/f10/pipe/IFMGR_TMRP
/f10/pipe/IPC_PIPE
/f10/pipe/IRC_PIPE
/f10/pipe/LPCP_COMM
/f10/pipe/PORTMIRR
/f10/pipe/RAM_PIPE
/f10/pipe/RCC_TIMER
/f10/pipe/SNMPD_PIPE
/f10/pipe/STATMGRTSK_PIPE
/f10/pipe/SWMGR_PIPE
/f10/pipe/SYSADMTSK_PIPE
/f10/pipe/TCPDUMPTSK_PIPE
/f10/pipe/TRACKSTARTSK_PIPE
/f10/pipe/TRKHELPERTSK_PIPE
/f10/pipe/aclagentpipe
/f10/pipe/cfgSwpPipe
/f10/pipe/dhclientPipe
/f10/pipe/dot1xSwpPipe
/f10/pipe/dot1xTimerPipe
/f10/pipe/dpiSwpPipe
/f10/pipe/dpiTmrPipe
/f10/pipe/dpiWrkrPipe
/f10/pipe/fefdPipeTimer
/f10/pipe/fefdPipeTimerMgmt
/f10/pipe/hpmPipe
/f10/pipe/ifaSwpPipe
/f10/pipe/ifmSwpPipe
/f10/pipe/lldpSwpPipe
/f10/pipe/lldpTimerPipe
/f10/pipe/logMsgPipe
/f10/pipe/more
/f10/pipe/portmirrpipe
/f10/pipe/ssCpuMemPipe
/f10/pipe/ssmLogMonPipe
/f10/pipe/tClassMgrPipe
/f10/pipe/udpBcastPipe
/f10/rd/other/ChassisType.txt
/f10/rd/other/LcBootType_%d.txt
/f10/rd/tgtimg
/f10/rd/tgtimg/upg_path
/f10/rd/tmp
/f10/scp
/f10/shmdrv
/f10/soc_%d
/f10/soc_f10do
/f10/ssh
/f10/sysdlp
/f10/tempTrace
/f10/usr/sbin
/f10/usr/sbin/f10appioclnt %s
/f10/usr/sbin/f10appioclnt sysd
/f10/usr/sbin/f10appioserv
/f10/usr/sbin/getscriptpid.sh
/f10BgpM2
/f10BgpM2AdjRibsOutTable
/f10BgpM2AsPathTable
/f10BgpM2CfgPeerAdminStatusTable
/f10BgpM2CfgPeerTable
/f10BgpM2FlapStatisticsTable
/f10BgpM2LinkLocalNextHopTable
/f10BgpM2NlriTable
/f10BgpM2PathAttrClusterTable
/f10BgpM2PathAttrCommTable
/f10BgpM2PathAttrExtCommTable
/f10BgpM2PathAttrOriginatorIdTable
/f10BgpM2PathAttrTable
/f10BgpM2PathAttrUnknownTable
/f10BgpM2PeerCapsAnnouncedTable
/f10BgpM2PeerCapsReceivedTable
/f10BgpM2PeerTable
/f10BgpM2PrefixCountersTable
/f10BgpM2SupportedCapabilitiesTable
/f10BgpM2VersionTable
/force10/rd
/force10/rd/other
/force10/rd/tgtimg
/force10/rd/tgtimg/boot
/force10/rd/tgtimg/bootSel
/force10/rd/tgtimg/download_boot
/force10/rd/tgtimg/download_bootSel
/force10/rd/tgtimg/download_fpga
/force10/rd/tgtimg/download_fpga/rlsrecord
/force10/rd/tgtimg/download_runtime
/force10/rd/tgtimg/fpga
/force10/rd/tgtimg/fpga/rlsrecord
/force10/rd/tgtimg/rlsrecord
/force10/rd/tgtimg/rlsrecord_backup
/force10/rd/tgtimg/rlsrecord_download
/force10/rd/tgtimg/runtime
/fortyGigE/name
/fp-cos-stats
/fp-cpu-party-bus-stats
/fp-drops
/fp-packet-buffer
/fp-port-stats
/fp-stats
/ftos
/ftos/interface
/ftos/interface/
/ftos/interface/%s
/ftos/interface/%s{%d/%d}
/ftos/interface/%s{%s}/description
/ftos/interface/%s{%s}/mtu
/ftos/interface/%s{%s}/rate-interval
/ftos/interface/%s{%s}/shutdown
/ftos/interface/port-channel
/ftos/interface/vlan
/ftos/ip
/ftos/ip/route
/ftos/router
/ftos/router/bgp
/ftos/stats
/ftos/stats/ip
/ftos/stats/ip/bgp
/ftos/stats/ip/bgp/neighbors/neighbor
/ftos/stats/ip/bgp/neighbors/neighbor{%s}
/ftos/stats/ip/bgp/neighbors/neighbor{%s}/advertisedRoutes/prefixList
/ftos/stats/ip/bgp/neighbors/neighbor{%s}/receivedRoutes/prefixList
/ftos/stats/ip/bgp/routes/prefixList
/ftos/stats/ip/bgp/routes/prefixList{%s}
/ftos/stats/ip/bgp/{%s}
/interface
/interfaces
/kern/sysimg
/mac/access-group
/mac/learning-limit
/port-channel/name
/priv16imagetemp
/ramdisk-tmp:
/ramdisk-tmp:/bootimagetemp
/ramdisk-tmp:/priv16imagetemp
/ramdisk-tmp:/sysimagetemp
/ramdisk-tmp:/sysimagetempA
/ramdisk-tmp:/sysimagetempB
/ramdisk:
/ramdisk:/autoexec.temp
/ramdisk:/bliimagetemp
/ramdisk:/bootimagetemp
/ramdisk:/bootselimagetemp
/ramdisk:/priv16imagetemp
/ramdisk:/startup-config.dnld.temp
/ramdisk:/sysimagetemp
/s4810FanRegDump
/sysimagetemp
/sysimagetempA
/sysimagetempB
/tengigabitethernet/name
/tgtimg/download_runtime
/tmp
/tmp/_scp_empty_.dat
/tmp/compressed-config
/tmp/cryptShow
/tmp/dhclienttmp.leases
/tmp/dhcpd.leases
/tmp/errlog
/tmp/inetd.conf
/tmp/netstat_out
/tmp/running-config
/tmp/sysinfo.tmp
/tmp/tcpdumptime
/tmp/telnetd.vrf
/tmpimg/FTOS-S60_BM
/usr/bin/gnupg
/usr/bin/login
/usr/bin/su
/usr/libexec/ld.elf_so
/usr/pkg
/usr/pkg/%s
/usr/pkg/bin/su
/usr/pkg/home/%s
/usr/pkg/installed-packages
/usr/pkg/oa_pkg_agent_debug
/usr/pkg/sbin
/usr/pkg/scripts/VSNAgent/VMWare/VSNAgent.pl
/usr/pkg/scripts/VSNAgent/Xen/hpAgtMain.py
/usr/pkg/ss-scripts
/usr/pkg/tmpOpInstall
/usr/pkg/tmpOpUninstall
/usr/sbin/tcpdump
/var/NTP/
/vrf
/vrf/%s
/vrf/%s%s
/vrf/%s/%s
/vrf/%s/et
Possible security issues
- NTP & DNS: The configuration documentation states that Force10 switches only work in client mode. But the client might be still vulnerable to malicious servers.
- NetBSD 1.6.1 (FTOS 8.x):
- IPv6 path MTU discovery: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-002.txt.asc
- OpenSSL: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-017.txt.asc
- OpenSSL: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-005.txt.asc
- OpenSSH: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-012.txt.asc
- realpath: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-011.txt.asc
- SIOCGIFALIAS ioctl: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2006-012.txt.asc
- kernfs filesystem: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2006-001.txt.asc
- ftpd: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-009.txt.asc
- TCP: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-006.txt.asc
- shmat syscall: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-004.txt.asc
- NetBSD 5.1 (FTOS9.x)
- OpenSSL: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-015.txt.asc
- OpenSSL: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-008.txt.asc
- OpenSSL: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-006.txt.asc
- OpenSSL: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2012-002.txt.asc
- OpenSSL: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2012-001.txt.asc
- ftp: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-013.txt.asc
- setsockopt syscall: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-012.txt.asc
- modctl syscall: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-011.txt.asc
- IPCOMP packets: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-004.txt.asc
Side notes
- People run FTP on the Internet: https://www.shodan.io/search?query=Dell+Force10+port%3A"21"
- People run SNMP on the Internet: https://www.shodan.io/search?query=Dell+Force10+port%3A"161"
- When comparing the SNMP device information (see https://www.shodan.io/search?query=Dell+Force10+Application+Software+Version), Dell seems to call firmware <= 8.x 'OS version 1.0' and firmware 9.x 'OS version 2.0'. It seems they wanted to express the big step from NetBSD 1.6.1 to 5.1 in this way.
- PGP is used for the 'FTSA Messaging Service' feature (automatic bug reporting to Dell and own IT staff).