Date: Thu, 19 Feb 2004 16:14:04 +0100
From: "David Monosov" <david.monosov@...ureinquestion.net>
To: <bugtraq@...urityfocus.com>
Subject: APC 9606 SmartSlot Web/SNMP management card "backdoor" - Telnet can't be disabled.


To your attention: This comes from limited experience with one version of
the 9606 firmware (v3.0.3) on MasterSwitch 9xxx series, tested across many
of the devices:

Although an option is provided to disable telnet administratively via the Web
interface as well as the Telnet interface itself - telnet does *NOT*
actually get disabled.

It disables itself for approx +/- 20 seconds, and comes back as
if nothing ever happened. Repeated attempts to disable telnet access are
futile. The only effective method of preventing possible exploitation seems
to be filtering port 23 on the network level. This seems to be another
firmware issue.

Please check your APCs using 9606, your sense of security from disabling
telnet might be false :(

---
David 'wEEkAY' Monosov
david dot monosov at futureinquestion dot net
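
Added example, not part of the original post: because the report describes port 23 closing for roughly 20 seconds and then returning, a single check made right after disabling Telnet can pass falsely, so this Python script polls the port over a longer window and reports whether it came back. The script name, the 120-second window and the 5-second interval are assumptions; the card address is supplied by the operator.

```python
import socket
import sys
import time


def tcp_open(host, port=23, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def watch_port(probe, window=120.0, interval=5.0,
               sleep=time.sleep, clock=time.monotonic):
    """Call probe() every `interval` s for `window` s; return [(elapsed, is_open)]."""
    start = clock()
    samples = []
    while True:
        elapsed = clock() - start
        samples.append((elapsed, probe()))
        if elapsed >= window:
            return samples
        sleep(interval)


def verdict(samples):
    """Classify a run started right after Telnet was disabled in the card's UI."""
    states = [is_open for _, is_open in samples]
    if all(states):
        return "never closed"
    first_closed = states.index(False)
    # Any open sample after the first closed one means the service returned.
    for elapsed, is_open in samples[first_closed:]:
        if is_open:
            return f"reopened after {elapsed:.0f}s"
    return "stayed closed"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: watch_telnet.py <card-address>")
    host = sys.argv[1]  # address of your own management card (assumption)
    result = watch_port(lambda: tcp_open(host))
    for elapsed, is_open in result:
        print(f"{elapsed:6.1f}s  port 23 {'OPEN' if is_open else 'closed'}")
    print(verdict(result))
```

Start it immediately after applying the "disable Telnet" setting; the same run repeated from outside the filtered segment confirms that a port 23 filter is doing its job.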