Message-ID: <AF026AF0FF4B054590228FD1F1DE516502029098@inbox.agresearch.co.nz>
Date: Fri, 20 Feb 2004 10:27:31 +1300
From: "Miskell, Craig" <Craig.Miskell@...esearch.co.nz>
To: <bugtraq@...urityfocus.com>
Subject: RE: APC 9606 SmartSlot Web/SNMP management card "backdoor" - Telnet can't be disabled.
The device appears to need a "restart for this change to take effect"
(to quote a phrase from another OS). We have a 9604 (which,
incidentally, appears to have the same default password, although the
details once logged in are different), and telnet wasn't disabled until
I had logged in via telnet and logged out again. The device warmstarted
when I logged out, and telnet was subsequently truly disabled.
HTH,
Craig Miskell
> -----Original Message-----
> From: David Monosov [mailto:david.monosov@...ureinquestion.net]
> Sent: Friday, 20 February 2004 4:14 a.m.
> To: bugtraq@...urityfocus.com
> Subject: APC 9606 SmartSlot Web/SNMP management card
> "backdoor" - Telnet can't be disabled.
>
>
> To your attention: This comes from limited experience with one version of
> the 9606 firmware (v3.0.3) on MasterSwitch 9xxx series, tested across many
> of the devices:
>
> Although provided an option to disable telnet administratively via the Web
> interface as well as the Telnet interface itself - telnet does *NOT*
> actually get disabled.
>
> It disables itself for a matter of approx +/- 20 seconds, and comes back as
> if nothing ever happened. Repeating attempts to disable telnet access are
> futile. The only effective method of preventing possible exploitation seems
> to be filtering port 23 on the network level. This seems to be another
> firmware issue.
>
> Please check your APCs using 9606, your sense of security from disabling
> telnet might be false :(
>
> ---
> David 'wEEkAY' Monosov
> david dot monosov at futureinquestion dot net
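Both messages above describe the same failure mode: the card reports telnet as disabled, but the port is back within roughly 20 seconds unless the device restarts. The following script is an added example, not code from either poster, for verifying from the network side that the disable actually held. It assumes only that the card accepts TCP connections on port 23 while telnet is enabled and refuses them otherwise; the host address is a placeholder, and the clock/sleep parameters exist so the logic can be exercised without a live device.

```python
"""Check that a management card's telnet service stays off for longer
than the ~20 s transient described in the thread (added example)."""
import socket
import time
from typing import Callable, List, Optional, Tuple

Sample = Tuple[float, bool]  # (seconds since start, port was open)


def tcp_port_open(host: str, port: int = 23, timeout: float = 2.0) -> bool:
    """True if a TCP connect to host:port succeeds (telnet still listening)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def watch_port(probe: Callable[[], bool], window: float, interval: float,
               clock: Callable[[], float] = time.monotonic,
               sleep: Callable[[float], None] = time.sleep) -> List[Sample]:
    """Probe every `interval` seconds until `window` seconds have elapsed.

    `window` must exceed the transient (~20 s here), or a service that
    silently re-enables itself would pass the check.
    """
    start = clock()
    samples: List[Sample] = []
    while True:
        elapsed = clock() - start
        samples.append((elapsed, probe()))
        if elapsed >= window:
            return samples
        sleep(interval)


def telnet_stays_disabled(samples: List[Sample]) -> bool:
    """True only if no probe in the window found port 23 open."""
    return not any(is_open for _, is_open in samples)


def first_reappearance(samples: List[Sample]) -> Optional[float]:
    """Seconds after the disable at which telnet first answered again."""
    for elapsed, is_open in samples:
        if is_open:
            return elapsed
    return None


if __name__ == "__main__":
    host = "192.0.2.10"  # placeholder: address of the card under test
    result = watch_port(lambda: tcp_port_open(host), window=120, interval=5)
    print("disabled" if telnet_stays_disabled(result)
          else f"telnet returned after {first_reappearance(result):.0f} s")
```

Run it immediately after disabling telnet through the web or telnet interface; a report of telnet returning after about 20 seconds is the behaviour the thread describes, and the check should be repeated after the card restarts.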