lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 31 Mar 2005 14:48:59 -0500
From: nolimit bugtraq <nolimit.bugtraq@...il.com>
To: ulnwatch@...nwatch.org, bugtraq@...urityfocus.com,
	Full-Disclosure@...ts.grok.org.uk, news@...uriteam.com
Subject: Bay Technical Associates telnet server logon bypass


Vulnerability found by Flare@...O
Greets to nolimit, COREiSO, #news, and class101.

Versions Tested:
RPC-3 Telnet Host - Revision F 3.05, (C) 1998

This is a basic login-bypass vulnerability found in the RPC-3 Telnet
Host v 3.05 made by "Bay Technical Associates".  This telnet daemon is
used by many hardware appliances, often times power supplies.  When a
user logs into this telnet daemon they are able to gain full control
of the device (in this example a power supply). We consider this
vulnerability an extreme risk as it could allow an unauthorized user
to login to a power supply, and disable power to a machine, thereby
completely shutting down and disabling the aforementioned machine (or
anything else connected to such a power supply).

To carry out this exploit an attacker simply needs to telnet to the
RPC-3 Telnet daemon on the standard telnet port, and when prompted for
the username hit the escape key, and then enter.  The attacker will
then be logged into the Telnet Daemon.

This attack was tested on RPC-3 Telnet Host version 3.05. Other
versions were not available for testing; they may or may not prove to
have the same vulnerability.

Example:

RPC-3 Telnet Host
Revision F 3.05, (C) 1998
Bay Technical Associates
Unit ID: RPC3

Enter username> [escape key] [enter]
Login successful.

Available RPC3 Outlets
For command summary, enter HELP

Circuit Breaker: On

Selection   Outlet    Outlet   Power
Number     Name     Number   Status

RPC3> [attacker now has control of the appliance]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ