Message-ID: <Pine.LNX.4.62.0503311550360.365@elmer.fni.com>
Date: Thu, 31 Mar 2005 15:52:57 -0600 (CST)
From: Michael Brennen <mbrennen@....com>
To: nolimit bugtraq <nolimit.bugtraq@...il.com>
Cc: ulnwatch@...nwatch.org, bugtraq@...urityfocus.com,
	Full-Disclosure@...ts.grok.org.uk, news@...uriteam.com
Subject: Re: Bay Technical Associates telnet server logon bypass


On Thu, 31 Mar 2005, nolimit bugtraq wrote:

> Versions Tested:
> RPC-3 Telnet Host - Revision F 3.05, (C) 1998
>
> This is a basic login-bypass vulnerability found in the RPC-3 Telnet
> Host v 3.05 made by "Bay Technical Associates".  This telnet daemon is
> used by many hardware appliances, often times power supplies.  When a
> user logs into this telnet daemon they are able to gain full control
> of the device (in this example a power supply). We consider this
> vulnerability an extreme risk as it could allow an unauthorized user
> to login to a power supply, and disable power to a machine, thereby
> completely shutting down and disabling the aforementioned machine (or
> anything else connected to such a power supply).
>
> To carry out this exploit an attacker simply needs to telnet to the
> RPC-3 Telnet daemon on the standard telnet port, and when prompted for
> the username hit the escape key, and then enter.  The attacker will
> then be logged into the Telnet Daemon.
>
> This attack was tested on RPC-3 Telnet Host version 3.05. Other
> versions were not available for testing; they may or may not prove to
> have the same vulnerability.

RPC-3 Telnet Host Revision F5.10.4 is not vulnerable to this 
particular sequence.  I have no idea about other revisions.

    Michael Brennen
    President, FishNet(R), Inc.
    Professional Internet Services


