lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <200803252242.m2PMgcsZ008472@faron.mitre.org>
Date: Tue, 25 Mar 2008 18:42:38 -0400 (EDT)
From: "Steven M. Christey" <coley@...re.org>
To: bugtraq@...urityfocus.com
Subject: Re: hacking the mitsubishi GB-50A


Based on an online copy of the GB-50A manual that I found, there are
dip switches that can be used to set IP address ranges between
192.168.1.1 and 192.168.1.15 (page 14).

However, if all dip switches are off, the unit can defer to
configuration as provided via an "Initial Setting Web".  This tool can
be used to set the IP address (page 13).  There is no statement that
the tool restricts which address can be set, nor is there a
recommendation that only local addresses should be used.

It doesn't seem like much of a stretch that an admin might want to
modify the address to something other than private addresses.  Whether
the Initial Setting Web will allow this is another question, but if
so, then the scope of attack widens considerably.

- Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ