| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.62.0503311550360.365@elmer.fni.com>
Date: Fri Apr 1 01:07:28 2005
From: mbrennen at fni.com (Michael Brennen)
Subject: Re: Bay Technical Associates telnet server logon
bypass
On Thu, 31 Mar 2005, nolimit bugtraq wrote:
> Versions Tested:
> RPC-3 Telnet Host - Revision F 3.05, (C) 1998
>
> This is a basic login-bypass vulnerability found in the RPC-3 Telnet
> Host v 3.05 made by "Bay Technical Associates". This telnet daemon is
> used by many hardware appliances, often times power supplies. When a
> user logs into this telnet daemon they are able to gain full control
> of the device (in this example a power supply). We consider this
> vulnerability an extreme risk as it could allow an unauthorized user
> to login to a power supply, and disable power to a machine, thereby
> completely shutting down and disabling the aforementioned machine (or
> anything else connected to such a power supply).
>
> To carry out this exploit an attacker simply needs to telnet to the
> RPC-3 Telnet daemon on the standard telnet port, and when prompted for
> the username hit the escape key, and then enter. The attacker will
> then be logged into the Telnet Daemon.
>
> This attack was tested on RPC-3 Telnet Host version 3.05. Other
> versions were not available for testing; they may or may not prove to
> have the same vulnerability.
RPC-3 Telnet Host Revision F5.10.4 is not vulnerable to this
particular sequence. I have no idea about other revisions.
Michael Brennen
President, FishNet(R), Inc.
Professional Internet Services
Powered by blists - more mailing lists