Date: Tue, 5 Oct 2010 09:24:52 -0400
From: Shawn Merdinger <shawnmer@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Fwd: [CASE:12632] Warning: BrailleNote Apex
 Offers Read/Write FTP And Telnet Access To All Comers

FYI,

HumanWare is tracking this as CASE:12632

Cheers,
--scm


---------- Forwarded message ----------
From: Tom Burton <tom.burton@...anware.com>
Date: Tue, Oct 5, 2010 at 9:05 AM
Subject: RE: [Full-disclosure] Warning: BrailleNote Apex Offers
Read/Write FTP And Telnet Access To All Comers
To: Shawn Merdinger <shawnmer@...il.com>


Hello Shawn,

Thanks for forwarding this information onto us. We will make our
developers aware.


Kind regards,

Tom
________________________________

Tom Burton
Technical Support Assistant
HumanWare Europe

-----Original Message-----
From: Shawn Merdinger [mailto:shawnmer@...il.com]
Sent: 01 October 2010 22:49
To: EU. Support; US info; au-sales@...anware.com
Subject: Fwd: [Full-disclosure] Warning: BrailleNote Apex Offers
Read/Write FTP And Telnet Access To All Comers

---------- Forwarded message ----------
From: Sabahattin Gucukoglu <mail@...ahattin-gucukoglu.com>
Date: Fri, Oct 1, 2010 at 5:31 PM
Subject: [Full-disclosure] Warning: BrailleNote Apex Offers Read/Write
FTP And Telnet Access To        All Comers
To: braillenote@...t.humanware.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
me-mates@...ahattin-gucukoglu.com, support@...anware.com


BrailleNote Apex offers telnet and FTP access on the standard ports,
with read/write privilege on the entire file system, to all comers.
No authentication is required.  BrailleNote is unsafe on any network
whose devices you are not in full charge of, and which (by NAT or
firewall) does not protect BrailleNote from the Internet.

I am happy and sad.  In a chance port scan of my entire network
looking for interesting services and protocols that were not accounted
for by visible configuration options in all my devices, I found this
disaster staring me in the face on the least likely candidate of them
all.  On the one hand, now I don't need ActiveStink in order to access
my files, over the network, from my Mac.  I want these services
running, for sure (maybe just FTP) but dammit, authentication first!
On the other hand, there is no doubt my trust in HumanWare is badly
dented, as I was clearly optimistic that they would, and did, do the
right thing and secure the device firmware before shipping it.
Anonymous FTP and telnet are obvious, easily found and effectively
exploited.  If it isn't configurable, it shouldn't be enabled.  I am
quite sure this was the case before now.  The most likely explanation
is a build with a test configuration and services for development
still in use on the newest model; the
 USB vendor string is further evidence of this.  Note to self: that
popular expression about assumptions turns out to be true.

KeySoft version 9.0.2 build 756, Windows CE 6.0, with telnet and FTP services.

While we await an update that either disables the services or allows
the user to specify the authentication credentials, do not use your
BrailleNote Apex on any untrusted network, or if you are network
administrator, temporarily prohibit these devices from connecting to
your networks.  If "Bad guys" are on your network, the BrailleNote
Apex is, alas, easy meat.

Cheers,
Sabahattin

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists