Bugtraq mailing list archives
Re: Bay Technical Associates telnet server logon bypass
From: Michael Brennen <mbrennen () fni com>
Date: Thu, 31 Mar 2005 15:52:57 -0600 (CST)
On Thu, 31 Mar 2005, nolimit bugtraq wrote:
Versions Tested: RPC-3 Telnet Host - Revision F 3.05, (C) 1998 This is a basic login-bypass vulnerability found in the RPC-3 Telnet Host v 3.05 made by "Bay Technical Associates". This telnet daemon is used by many hardware appliances, often times power supplies. When a user logs into this telnet daemon they are able to gain full control of the device (in this example a power supply). We consider this vulnerability an extreme risk as it could allow an unauthorized user to login to a power supply, and disable power to a machine, thereby completely shutting down and disabling the aforementioned machine (or anything else connected to such a power supply). To carry out this exploit an attacker simply needs to telnet to the RPC-3 Telnet daemon on the standard telnet port, and when prompted for the username hit the escape key, and then enter. The attacker will then be logged into the Telnet Daemon. This attack was tested on RPC-3 Telnet Host version 3.05. Other versions were not available for testing; they may or may not prove to have the same vulnerability.
RPC-3 Telnet Host Revision F5.10.4 is not vulnerable to this particular sequence. I have no idea about other revisions.
Michael Brennen President, FishNet(R), Inc. Professional Internet Services
Current thread:
- Bay Technical Associates telnet server logon bypass nolimit bugtraq (Mar 31)
- Re: Bay Technical Associates telnet server logon bypass Michael Brennen (Mar 31)