Re: Bay Technical Associates telnet server logon bypass

[Michael Brennen <mbrennen () fni com>]

On Thu, 31 Mar 2005, nolimit bugtraq wrote:

> Versions Tested:
> RPC-3 Telnet Host - Revision F 3.05, (C) 1998
>
> This is a basic login-bypass vulnerability found in the RPC-3 Telnet
> Host v 3.05 made by "Bay Technical Associates".  This telnet daemon is
> used by many hardware appliances, often times power supplies.  When a
> user logs into this telnet daemon they are able to gain full control
> of the device (in this example a power supply). We consider this
> vulnerability an extreme risk as it could allow an unauthorized user
> to login to a power supply, and disable power to a machine, thereby
> completely shutting down and disabling the aforementioned machine (or
> anything else connected to such a power supply).
>
> To carry out this exploit an attacker simply needs to telnet to the
> RPC-3 Telnet daemon on the standard telnet port, and when prompted for
> the username hit the escape key, and then enter.  The attacker will
> then be logged into the Telnet Daemon.
>
> This attack was tested on RPC-3 Telnet Host version 3.05. Other
> versions were not available for testing; they may or may not prove to
> have the same vulnerability.

RPC-3 Telnet Host Revision F5.10.4 is not vulnerable to this 
particular sequence.  I have no idea about other revisions.

   Michael Brennen
   President, FishNet(R), Inc.
   Professional Internet Services