Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Bay Technical Associates telnet server logon bypass

from [Michael Brennen] Network Security [Permanent Link]
Subject: Re: Bay Technical Associates telnet server logon bypass
Date: Thu, 31 Mar 2005 15:52:57 -0600 (CST) 
On Thu, 31 Mar 2005, nolimit bugtraq wrote:

Versions Tested:
RPC-3 Telnet Host - Revision F 3.05, (C) 1998

This is a basic login-bypass vulnerability found in the RPC-3 Telnet
Host v 3.05 made by "Bay Technical Associates".  This telnet daemon is
used by many hardware appliances, often times power supplies.  When a
user logs into this telnet daemon they are able to gain full control
of the device (in this example a power supply). We consider this
vulnerability an extreme risk as it could allow an unauthorized user
to login to a power supply, and disable power to a machine, thereby
completely shutting down and disabling the aforementioned machine (or
anything else connected to such a power supply).

To carry out this exploit an attacker simply needs to telnet to the
RPC-3 Telnet daemon on the standard telnet port, and when prompted for
the username hit the escape key, and then enter.  The attacker will
then be logged into the Telnet Daemon.

This attack was tested on RPC-3 Telnet Host version 3.05. Other
versions were not available for testing; they may or may not prove to
have the same vulnerability.

RPC-3 Telnet Host Revision F5.10.4 is not vulnerable to this particular sequence. I have no idea about other revisions.

   Michael Brennen
   President, FishNet(R), Inc.
   Professional Internet Services

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Bay Technical Associates telnet server logon bypass, nolimit bugtraq
Next by Date:  Re: DoS of LAN via D-Link switches, Scott Nelson
Previous by Thread:  Bay Technical Associates telnet server logon bypass, nolimit bugtraq
Next by Thread:  WindowsXP malformed .wmf files DoS, liquid
Indexes:  [Date] [Thread] [Top] [All Lists]