[NEWS] RPC-3 Telnet Host Authentication Bypassing
From: SecuriTeam (support_at_securiteam.com)
Date: 04/05/05
To: list@securiteam.com Date: 5 Apr 2005 13:26:49 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
RPC-3 Telnet Host Authentication Bypassing
------------------------------------------------------------------------
SUMMARY
Bay Technical Associates'
<http://www.baytechdcd.com/products/rpcseries.shtml> RPC-3 Telnet Host is
a telnet daemon used by many hardware appliances, mostly for power supply
solutions.
A user logging in to RPC-3 Telnet Host can bypass the authentication
mechanism and gain full control over the device by sending it a malformed
username.
DETAILS
Vulnerable Systems:
* RPC-3 Telnet Host - Revision F3.05
A user who logs in to this telnet daemon is able to gain full control
of the device (in this example a power supply). This vulnerability could
allow an unauthorized user to log in to a power supply and disable power
to a machine, thereby completely shutting down and disabling that
machine (or anything else connected to such a power supply).
To carry out this exploit an attacker simply needs to telnet to the RPC-3
Telnet daemon on the standard telnet port and, when prompted for the
username, hit the escape key and then enter. The attacker will then be
logged into the Telnet Daemon.
Example:
  RPC-3 Telnet Host
  Revision F 3.05, (C) 1998
  Bay Technical Associates
  Unit ID: RPC3
  Enter username> [escape key] [enter]
  Login successful.
  Available RPC3 Outlets
  For command summary, enter HELP
  Circuit Breaker: On
  Selection   Outlet   Outlet   Power
   Number      Name    Number   Status
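For monitoring, the login sequence shown above can be recognised in reassembled Telnet traffic: an escape byte submitted as the username, followed by the success banner. The Python below is an added example, not part of the original advisory or any vendor code; the segment format, the function name and the sample sessions are constructed assumptions, and only the prompt and "Login successful." strings come from the advisory.

```python
import re

ESC = 0x1B
PROMPT = b"Enter username>"     # prompt text shown in the advisory
SUCCESS = b"Login successful."  # banner text shown in the advisory
# Telnet IAC sequences: option negotiation, subnegotiation, 2-byte commands
_IAC = re.compile(rb"\xff[\xfb-\xfe].|\xff\xfa.*?\xff\xf0|\xff[\xf0-\xf9]", re.S)

def inspect_session(segments):
    """segments: ordered (direction, bytes) pairs, 'c2s' or 's2c' (assumed format).
    Returns a finding for the first username submitted, or None."""
    before, typed, after, username = b"", b"", b"", None
    for direction, raw in segments:
        data = _IAC.sub(b"", raw)            # keep user data only
        if direction == "s2c":
            if username is None:
                before += data               # server output up to the prompt
            else:
                after += data                # server reply to the username
        elif username is None and PROMPT in before:
            typed += data
            end = re.search(rb"[\r\n]", typed)
            if end:
                username = typed[:end.start()]
    if username is None:
        return None
    return {
        "username": username,
        "control_bytes": sorted({b for b in username if b < 0x20 or b == 0x7F}),
        "login_succeeded": SUCCESS in after,
        # Alert only when ESC was in the username AND the device accepted it.
        "alert": ESC in username and SUCCESS in after,
    }

# Constructed sample sessions (not captures from a real device).
BYPASS = [("s2c", b"\xff\xfb\x01RPC-3 Telnet Host\r\nEnter username> "),
          ("c2s", b"\xff\xfd\x01"), ("c2s", b"\x1b"), ("c2s", b"\r\n"),
          ("s2c", b"\r\nLogin successful.\r\n")]
NORMAL = [("s2c", b"Enter username> "), ("c2s", b"operator\r\n")]
REJECTED = [("s2c", b"Enter user"), ("s2c", b"name> "), ("c2s", b"\x1b\r"),
            ("s2c", b"\r\nEnter username> ")]

if __name__ == "__main__":
    for name, s in (("bypass", BYPASS), ("normal", NORMAL), ("rejected", REJECTED)):
        print(name, inspect_session(s))
```

The REJECTED sample models a device that re-prompts after the escape byte, so it reports the control byte without raising the alert.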
ADDITIONAL INFORMATION
The information has been provided by Flare@CiSO.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.