Re: Xylan OmniSwitch "features"

From: pmsacat_private
Date: Thu Apr 01 1999 - 17:41:40 PST


    No, it wasn't an April Fools joke.
    
    To put things real clear, and as I said in the original post:
    
    -quote-
    This was tested on software version 3.1.8 (the latest I can access).
    -end quote-
    
    Although I said the user could login/ftp without knowing either user or
    password strings, I _didn't_ say it would be just a matter of
    entering random characters and pressing carriage return (that would be
    a really funny one, but hey, it's not much further from the real thing).
    
    To the folks who just wrote me some nice mail saying something as
    constructive as
    
    -quote-
    We don't think so;
    or:
    we don't think, so...
    -end quote-
    
    well, think again (I do have some more things to do than posting a
    product of my imagination to bugtraq - gee, I must have tested before
    I posted, what about that ? ):
    
    - copy & paste ---------------------------------------------------------
    [pmsac@localhost pmsac]$ telnet switch
    Trying www.xxx.yyy.zzz...
    Connected to www.xxx.yyy.zzz.
    Escape character is '^]'.
    
    
    
    Welcome to the Xylan OmniSwitch! Version 3.1.8
    login   : ajsdkal
    password:
    
      **********************************************************************
    
    Xylan OmniSwitch - Copyright (c), 1994-1998 XYLAN Inc.
    All rights reserved.
    -end copy & paste ------------------------------------------------------
    
    When you get the password prompt, just press ctrl+d (^D), the user
    string is arbitrary. You won't get privileges to run any command, not
    even the "exit" one, you have to close the connection "manually".
    
    The ftp "feature" is a little different, but, answering to
    
    -quote-
    I would very much appreciate an exploit or more detailed explanation
    of this vulnerability.  We do have Omniswitches 'round these parts.
    
    This is an odd sort of "full-disclosure" posting, BW.
    -end quote-
    
    which was a rather polite mail, that's not the question, did I
    say it was a full-disclosure post ? It would be real fun, had
    I put it all in the open, that one of your lusers (or one of
    mine, for that matter), worked its way through all the switches...
    especially since this is not open source/free software (if it were,
    I would have contacted the author(s) first) and I could not publish a
    patch or a temporary way of disabling the "features". And no, we (I)
    don't need a thread about "full-disclosure and/or getting in touch
    with the author(s) first", read the disclaimers, it's a personal option.
    
    Sorry for all the ranting, thanks again to cockat_private, who helped
    test the vulnerability.
    
    Have a nice day.
    
    Disclaimers:
    - This "feature" report was only sent here, personal option; software that's
    worth thousands of dollars should be better beta tested;
    - I do know switches aren't generally accessible from the Internet.
    


