I am unable to reproduce the telnet "feature" on 3.1.3.3(A), 3.2.5, 3.2.6.4(I), 3.2.7.12(C), and 3.4.2.

Greg Hodges

> No, it wasn't an April Fools joke.
>
> To put things real clear, and as I said in the original post:
>
> -quote-
> This was tested on software version 3.1.8 (the latest I can access).
> -end quote-
>
> Although I said the user could login/ftp without knowing either user or
> password strings, I _didn't_ say it would be just a matter of
> entering random characters and pressing carriage return (that would be
> a really funny one, but hey, it's not much further from the real thing).
>
> To the folks who just wrote me some nice mail saying something as
> constructive as
>
> -quote-
> We don't think so;
> or:
> we don't think, so...
> -end quote-
>
> well, think again (I do have some more things to do than posting a
> product of my imagination to bugtraq - gee, I must have tested before
> I posted, what about that ? ):
>
> - copy & paste ---------------------------------------------------------
> [pmsac@localhost pmsac]$ telnet switch
> Trying www.xxx.yyy.zzz...
> Connected to www.xxx.yyy.zzz.
> Escape character is '^]'.
>
>
>
> Welcome to the Xylan OmniSwitch! Version 3.1.8
> login : ajsdkal
> password:
>
> **********************************************************************
>
> Xylan OmniSwitch - Copyright (c), 1994-1998 XYLAN Inc.
> All rights reserved.
> -end copy & paste ------------------------------------------------------
>
> When you get the password prompt, just press ctrl+d (^D), the user
> string is arbitrary. You won't get privileges to run any command, not
> even the "exit" one, you have to close the connection "manually".
>
> The ftp "feature" is a little different, but, answering to
>
> -quote-
> I would very much appreciate an exploit or more detailed explanation
> of this vulnerability. We do have Omniswitches 'round these parts.
>
> This is an odd sort of "full-disclosure" posting, BW.
> -end quote-
>
> which was a rather polite mail, that's not the question, did I
> say it was a full-disclosure post ? It would be real fun, had
> I put it all in the open, that one of your lusers (or one of
> mine, for that matter), worked its way through all the switches...
> especially since this is not open source/free software (if it were,
> I would have contacted the author(s) first) and I could not publish a
> patch or a temporary way of disabling the "features". And no, we (I)
> don't need a thread about "full-disclosure and/or getting in touch
> with the author(s) first", read the disclaimers, it's a personal option.
>
> Sorry for all the ranting, thanks again to cockat_private, which helped
> test the vulnerability.
>
> Have a nice day.
>
> Disclaimers:
> - This "feature" report was only sent here, personal option; software that's
>   worth thousands of dollars should be better beta tested;
> - I do know switches aren't generally accessible from the Internet.