Bugtraq: Re: Bay Technical Associates telnet server logon bypass

From: Michael Brennen <mbrennen_at_fni.com>
Date: Thu, 31 Mar 2005 15:52:57 -0600 (CST)

On Thu, 31 Mar 2005, nolimit bugtraq wrote:

> Versions Tested:
> RPC-3 Telnet Host - Revision F 3.05, (C) 1998
>
> This is a basic login-bypass vulnerability found in the RPC-3 Telnet
> Host v 3.05 made by "Bay Technical Associates". This telnet daemon is
> used by many hardware appliances, oftentimes power supplies. When a
> user logs into this telnet daemon they are able to gain full control
> of the device (in this example a power supply). We consider this
> vulnerability an extreme risk as it could allow an unauthorized user
> to log in to a power supply, and disable power to a machine, thereby
> completely shutting down and disabling the aforementioned machine (or
> anything else connected to such a power supply).
>
> To carry out this exploit an attacker simply needs to telnet to the
> RPC-3 Telnet daemon on the standard telnet port, and when prompted for
> the username hit the escape key, and then enter. The attacker will
> then be logged into the Telnet Daemon.
>
> This attack was tested on RPC-3 Telnet Host version 3.05. Other
> versions were not available for testing; they may or may not prove to
> have the same vulnerability.

RPC-3 Telnet Host Revision F5.10.4 is not vulnerable to this
particular sequence. I have no idea about other revisions.

    Michael Brennen
    President, FishNet(R), Inc.
    Professional Internet Services
Received on Mar 31 2005
