[10094] in bugtraq


Re: Xylan OmniSwitch "features"

daemon@ATHENA.MIT.EDU (pmsac@TOXYN.ORG)
Mon Apr 5 13:50:38 1999

Date: 	Fri, 2 Apr 1999 01:41:40 +0000
Reply-To: pmsac@TOXYN.ORG
From: pmsac@TOXYN.ORG
To: BUGTRAQ@NETSPACE.ORG

No, it wasn't an April Fools joke.

To put things real clear, and as I said in the original post:

-quote-
This was tested on software version 3.1.8 (the latest I can access).
-end quote-

Although I said the user could login/ftp without knowing either user or
password strings, I _didn't_ say it would be just a matter of
entering random characters and pressing carriage return (that would be
a really funny one, but hey, it's not much further from the real thing).

To the folks who just wrote me some nice mail saying something as
constructive as

-quote-
We don't think so;
or:
we don't think, so...
-end quote-

well, think again (I do have some more things to do than posting a
product of my imagination to bugtraq - gee, I must have tested before
I posted, what about that ? ):

- copy & paste ---------------------------------------------------------
[pmsac@localhost pmsac]$ telnet switch
Trying www.xxx.yyy.zzz...
Connected to www.xxx.yyy.zzz.
Escape character is '^]'.



Welcome to the Xylan OmniSwitch! Version 3.1.8
login   : ajsdkal
password:

  **********************************************************************

Xylan OmniSwitch - Copyright (c), 1994-1998 XYLAN Inc.
All rights reserved.
-end copy & paste ------------------------------------------------------

When you get the password prompt, just press ctrl+d (^D), the user
string is arbitrary. You won't get privileges to run any command, not
even the "exit" one, you have to close the connection "manually".

The ftp "feature" is a little different, but, answering to

-quote-
I would very much appreciate an exploit or more detailed explanation
of this vulnerability.  We do have Omniswitches 'round these parts.

This is an odd sort of "full-disclosure" posting, BW.
-end quote-

which was a rather polite mail, that's not the question, did I
say it was a full-disclosure post ? It would be real fun, had
I put it all in the open, that one of your lusers (or one of
mine, for that matter), worked its way through all the switches...
especially since this is not open source/free software (if it were,
I would have contacted the author(s) first) and I could not publish a
patch or a temporary way of disabling the "features". And no, we (I)
don't need a thread about "full-disclosure and/or getting in touch
with the author(s) first", read the disclaimers, it's a personal option.

Sorry for all the ranting, thanks again to cock@p.ulh.as, which helped
test the vulnerability.

Have a nice day.

Disclaimers:
- This "feature" report was only sent here, personal option; software that's
worth thousands of dollars should be better beta tested;
- I do know switches aren't generally accessible from the Internet.
