[10109] in bugtraq
Re: Xylan OmniSwitch "features"
daemon@ATHENA.MIT.EDU (Greg Hodges)
Tue Apr 6 17:11:50 1999
Date: Mon, 5 Apr 1999 13:41:52 -0500
Reply-To: Greg Hodges <mrx@STAN.KSNI.NET>
From: Greg Hodges <mrx@STAN.KSNI.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Fri, 02 Apr 1999 01:41:40 GMT."
<19990402014140.DFTY8289@[194.65.11.10]>

I am unable to reproduce the telnet "feature" on 3.1.3.3(A), 3.2.5, 3.2.6.4(I), 3.2.7.12(C), and 3.4.2.

Greg Hodges

> No, it wasn't an April Fools joke.
>
> To put things real clear, and as I said in the original post:
>
> -quote-
> This was tested on software version 3.1.8 (the latest I can access).
> -end quote-
>
> Although I said the user could login/ftp without knowing either user or
> password strings, I _didn't_ say it would be just a matter of
> entering random characters and pressing carriage return (that would be
> a really funny one, but hey, it's not much further from the real thing).
>
> To the folks who just wrote me some nice mail saying something as
> constructive as
>
> -quote-
> We don't think so;
> or:
> we don't think, so...
> -end quote-
>
> well, think again (I do have some more things to do than posting a
> product of my imagination to bugtraq - gee, I must have tested before
> I posted, what about that ? ):
>
> - copy & paste ---------------------------------------------------------
> [pmsac@localhost pmsac]$ telnet switch
> Trying www.xxx.yyy.zzz...
> Connected to www.xxx.yyy.zzz.
> Escape character is '^]'.
>
>
>
> Welcome to the Xylan OmniSwitch! Version 3.1.8
> login : ajsdkal
> password:
>
> **********************************************************************
>
> Xylan OmniSwitch - Copyright (c), 1994-1998 XYLAN Inc.
> All rights reserved.
> -end copy & paste ------------------------------------------------------
>
> When you get the password prompt, just press ctrl+d (^D), the user
> string is arbitrary. You won't get privileges to run any command, not
> even the "exit" one, you have to close the connection "manually".
>
> The ftp "feature" is a little different, but, answering to
>
> -quote-
> I would very much appreciate an exploit or more detailed explanation
> of this vulnerability. We do have Omniswitches 'round these parts.
>
> This is an odd sort of "full-disclosure" posting, BW.
> -end quote-
>
> which was a rather polite mail, that's not the question, did I
> say it was a full-disclosure post ? It would be real fun, had
> I put it all in the open, that one of your lusers (or one of
> mine, for that matter), worked its way through all the switches...
> especially since this is not open source/free software (if it were,
> I would have contacted the author(s) first) and I could not publish a
> patch or a temporary way of disabling the "features". And no, we (I)
> don't need a thread about "full-disclosure and/or getting in touch
> with the author(s) first", read the disclaimers, it's a personal option.
>
> Sorry for all the ranting, thanks again to cock@p.ulh.as, who helped
> test the vulnerability.
>
> Have a nice day.
>
> Disclaimers:
> - This "feature" report was only sent here, personal option; software that's
> worth thousands of dollars should be better beta tested;
> - I do know switches aren't generally accessible from the Internet.