[7672] in bugtraq
Re: Compaq/Microcom 6000 DoS + more
daemon@ATHENA.MIT.EDU (Shiloh Costa)
Fri Aug 14 13:07:07 1998
Date: Fri, 14 Aug 1998 09:39:20 -0700
Reply-To: Shiloh Costa <costa@MDI.CA>
From: Shiloh Costa <costa@MDI.CA>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <01BD8EFC.379275D0.support@microcom.com>
Enclosed is my open reply to Compaq/Microcom:
---------------------------------------------
At 10:31 AM 14/08/98 -0500, you wrote:
>
>The Compaq 6000 has no security problems.
Yes it does.
>The problem is that ALEC does not know how to deny telnet to specific IP
>addresses.
No. The problem is that your username/password login process is poorly
written.
Did you read this? If so, please read it over 10 times, and then have
someone else rephrase it for you:
> The denial of service problem is this: there is no timeout when typing
>in the username and password - from what I have seen, a user can make a
>telnet connection to the MNC or PRI card and leave the connection open
>indefinitely. If the user only has one connection open, then this is not a
>problem. However, the system will not accept more than 4 telnet connections
>at one time. Thus, a malicious user/hacker could open 4 telnet connections
>to either (or both cards) and deny all legitimate connections to the card.
> The other problem is that the system does not close the connection after
>a specified number of invalid login attempts. A program such as 'crack'
>
If I want to make 4 subsequent telnet sessions to the Login/Username
prompt, it will stop the rightful owner from accessing the machine unless
he powercycles it. That is a denial of Service.
Also, the login and password attempts should time out if no data is
received over a certain amount of time.
Furthermore, after 3 incorrect password entries, it should reset and cause
the person to re-telnet the box.
This is standard with the Ascend Max product we use, as well as the
Computone Powerrack we use.
>That was the solution we gave him, he did not like it. Maybe it's too much
>work.
No, maybe it's not fixing the real issue which is an improperly written
Login/Password interface.
>The above mentioned solution should be standard policy for any system
>administrator, that has internet access on his network. Not only for the
>6000, but any servers or any
>communication equipment that is on a given network.
You're 100% wrong.
>Jim Kerwin
>COMPAQ - NAC
>Networking Support Engineer
>*E-Mail: James.Kerwin@compaq.com
Jim..
Rather than cause further embarrassment to your company, please get
engineering to put some modifications in the next kernel release.
Shiloh Costa
Senior System Administrator
MDI Internet Inc.
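
The two behaviours the message asks for (an idle timeout at the login prompts and a reset after 3 bad passwords), sketched as an added example; this is not code from the post or from any vendor firmware. The 30-second timeout, the function names and the sample credential are assumptions made for illustration.

```python
import asyncio

MAX_ATTEMPTS = 3     # the post asks for a reset after 3 bad passwords
IDLE_TIMEOUT = 30.0  # assumed value; the post names no figure

async def prompt(reader, out, text, timeout):
    """Send a prompt; return the reply line, or None if the peer is idle or gone."""
    out.append(text)
    try:
        data = await asyncio.wait_for(reader.readline(), timeout)
    except asyncio.TimeoutError:
        return None  # nothing typed within the idle window
    return data.decode(errors="replace").strip() if data else None

async def login_session(reader, out, check,
                        timeout=IDLE_TIMEOUT, max_attempts=MAX_ATTEMPTS):
    """Return 'ok', 'dropped' (idle or closed) or 'locked' (too many bad logins).
    The caller closes the connection on anything but 'ok', which frees the
    session slot for the next client."""
    for _ in range(max_attempts):
        user = await prompt(reader, out, "Username: ", timeout)
        if user is None:
            return "dropped"
        password = await prompt(reader, out, "Password: ", timeout)
        if password is None:
            return "dropped"
        if check(user, password):
            return "ok"
        out.append("Login incorrect\r\n")
    return "locked"

def simulate(typed_lines, timeout=0.05):
    """Run one session on constructed input; the client then goes silent."""
    def check(user, password):  # constructed credential, demo only
        return (user, password) == ("admin", "correct-horse")
    async def run():
        reader = asyncio.StreamReader()  # created inside the running loop
        for line in typed_lines:
            reader.feed_data(line.encode() + b"\r\n")
        out = []
        return await login_session(reader, out, check, timeout), out
    return asyncio.run(run())
```

With both checks in place, a connection parked at the prompt gives its slot back once the timeout expires, so holding all 4 sessions open no longer locks out the administrator indefinitely.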