Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: John McInnes (johnDISSENSION.NET)
Date: Tue Apr 10 2001 - 22:08:18 CDT
I've been testing a Lightwave ConsoleServer 3200 recently, and have
come across some potentially dangerous security weaknesses with the
To log in to the unit, you telnet to the console server on TCP port
23 for regular user access, or 5000 for the System Administrator. When
you initiate a telnet session, you are automatically dropped to a CLI,
where you can type 'login' to start an authenticated session.
The problems that I have discovered are that the system is vulnerable
to brute force style password attacks, and that a malicous user can
glean a certain amount of information about the unit and its
enviroment without authentication of any kind.
To be specific:
When telneting to the unit on port 23 to log in as a regular user, the
connection is immediately accepted and you are dropped to a "pre-login
prompt", where you must type 'login' to log in to the unit.
After an unsuccessfull login, you are again returned to the
"pre-login prompt" where you can again type 'login' and start over.
There are no delays associated with a failed login attempt, nor is the
TCP connection even dropped to at least make brute forcing the unit a
hassle for a malicious user. A brute force attack could be expediated
by already having a list of usernames as described in .
I could not find any configuration option to disable this behaviour,
and worse yet I could not find any way of logging such failed
I have discovered with the ConsoleServer 3200 are that when you telnet
to the unit's System Administrator interface on TCP port 5000, you can
use the inbuilt CLI to glean information in the "pre-login mode".
- What expansion cards are in the unit.
- Who is currently logged into the unit (allowing a malicious user to
gather a list of users on the system).
- What console's (serial ports) have been configured (all of the
serial ports that have been configured have a name, commonly the
hostname of the machine).
- The status of the power supplies.
- Ethernet interface configuration (MAC addr, gateway, netmask).
When you make three incorrect login attempts on the System
Administrator port, the TCP connection is closed, but it seems not
logged anywhere as in .
This sort of information leakage is of great concern to me, and the
common belief that an unauthenticated user should not be able to get
any information at all out of a host.
If a malicous user was able to brute force a login, then he or she
could easily wreak havoc to any hosts or devices connected to the
unit, the scope of which will be left to the imagination of the reader.
My recommendation to Lightwave Com., is to change the firmware so that
upon connection to the telnet ports, you are immediatly prompted to
log in as a user, and when there are 3 or more failed login attempts
the failure is logged and the TCP connection is closed.
My recommendation to anyone that is using one of these terminal
servers is to keep it away from any internet routable network.
-- John McInnes - Email: johnmdissension.net, Phone: +61 410 422 107 http://www.dissension.net/~john/ ---------------------------------------------------------------------- It will be advantageous to cross the great stream ... the Dragon is on the wing in the Sky ... the Great Man rouses himself to his Work.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (OpenBSD) Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjrTyp8ACgkQDcGCnKu+T9kOkgCgkLXj87T6wnhwa1eSabP0nepo oEYAn1Mf2tGNt9TAEUPfWnpxIMN/6v/+ =OFos -----END PGP SIGNATURE-----