OSEC

From: John McInnes (johnDISSENSION.NET)
Date: Tue Apr 10 2001 - 22:08:18 CDT

    Hi,

    I've been testing a Lightwave ConsoleServer 3200 recently, and have
    come across some potentially dangerous security weaknesses with the
    firmware.

    To log in to the unit, you telnet to the console server on TCP port
    23 for regular user access, or 5000 for the System Administrator. When
    you initiate a telnet session, you are automatically dropped to a CLI,
    where you can type 'login' to start an authenticated session.

    The problems that I have discovered are that the system is vulnerable
    to brute force style password attacks, and that a malicious user can
    glean a certain amount of information about the unit and its
    environment without authentication of any kind.

    To be specific:

    [1]

    When telneting to the unit on port 23 to log in as a regular user, the
    connection is immediately accepted and you are dropped to a "pre-login
    prompt", where you must type 'login' to log in to the unit.

    After an unsuccessful login, you are again returned to the
    "pre-login prompt" where you can again type 'login' and start over.

    There are no delays associated with a failed login attempt, nor is the
    TCP connection even dropped to at least make brute forcing the unit a
    hassle for a malicious user. A brute force attack could be expedited
    by already having a list of usernames as described in [2].

    I could not find any configuration option to disable this behaviour,
    and worse yet I could not find any way of logging such failed
    attempts.

    [2]

    What I have discovered with the ConsoleServer 3200 is that when you telnet
    to the unit's System Administrator interface on TCP port 5000, you can
    use the inbuilt CLI to glean information in the "pre-login mode":

    - What expansion cards are in the unit.
    - Who is currently logged into the unit (allowing a malicious user to
      gather a list of users on the system).
    - What consoles (serial ports) have been configured (all of the
      serial ports that have been configured have a name, commonly the
      hostname of the machine).
    - The status of the power supplies.
    - Ethernet interface configuration (MAC addr, gateway, netmask).

    When you make three incorrect login attempts on the System
    Administrator port, the TCP connection is closed, but this does not
    seem to be logged anywhere, as in [1].

    This sort of information leakage is of great concern to me, and runs
    counter to the common belief that an unauthenticated user should not be
    able to get any information at all out of a host.

    If a malicious user was able to brute force a login, then he or she
    could easily wreak havoc on any hosts or devices connected to the
    unit, the scope of which will be left to the imagination of the reader.

    My recommendation to Lightwave Com. is to change the firmware so that
    upon connection to the telnet ports, you are immediately prompted to
    log in as a user, and when there are 3 or more failed login attempts
    the failure is logged and the TCP connection is closed.

    My recommendation to anyone that is using one of these terminal
    servers is to keep it away from any internet routable network.

    Regards,
      - John

    -- 
    John McInnes     - Email: johnmdissension.net, Phone: +61 410 422 107
                                          http://www.dissension.net/~john/
    ----------------------------------------------------------------------
    It will be advantageous to cross the great stream ... the Dragon is on
    the wing in the Sky ... the Great Man rouses himself to his Work.
    

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (OpenBSD)
    Comment: For info see http://www.gnupg.org

    iEYEARECAAYFAjrTyp8ACgkQDcGCnKu+T9kOkgCgkLXj87T6wnhwa1eSabP0nepo
    oEYAn1Mf2tGNt9TAEUPfWnpxIMN/6v/+
    =OFos
    -----END PGP SIGNATURE-----
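The login behaviour the post recommends (a prompt as the first thing sent on connect, nothing answered before a successful login, and the third failure logged and the connection closed), written out as an added example. This is not Lightwave firmware and not the poster's code; the credential store, the peer addresses and the per-source cool-down that persists across reconnects (the post only asks for a per-connection limit) are assumptions for the demonstration. The pre-login status commands the post lists are modelled by `command()`, which refuses them until a user is authenticated.

```python
"""Login gate following the post's recommendation: prompt on connect, answer
nothing before a successful login, log and close after three failures.
Beyond the post, failures are also tallied per source address across
connections, so reconnecting does not reset the count (an assumption)."""
import hmac
import logging

MAX_FAILURES = 3         # failures per connection before it is closed (from the post)
PEER_FAILURE_LIMIT = 9   # assumption: failures per source before a cool-down
PEER_LOCKOUT_SECS = 300  # assumption: length of that cool-down in seconds

# Constructed credential store with hypothetical accounts (demonstration only;
# a real device would store salted password hashes, not plaintext).
CREDENTIALS = {"admin": "correct-horse", "operator": "battery-staple"}

logger = logging.getLogger("consoleserver.auth")


class Gate:
    """State shared by all sessions: audit trail, per-peer tally, cool-downs."""

    def __init__(self):
        self.audit = []            # audit records, also emitted via `logger`
        self.failures_by_peer = {}
        self.locked_until = {}

    def record(self, event, **fields):
        rec = {"event": event, **fields}
        self.audit.append(rec)
        logger.warning("%s", rec)

    def peer_locked(self, peer, now):
        return self.locked_until.get(peer, 0) > now

    def note_failure(self, peer, now):
        n = self.failures_by_peer.get(peer, 0) + 1
        self.failures_by_peer[peer] = n
        if n >= PEER_FAILURE_LIMIT:
            self.locked_until[peer] = now + PEER_LOCKOUT_SECS
            self.failures_by_peer[peer] = 0
            self.record("peer_lockout", peer=peer, until=self.locked_until[peer])


class Session:
    """One telnet connection; `now` is the connect time in seconds, injected
    so the behaviour is deterministic."""

    def __init__(self, gate, peer, now):
        self.gate, self.peer, self.now = gate, peer, now
        self.failures = 0
        self.user = None
        self.closed = False

    def connect(self):
        """First bytes sent to the peer: the login prompt, or None when the
        source is in a cool-down and the connection is simply dropped."""
        if self.gate.peer_locked(self.peer, self.now):
            self.gate.record("refused_locked_peer", peer=self.peer)
            self.closed = True
            return None
        return "login: "           # no pre-login CLI

    def login(self, username, password):
        """Returns 'ok', a fresh prompt, or None once the connection is closed."""
        if self.closed:
            raise ConnectionError("session closed")
        expected = CREDENTIALS.get(username)
        # constant-time comparison so the response time does not reveal how
        # many leading characters of the password were right
        good = expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())
        if good:
            self.user = username
            self.gate.record("login_ok", peer=self.peer, user=username)
            return "ok"
        self.failures += 1
        # log the attempted username and the count, never the password
        self.gate.record("login_failed", peer=self.peer, user=username,
                         failures=self.failures)
        self.gate.note_failure(self.peer, self.now)
        if self.failures >= MAX_FAILURES:
            self.gate.record("connection_closed", peer=self.peer)
            self.closed = True
            return None
        return "login: "

    def command(self, name):
        """Status commands of the kind the post lists (cards, logged-in users,
        port names, power supplies, ethernet) are refused until authenticated."""
        if self.closed:
            raise ConnectionError("session closed")
        if self.user is None:
            return "login required"
        return f"{name}: (output shown to {self.user})"


def exhaust_peer(gate, peer, start=0):
    """Drive repeated failing connections from one peer; returns how many
    connections were accepted before the per-source cool-down kicked in."""
    accepted = 0
    for i in range(PEER_FAILURE_LIMIT // MAX_FAILURES + 1):
        s = Session(gate, peer, now=start + i)
        if s.connect() is None:
            break
        accepted += 1
        for _ in range(MAX_FAILURES):
            if s.login("admin", "guess") is None:
                break
    return accepted


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    gate = Gate()
    print("connections accepted before cool-down:",
          exhaust_peer(gate, "198.51.100.7"))
```

The per-connection limit alone is what the post asks for; the per-peer tally is the extra step that stops an attacker from reconnecting after every third guess, which is why the gate keeps state outside the session. The audit records are the other half of the recommendation: each failure and each closed connection leaves a line a log collector can act on.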