xylan.omniswitch.txt

1999-08-17T00:00:00
ID PACKETSTORM:12090
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
                                            `Date: Wed, 31 Mar 1999 19:12:20 +0000  
From: pmsac@TOXYN.ORG  
To: BUGTRAQ@netspace.org  
Subject: Xylan OmniSwitch "features"  
  
Sorry if this is already known.  
  
Stepped into two "features" of Xylan OmniSwitches (also works on Pizza).  
These switches are sold OEM to Alcatel (which just bought Xylan) and IBM.  
  
Number one: anyone can telnet to the switch and login, without knowing  
either user or password strings. No permission will be given to perform  
any command, which is not so bad.  
This could work as a DoS, because software versions until 3.1.8 (don't know  
about later ones) only allow one interactive session, displaying a message  
of "System alread in use" in other attempts. However, since you can do this  
DoS even without logging in (just sitting at the login prompt) it's not much  
of a DoS.  
  
Number two: anyone can ftp to the switch, without knowing either user or  
password strings. Everyone is allowed to read all files in the flash,  
and even upload files (but not remove or overwrite existing ones).  
Since reading all files gives access to SNMP community strings, which are  
stored in clear text in one of the files, this could be trouble, and writing  
files, well, just use your imagination.  
  
This was tested on software version 3.1.8 (the latest I can access).  
  
Thanks to cock@p.ulh.as, which helped test the vulnerability.  
  
Have a nice day.  
  
Disclaimers:  
- This "feature" report was only sent here, personal option; software that's  
worth thousands of dollars should be better beta tested;  
- I do know switches aren't generally accessible from the internet.  
  
-------------------------------------------------------------------------------  
  
Date: Fri, 2 Apr 1999 01:41:40 +0000  
From: pmsac@TOXYN.ORG  
To: BUGTRAQ@netspace.org  
Subject: Re: Xylan OmniSwitch "features"  
  
No, it wasn't an April Fools joke.  
  
To put things real clear, and as I said in the original post:  
  
-quote-  
This was tested on software version 3.1.8 (the latest I can access).  
-end quote-  
  
Although I said the user could login/ftp without knowing either user or  
password strings, I _didn't_ say it would be just a matter of  
entering random characters and pressing carriage return (that would be  
a really funny one, but hey, it's not much further from the real thing).  
  
To the folks who just wrote me some nice mail saying something as  
constructive as  
  
-quote-  
We don't think so;  
or:  
we don't think, so...  
-end quote-  
  
well, think again (I do have some more things to do than posting a  
product of my imagination to bugtraq - gee, I must have tested before  
I posted, what about that ? ):  
  
- copy & paste ---------------------------------------------------------  
[pmsac@localhost pmsac]$ telnet switch  
Trying www.xxx.yyy.zzz...  
Connected to www.xxx.yyy.zzz.  
Escape character is '^]'.  
  
  
  
Welcome to the Xylan OmniSwitch! Version 3.1.8  
login : ajsdkal  
password:  
  
**********************************************************************  
  
Xylan OmniSwitch - Copyright (c), 1994-1998 XYLAN Inc.  
All rights reserved.  
-end copy & paste ------------------------------------------------------  
  
When you get the password prompt, just press ctrl+d (^D), the user  
string is arbitrary. You won't get privileges to run any command, not  
even the "exit" one, you have to close the connection "manually".  
  
The ftp "feature" is a little different, but, answering to  
  
-quote-  
I would very much appreciate an exploit or more detailed explanation  
of this vulnerability. We do have Omniswitches 'round these parts.  
  
This is an odd sort of "full-disclosure" posting, BW.  
-end quote-  
  
which was a rather polite mail, that's not the question, did I  
say it was a full-disclosure post ? It would be real fun, had  
I put it all in the open, that one of your lusers (or one of  
mine, for that matter), worked its way through all the switches...  
especially since this is not open source/free software (if it would,  
I would have contacted the author(s) first) and I could not publish a  
patch or a temporary way of disabling the "features". And no, we (I)  
don't need a thread about "full-disclosure and/or getting in touch  
with the author(s) first", read the disclaimers, it's a personal option.  
  
Sorry for all the ranting, thanks again to cock@p.ulh.as, which helped  
test the vulnerability.  
  
Have a nice day.  
  
Disclaimers:  
- This "feature" report was only sent here, personal option; software that's  
worth thousands of dollars should be better beta tested;  
- I do know switches aren't generally accessible from the Internet.  
  
-------------------------------------------------------------------------------  
  
Date: Thu, 1 Apr 1999 14:31:00 -0500  
From: Jeff Murphy <jcmurphy@SMURFLAND.CIT.BUFFALO.EDU>  
To: BUGTRAQ@netspace.org  
Subject: Re: Xylan OmniSwitch "features"  
  
we tried this with Version 3.2.5.17 and we're able to get in.  
  
-- inserted text --  
  
> Number one: anyone can telnet to the switch and login, without knowing  
> either user or password strings. No permission will be given to perform  
  
If I understand this, I can hit CR and get in. Just hitting CR keeps  
returning the login prompt, using any other character gets me to password,  
but CR returns login failure.  
  
> Number two: anyone can ftp to the switch, without knowing either user or  
> password strings.  
  
Nope, couldn't get in.  
  
-- end inserted text --  
  
-------------------------------------------------------------------------------  
  
Date: Mon, 5 Apr 1999 13:17:49 -0400  
From: Jeff Murphy <jcmurphy@SMURFLAND.CIT.BUFFALO.EDU>  
To: BUGTRAQ@netspace.org  
Subject: Re: Xylan OmniSwitch "features"  
  
Jeff Murphy <jcmurphy@SMURFLAND.CIT.BUFFALO.EDU> writes:  
  
> we tried this with Version 3.2.5.17 and we're able to get in.  
  
^^^^  
i meant to type "weren't" but left out a couple letters.  
i.e. we can not get in using your instructions.  
  
>  
> -- inserted text --  
>  
> > Number one: anyone can telnet to the switch and login, without knowing  
> > either user or password strings. No permission will be given to perform  
>  
> If I understand this, I can hit CR and get in. Just hitting CR keeps  
> returning the login prompt, using any other character gets me to password,  
> but CR returns login failure.  
>  
> > Number two: anyone can ftp to the switch, without knowing either user or  
> > password strings.  
>  
> Nope, couldn't get in.  
>  
> -- end inserted text --  
  
-------------------------------------------------------------------------------  
  
Date: Mon, 5 Apr 1999 13:41:52 -0500  
From: Greg Hodges <mrx@STAN.KSNI.NET>  
To: BUGTRAQ@netspace.org  
Subject: Re: Xylan OmniSwitch "features"  
  
I am unable to reproduce the telnet "feature" on 3.1.3.3(A), 3.2.5, 3.2.6.4(I), 3.2.7.12(C), and 3.4.2.  
  
Greg Hodges  
  
-------------------------------------------------------------------------------  
  
Date: Mon, 5 Apr 1999 16:30:39 -0400  
From: "Wall, Teresa" <TWall@OSC.USCG.MIL>  
To: BUGTRAQ@netspace.org  
Subject: Re: Xylan OmniSwitch "features"  
  
unable to get into Xylan OmniSwitch running 3.4.3.28  
  
-------------------------------------------------------------------------------  
  
Date: Tue, 6 Apr 1999 01:20:29 -0400  
From: willp2 <willp2@DREAMSCAPE.COM>  
To: BUGTRAQ@netspace.org  
Subject: Re: Xylan OmniSwitch "features"  
  
I tested this on Xylan's 3.2.5 code.  
I could not reproduce the bug.  
  
-------------------------------------------------------------------------------  
  
Date: Tue, 6 Apr 1999 17:36:23 -0500  
From: Chris Sterling <lemmy@EAZE.NET>  
To: BUGTRAQ@netspace.org  
Subject: Re: Xylan OmniSwitch "features"  
  
The telnet bug does work on 3.1.9  
  
  
--------------------------------  
Chris Sterling   
System Administrator  
EazeNet   
lemmy@eaze.net  
Office: 817-557-3038  
Fax: 817-557-3468  
  
-------------------------------------------------------------------------------  
  
Date: Thu, 8 Apr 1999 16:18:33 +0100  
From: pmsac <pmsac@TOXYN.ORG>  
To: BUGTRAQ@netspace.org  
Subject: Re: Xylan OmniSwitch "features"  
  
Ok, from all the posts on this thread and from some private  
mails:  
  
3.2.3 is reported vulnerable to the telnet "feature".  
3.2.5 is reported not vulnerable to the same "feature".  
  
Xylan has now the info on the ftp vulnerability.  
About the telnet "feature" they said:  
-quote-  
The "telnet" vulnerability was fixed prior to software release 3.2.6.  
-end quote-  
  
--  
pmsac@toxyn.org  
  
-------------------------------------------------------------------------------  
  
Date: Fri, 9 Apr 1999 11:28:02 +0100  
From: Rui Pedro Bernardino <rbernardino@bta.pt>  
To: BUGTRAQ@netspace.org  
Subject: Re: Xylan OmniSwitch "features"  
  
Please remember this isn't a plain "switch", considering it  
can run Checkpoint's fw-1 and WAN interfaces...  
  
  
--  
Rui Pedro Bernardino Gab. Seguranca Informatica  
Av. Miguel Bombarda, No 4, 8o Tel. +351 1 7922200 ext. 117810  
1049-058 Lisboa Fax. +351 1 7922497  
Portugal Mob. +351 931 7489996  
`
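
Added example, not part of the original thread: an inventory triage that reads the telnet banner format shown above and classifies each switch against the telnet reports posted in this thread and the vendor's "fixed prior to 3.2.6" statement. The host names and the longest-prefix matching rule are assumptions made for illustration; the FTP issue has no fixed release stated in the thread and is not covered.

```python
import re

# Telnet-login reports from the thread: True = reported vulnerable,
# False = poster could not reproduce it on that release.
REPORTS = {
    (3, 1, 8): True,       # original report
    (3, 1, 9): True,       # Chris Sterling
    (3, 2, 3): True,       # pmsac summary
    (3, 1, 3, 3): False,   # Greg Hodges, 3.1.3.3(A)
    (3, 2, 5): False,      # pmsac summary, willp2, Greg Hodges
    (3, 2, 5, 17): False,  # Jeff Murphy (corrected post)
}
VENDOR_FIXED_FROM = (3, 2, 6)  # vendor: "fixed prior to software release 3.2.6"

# Banner format as pasted in the thread; a suffix such as "(A)" is ignored.
BANNER_RE = re.compile(r"Xylan OmniSwitch! Version\s+(\d+(?:\.\d+)*)")

def parse_banner(banner):
    """Return the release as a tuple of ints, or None if no banner matched."""
    m = BANNER_RE.search(banner)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(version):
    """Map a parsed release to a triage status for the telnet issue."""
    if version is None:
        return "unknown-banner"
    if version >= VENDOR_FIXED_FROM:
        return "fixed-per-vendor"
    # Assumption: a report for 3.1.8 also covers builds such as 3.1.8.x,
    # so the longest reported prefix of the release wins.
    for n in range(len(version), 0, -1):
        verdict = REPORTS.get(version[:n])
        if verdict is not None:
            return "reported-vulnerable" if verdict else "reported-not-reproduced"
    return "unverified"  # no report in the thread: test or upgrade

def triage(inventory):
    """inventory: {host: banner text} -> {host: status}."""
    return {h: classify(parse_banner(b)) for h, b in inventory.items()}

# Constructed sample inventory (host names are hypothetical).
SAMPLE = {
    "sw-core-1": "Welcome to the Xylan OmniSwitch! Version 3.1.8",
    "sw-edge-2": "Welcome to the Xylan OmniSwitch! Version 3.2.4",
    "sw-edge-3": "Welcome to the Xylan OmniSwitch! Version 3.4.3.28",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(host, status)
```

Releases that come back "unverified" or "reported-vulnerable" are the ones to upgrade or to restrict management access on first.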