Bugtraq mailing list archives
Re: Compaq/Microcom 6000 DoS + more
From: costa () MDI CA (Shiloh Costa)
Date: Fri, 14 Aug 1998 09:39:20 -0700
Enclosed is my open reply to Compaq/Microcom: --------------------------------------------- At 10:31 AM 14/08/98 -0500, you wrote:
The Compaq 6000 has no security problems.
Yes it does.
The problem is that ALEC does not know how to deny telnet to specific Ip addresses.
No. The problem is that your username/password login process is poorly written. Did you read this? If so, please read it over 10 times, and then have someone else rephrase it for you:
The denial of service problem is this: there is no timeout when typing in the username and password - from what I have seen, a user can make a telnet connection to the MNC or PRI card and leave the connection open indefinitely. If the user only has one connection open, then this is not problem. However, the system will not accept more than 4 telnet connections at one time. Thus, a malicious user/hacker could open 4 telnet connections to either (or both cards) and deny all legitimate connections to the card. The other problem is that the system does not close the connection after a specified number of invalid login attempts. A program such as 'crack'
If I want to make 4 subsequent telnet sessions to the Login/Username prompt, it will stop the rightful owner from accessing the machine unless he powercycles it. That is a denial of Service. Also, the login and password attempts should time out if no data is received over a certain amount of time. Futhermore, after 3 incorrect password entries, it should reset and cause the person to re-telnet the box. This is standard with the Ascend Max product we use, as well as, the Computone Powerrack we use.
That was the solution we gave him, he did not like it. Maybe it's too much work.
No, maybe its not fixing the real issue which is an improperly written Login/Password interface.
The above mentioned solution should be standard policy for any system administrator, that has internet access on his network. Not only for the 6000, but any server's or any communication equipment that is on a given network.
You're 100% wrong.
Jim Kerwin COMPAQ - NAC Networking Support Engineer *E-Mail: James.Kerwin () compaq com
Jim.. Rather than cause futher embarassment to your company, please get engineering to put some modifications in the next kernel release. Shiloh Costa Senior System Administrator MDI Internet Inc.
Current thread:
- Compaq/Microcom 6000 DoS + more Microcom Support (Jun 03)
- Re: Compaq/Microcom 6000 DoS + more Alec Kosky (Aug 12)
- solaris 2.x rdist exploit / too many humbles :p John McDonald (Aug 12)
- Re: Compaq/Microcom 6000 DoS + more Shiloh Costa (Aug 14)