|
Date: Wed, 26 Nov 1997 21:30:16 -0500 From: Aleksandr Pilosov <apilos01@UTOPIA.POLY.EDU> To: BUGTRAQ@NETSPACE.ORG Subject: Xyplex terminal server bug As long as we are talking about login bugs on various hardware, here's one I've found about 1.5 years ago (Hi, Jim and Andrew :) If terminal server configured for RADIUS authentication,PPP/CHAP and AutoProtocolDetect, typing Ctrl-Z in username> prompt will drop you directly to command line, as if you logged in correctly. This will not work to get past 'enable' password, though. I am not sure if Xyplex fixed that bug yet, but at least the following version of software is affected: TS/720 V6.0.1S1 Rom 4C0000 HW 00.02.01 Lat Protocol V5.2 Hardware Type: 76 Hardware Revision: 00.02.01 Midplane Type: SwitchPlane Rom Revision: 4C0000 Software Type: Terminal Server Level 4 Software Revision: V6.0.1S1 Protocol Type: LAT, TELNET, RLOGIN, TN3270, SNMP, PPP Date: Mon, 1 Dec 1997 21:50:18 -0800 From: "Matthew G. Harrigan" <matth@MCR.COM> To: BUGTRAQ@NETSPACE.ORG Subject: Re: Xyplex terminal server bug At 09:30 PM 11/26/97 -0500, Aleksandr Pilosov wrote: >I am not sure if Xyplex fixed that bug yet .. [snip] The ctl-z concept can also be applied by simply entering a "?" at the Username: prompt. Likewise, I also found this out some time ago, but did not remember it until I saw your posting. From what I remember, two things happen. 1. The logged in user information is set to "???", which leads me to believe that with some creativity and/or source code, unauthorized (resource challenged) users may be able to force an administrative shell. 2. You are dropped into the command shell in which you are able to utilize all the client programs (i.e. rsh, telnet, etc..). I'm not sure if it is necessarily tied into radius or not. We do not have a xyplex term server in the lab, so if anyone has one they could experiment with, please post the results to this list. Matt Matthew G. Harrigan CIO, Microcosm Computer Resources http://www.mcr.com matth@mcr.com 415-333-1062 Date: Tue, 2 Dec 1997 16:24:51 -0800 From: "Matthew G. Harrigan" <matth@MCR.COM> To: BUGTRAQ@NETSP ffb ACE.ORG Subject: more xyplex commentary comments from Michael Johnson, an experienced (frustrated :) ) xyplex admin: This sounds like the problem that we faced with the Xyplex Terminal Servers and people getting in with "guest" access to our modempool. Our problem: Our guest access dropped people to a prompt and let them go anywhere in our domain, but no where else. This was so people could access our library and such. We used the script services of the Xyplex Terminal server to allow this "guest" access and to setup their permissions. About a month ago, we officially turned off guest access, but people were still getting in by putting a "/" anywhere in the login name. ex: Username:name/ssn This is what was happening: The terminal server would attempt to get a script from the script server that you have defined (if you are using scripts). When an attempt is made to get a script, it first tries (using the above example) "/tftpboot/name/ssn/login", if that doesn't work it backs off one directory (and does this incorrectly in my opinion). Instead of trying /tftpboot/login (taking out the login name of "name/ssn" it only backs off to /tftpboot/name/login). After this failure it assumes a misconfiguration, gives a script server timeout(?) error and gives the person default access. Note that this is only if you have DEFINE PORT ports SCRIPT LOGIN ENABLED If instead you use DEFINE PORT ports SCRIPT LOGIN REQUIRED the same thing happens only the user does not get default access, instead they are logged out. I see this as a bug in the xyplex code where it assumes the directory and file to tftp is part of the login name, but doesn't correctly "back-off" using the full login name (only up to the "/") and trying again. It does this so that you can setup special logins that auto-telnet to certain hosts or somesuch. Its a great feature, but when it fails it does not correctly retry like it does, its a menace. In order, it searches for a login script like this: 1. searches for "/tftpboot/loginname/login" 2. removes the loginname portion of "/loginname" 3. searches for "/tftpboot/login" <-- which exists and runs correctly for us. however, if you put a / in the login name it does this: 1. searches for "/tftpboot/login/name/login" 2. removes only "/name" not "/login/name" like it should 3. searches for "/tftpboot/login/login" 4. dies with script error and if not "required" gives a person default access. Wierd huh? I'm not saying this will fix your problem, but perhaps if you try "REQUIRED"ing whatever option you have turned on instead of just "ENABLED"ing it, this may fix your problem. Are you requiring radius authentication or just enabling it? There is a BIG difference. If radius is enabled and a person enters an invalid login/password sequence and radius fails authentication then it works properly, but if radius just fails with another type of error and since radius is only enabled, not required, you get default access (whatever that may be?). Anyway, its an idea. Matthew G. Harrigan CEO, Microcosm Computer Resources http://www.mcr.com matth@mcr.com 415-333-1062