Index of /cs-probs
Name Last modified Size Description
acs-ssl.retrieval.txt 27-Jun-2006 12:48 8.3K
acs.cyclades.ssldump..> 27-Jun-2006 13:09 8.3K
avocent-sshbug.txt 09-Sep-2005 13:11 1.4K
mrv-sshbug.txt 18-Jul-2005 21:32 7.4K
rari-problems.txt 08-Jul-2005 10:08 2.9K
scs.nmap.txt 27-Jun-2006 12:49 507
slc-problems.txt 08-Jul-2005 10:28 6.8K
Security bugs on console servers
All of these bugs were discovered during research on console servers in 2005 (German).
Most of them are fixed or supposedly fixed by now. Upgrade your firmware.
acs-ssl.retrieval.txt: pulling the RSA PRIVATE KEY from a Cyclades ACS *)
acs.cyclades.ssldump.txt: using this SSL key to sniff an HTTPS session (watch for the line containing the username/password pair)
avocent-sshbug.txt: circumventing port-based user ACLs on an Avocent CCM
mrv-sshbug.txt: circumventing port-based user ACLs on an MRV In-Reach by SSH public key authentication
rari-problems.txt: 1) no password for uid sshd and dominion, 2) world-readable /etc/shadow, 3) world-writable /bin/busybox *)
scs.nmap.txt: not an immediate problem, but what is nmap doing on a console server?
slc-problems.txt: Lantronix' SLC suffered from two problems: 1) SSH private keys were under the doc-root of the web server (and mini_httpd doesn't care about ACLs), 2) logfiles are publicly viewable since they are under the doc-root, too *)
Issues marked with *) require only network access, no credentials.