Published: 2005-03-31 00:00:00
Revised: 2017-07-10 21:32:28

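[Original] Bay Technical Associates RPC-3 Telnet Host 3.05 allows remote attackers to bypass authentication by pressing the escape and enter keys at the username prompt.

[CNNVD] Bay Technical Associates RPC3 Telnet access authentication bypass vulnerability (CNNVD-200503-164)

        Bay Technical Associates RPC3 Telnet is a remote service used for managing power equipment.
        The RPC3 Telnet service has a design error in how it handles user authentication; a remote attacker may exploit this vulnerability to bypass access authentication and take full control of the device.
        At the login prompt of the RPC3 Telnet service, a user only needs to enter the "[escape key] [enter]" sequence to interrupt the authentication process and gain direct access to the device.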

- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

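- CPE (Affected platforms and products)


- OVAL (Technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources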
(UNKNOWN)  BUGTRAQ  20050331 Bay Technical Associates telnet server logon bypass
(UNKNOWN)  XF  rpc3-logon-bypass-authentication(19921)

- Vulnerability information

Bay Technical Associates RPC3 Telnet access authentication bypass vulnerability
High risk Design error
2005-03-31 00:00:00 2005-10-20 00:00:00

- Announcements and patches


- Vulnerability information (F37204)

dsa-707.txt (PacketStormID:F37204)
2005-04-19 00:00:00

Debian Security Advisory 707-1. Multiple issues with MySQL, including: incorrect privilege handling (users get illegitimate access to databases named similarly to those they have legitimate access to), arbitrary command execution for any user that has been granted INSERT and DELETE rights, and race conditions due to predictable tempfile naming schemes.

--------------------------------------------------------------------------
Debian Security Advisory DSA 707-1                                        Martin Schulze
April 13th, 2005
--------------------------------------------------------------------------

Package        : mysql
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0957
BugTraq ID     : 12781
Debian Bug     : 285276 296674 300158

Several vulnerabilities have been discovered in MySQL, a popular
database.  The Common Vulnerabilities and Exposures project identifies
the following problems:


    Sergei Golubchik discovered a problem in the access handling for
    similar named databases.  If a user is granted privileges to a
    database with a name containing an underscore ("_"), the user also
    gains privileges to other databases with similar names.


    Stefano Di Paola discovered that MySQL allows remote
    authenticated users with INSERT and DELETE privileges to execute
    arbitrary code by using CREATE FUNCTION to access libc calls.


    Stefano Di Paola discovered that MySQL allows remote authenticated
    users with INSERT and DELETE privileges to bypass library path
    restrictions and execute arbitrary libraries by using INSERT INTO
    to modify the mysql.func table.


   Stefano Di Paola discovered that MySQL uses predictable file names
   when creating temporary tables, which allows local users with
   CREATE TEMPORARY TABLE privileges to overwrite arbitrary files via
   a symlink attack.

For the stable distribution (woody) these problems have been fixed in
version 3.23.49-8.11.

For the unstable distribution (sid) these problems have been fixed in
version 4.0.24-5 of mysql-dfsg and in version 4.1.10a-6 of

We recommend that you upgrade your mysql packages.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
--------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
Package info: `apt-cache show <pkg>' and<pkg>




- Vulnerability information

Bay Tech RPC-3 Telnet Host Authentication Bypass
Remote / Network Access Authentication Management
Loss of Integrity Solution Unknown

- Vulnerability description

- Timeline

2005-03-31 Unknown
Unknown Unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Bay Technical Associates RPC3 Telnet Daemon Authentication Bypass Vulnerability
Design Error 12955
Yes No
2005-03-31 12:00:00 2009-07-12 11:56:00
Discovery is credited to nolimit bugtraq <>.

- Affected program versions

Bay Technical Associates RPC3 Telnet F 3.05
Bay Technical Associates RPC3 Telnet F5.10.4

- Unaffected program versions

Bay Technical Associates RPC3 Telnet F5.10.4

- Vulnerability discussion

It is reported that the telnet daemon used by the device is affected by an authentication bypass vulnerability.

A successful attack can allow an attacker to carry out a denial of service attack against a machine using the power supply by shutting down the device.

RPC3 Telnet version F 3.05 is reported vulnerable. It is believed that the telnet daemon is shipped with most RPC-3 devices.

It is reported that RPC3 Telnet Revision F5.10.4 is not affected by this issue.

The affected packages will be updated when more information becomes available.

- Exploit

An exploit is not required.

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- Related references