Voter Remote Console - Authentication Bypass Bug

In the interest of full disclosure, this is final notification regarding an authentication bypass bug for the VOTER Remote Console running on the telnet service.

The specific method of authentication bypass along with other specific data has been scrubbed:

root@pentest:~# telnet XX.XX.XX.XX
Trying XX.XX.XX.XX...
Connected to XX.XX.XX.XX.
Escape character is '^]'.

VOTER System Serial # XXXX Remote Console Access
Login: *<redacted>*
Logged in successfully, now joining console session...
Select the following values to View/Modify:
1 - Serial # (XXXX) (which is MAC ADDR 00:XX:XX:XX:XX:XX)
2 - VOTER Server Address (FQDN) (XX.XX.XX.XX)
3 - VOTER Server Port (667), 4 - Local Port (Override) (0)
5 - Client Password (XXXX), 6 - Host Password (XXXX)
7 - Tx Buffer Length (3000)
8 - GPS Data Protocol (0=NMEA, 1=TSIP) (1)
9 - GPS Serial Polarity (0=Non-Inverted, 1=Inverted) (0)
10 - GPS PPS Polarity (0=Non-Inverted, 1=Inverted, 2=NONE) (0)
11 - GPS Baud Rate (9600)
12 - External CTCSS (0=Ignore, 1=Non-Inverted, 2=Inverted) (1)
13 - COR Type (0=Normal, 1=IGNORE COR, 2=No Receiver) (0)
14 - Debug Level (10)
15 - Alt. VOTER Server Address (FQDN) ()
16 - Alt. VOTER Server Port (Override) (0)
17 - DSP/BEW Mode NOT SUPPORTED
18 - "Duplex Mode 3" (0=DISABLED, 1-255 Hang Time) (1/10 secs) (0)
19 - Simulcast Launch Delay (0) (approx 200 ns, 5 = 1us, > 0 to ENA SC)
97 - RX Level, 98 - Status, 99 - Save Values to EEPROM
i - IP Parameters menu, o - Offline Mode Parameters menu
q - Disconnect Remote Console Session, r - reboot system, d - diagnostics
Enter Selection (1-27,97-99,r,q,d) :

Isn't this 2016? Why are we still using the telnet service? Any interest in patching this?

Travis Giedratis
tgiedratis@gmx.com

That's not full disclosure :)
Post it, this is very interesting. I want to test this against RTCM units
which are evolved from the voter.

I'd hope most of these devices are behind firewalls or on VPNs. The voters
are not Linux or another OS, it's a 16-bit microprocessor running embedded code.

Actually I may have one on the internet unprotected, need to check the router.

Thanks and 73's

On 1/12/16 11:30 AM, Travis Giedratis wrote:

In the interest of full disclosure, this is final notification regarding an
authentication bypass bug for the VOTER Remote Console running on the
telnet service.

The specific method of authentication bypass along with other specific data
has been scrubbed:

--
Bryan Fields

727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net

Thanks Bryan. I am already communicating with him privately.

Jim

________________________________________
From: app_rpt-users-bounces@ohnosec.org <app_rpt-users-bounces@ohnosec.org> on behalf of Bryan Fields <Bryan@bryanfields.net>
Sent: Tuesday, January 12, 2016 9:47 AM
To: app_rpt-users@ohnosec.org
Subject: Re: [App_rpt-users] Voter Remote Console - Authentication Bypass Bug
