Xyplex terminal login problems

Description:Apparently you can get into some Xyplex terminals by entering ^Z or '?' at the login prompt.
Author:Aleksandr Pilosov <apilos01@UTOPIA.POLY.EDU>
Compromise:Obtain unauthorized access to Xyplex terminals.
Vulnerable Systems:Xyplex terminals
Date:1 December 1997
Notes:Another problem with these terminals, this time with regard to their interaction with scripts is in the addendum.

Date: Wed, 26 Nov 1997 21:30:16 -0500
From: Aleksandr Pilosov <apilos01@UTOPIA.POLY.EDU>
Subject: Xyplex terminal server bug

As long as we are talking about login bugs on various hardware, here's one
I've found about 1.5 years ago (Hi, Jim and Andrew :)

If terminal server configured for RADIUS authentication,PPP/CHAP and
AutoProtocolDetect, typing Ctrl-Z in username> prompt will drop you
directly to command line, as if you logged in correctly.
This will not work to get past 'enable' password, though.

I am not sure if Xyplex fixed that bug yet, but at least the following
version of software is affected:
TS/720 V6.0.1S1 Rom 4C0000 HW 00.02.01 Lat Protocol V5.2

Hardware Type:       76
Hardware Revision:   00.02.01
Midplane Type:       SwitchPlane
Rom Revision:        4C0000
Software Type:       Terminal Server Level 4
Software Revision:   V6.0.1S1
Protocol Type:       LAT, TELNET, RLOGIN, TN3270, SNMP, PPP
Date: Mon, 1 Dec 1997 21:50:18 -0800
From: "Matthew G. Harrigan" <matth@MCR.COM>
Subject: Re: Xyplex terminal server bug

At 09:30 PM 11/26/97 -0500, Aleksandr Pilosov wrote:

>I am not sure if Xyplex fixed that bug yet .. [snip]

The ctl-z concept can also be applied by simply entering a "?" at the
Likewise, I also found this out some time ago, but did not remember it
until I saw your posting. From what I remember, two things happen.
1. The logged in user information is set to "???", which leads me to
believe that with some creativity
and/or source code, unauthorized (resource challenged) users may be able to
force an administrative shell.
2. You are dropped into the command shell in which you are able to utilize
all the client programs
(i.e. rsh, telnet, etc..).

I'm not sure if it is necessarily tied into radius or not.
We do not have a xyplex term server in the lab, so if anyone has one they
experiment with, please post the results to this list.


Matthew G. Harrigan
CIO, Microcosm Computer Resources

Date: Tue, 2 Dec 1997 16:24:51 -0800
From: "Matthew G. Harrigan" 
Subject: more xyplex commentary

comments from Michael Johnson, an experienced (frustrated :) ) xyplex admin:

This sounds like the problem that we faced with the Xyplex Terminal Servers
and people getting in with "guest" access to our modempool.

Our problem:

Our guest access dropped people to a prompt and let them go anywhere in our
domain, but no where else.  This was so people could access our library and
such.  We used the script services of the Xyplex Terminal server to allow
this "guest" access and to setup their permissions.

About a month ago, we officially turned off guest access, but people were
still getting in by putting a "/" anywhere in the login name.


This is what was happening:
The terminal server would attempt to get a script from the script server
that you have defined (if you are using scripts).  When an attempt is made
to get a script, it first tries (using the above example)
"/tftpboot/name/ssn/login", if that doesn't work it backs off one directory
(and does this incorrectly in my opinion).  Instead of trying
/tftpboot/login (taking out the login name of "name/ssn" it only backs off
to /tftpboot/name/login).  After this failure it assumes a
misconfiguration, gives a script server timeout(?) error and gives the
person default access.

Note that this is only if you have

If instead you use
the same thing happens only the user does not get default access, instead
they are logged out.

I see this as a bug in the xyplex code where it assumes the directory and
file to tftp is part of the login name, but doesn't correctly "back-off"
using the full login name (only up to the "/") and trying again.

It does this so that you can setup special logins that auto-telnet to
certain hosts or somesuch.  Its a great feature, but when it fails it does
not correctly retry like it does, its a menace.

In order, it searches for a login script like this:

1. searches for "/tftpboot/loginname/login"
2. removes the loginname portion of "/loginname"
3. searches for "/tftpboot/login"  <-- which exists and runs correctly for us.

however, if you put a / in the login name it does this:

1. searches for "/tftpboot/login/name/login"
2. removes only "/name" not "/login/name" like it should
3. searches for "/tftpboot/login/login"
4. dies with script error and if not "required" gives a person default access.

Wierd huh?

I'm not saying this will fix your problem, but perhaps if you try
"REQUIRED"ing whatever option you have turned on instead of just
"ENABLED"ing it, this may fix your problem.

Are you requiring radius authentication or just enabling it?  There is a
BIG difference.  If radius is enabled and a person enters an invalid
login/password sequence and radius fails authentication then it works
properly, but if radius just fails with another type of error and since
radius is only enabled, not required, you get default access (whatever that
may be?).

Anyway, its an idea.

Matthew G. Harrigan
CEO, Microcosm Computer Resources
More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: