Version: Confirmed on Firmware 4.2.09f, 4.4.061f (latest)
Author: Josh Zlatin-Amishav
Date: August 10, 2005
Background:
The Winterm 1125SE is a thin client which runs the Wyse Blazer operating
system. More information about the Wyse Blazer OS can be found here:
http://support1.wyse.com/1000Series/1Series_Security.htm)
a quote from the above URL:
The Wyse Blazer OS has a closed source and limited distribution (of the
source code). Attempts to expose vulnerabilities have been non-existent.
In addition, the products image design and stateless nature make this
product the most secure Winterm product available.
...
Proprietary OS The Wyse Blazer product operates on a non-published,
proprietary OS. This closed architecture makes the product far more
secure than open source devices.
Issue:
It is possible to remotely crash the Winterm 1125SE terminal by sending
a malformed packet with ip option len field set to zero.
PoC:
The exploit is identical to BID 7175. See the following URL for exploit
code:
http://www.securityfocus.com/archive/1/316043
Product: Wyse Winterm 1125SE
http://www.wyse.com/products/winterm/1125se/index.htm)
Version: Confirmed on Firmware 4.2.09f, 4.4.061f (latest)
Author: Josh Zlatin-Amishav
Date: August 10, 2005
Background:
The Winterm 1125SE is a thin client which runs the Wyse Blazer operating
system. More information about the Wyse Blazer OS can be found here:
http://support1.wyse.com/1000Series/1Series_Security.htm)
a quote from the above URL:
The Wyse Blazer OS has a closed source and limited distribution (of the
source code). Attempts to expose vulnerabilities have been non-existent.
In addition, the products image design and stateless nature make this
product the most secure Winterm product available.
...
Proprietary OS The Wyse Blazer product operates on a non-published,
proprietary OS. This closed architecture makes the product far more
secure than open source devices.
Issue:
It is possible to remotely crash the Winterm 1125SE terminal by sending
a malformed packet with ip option len field set to zero.
PoC:
The exploit is identical to BID 7175. See the following URL for exploit
code:
http://www.securityfocus.com/archive/1/316043
--
- Josh
[ reply ]