Telnet to test

hugh jack - faculty


I have my recent version of the LPC - Linux Programmable Controller (formerly FreeLC) ready for testing. You can use telnet to connect to it.
I am looking for feedback or suggestions as the design is starting to solidify nicely. The instructions are below. You can download it from if you want to install it and play with it on your own machine. Please note that the Java and X-windows programs are broken, but will be fixed in the near future.


1. Open another window and type in 'telnet localhost 1237'. This will connect to the LPC. Notice that 'localhost' is the default name for the same machine, but this could also be your machine name or IP number if you have one, or the loopback IP number The last number is
the port number. You will notice this in the '<io>' section of the 'test.plc' file.

2. You can now login to the LPC. Enter 'USER Huffin', you should get an acknowledgement. Then enter 'PASS Puffin', you should be given another
acknowledgement. If access was not granted you must start again from the 'USER Huffin' name. If you can't login, modify the 'passwd' file to
delete the encrypted password for 'Huffin' between the ':' colons, then use 'PASS' for the password. (Note: change this later, or else you will have a security hole.)

3. Use 'HELP' to get a list of commands.

4. Type 'VERSION' to get the version of the LPC. You can also use 'STATUS' to get the LPC state.

5. Use 'IDLE' to put the LPC in idle mode, and 'RUN' to put it back into run mode. If it is not in run mode, then the programs will not be

6. You can download the contents of the LPC memory by typing 'GET'. Look through to see the values in memory, and the program. (Note: the '<io>' is not working fully yet for 'GET' operations.) Each line of the ladder logic program starts and ends with 'SOR' and 'EOR'. The XIO instruction is a normally closed input, and XIC is a normally open. In this case the value of 'start' is false, so the add operation will not occur, so the value of 'C' should be zero.

7. Upload a memory change using the following steps. The 'PUT' command sets the LPC to receive XML files. The following XML code will set the
value of '1' for that start variable. This should make the add operation occur.
<set name="start" value="1"/>

8. Use 'GET' to examine the contents of the LPC memory. Now that start is set, the add operation should occur, and the value of 'C' should now
be equal to A+B.

9. Try changing other memory locations this way.

10. When done use 'DISCONNECT' to close the connection. You can reconnect using 'USER' and 'PASS' again.

11. Use 'QUIT' to restart the LPC. The LPC will sleep for 1 minute while old socket connections die, and then restart with the default file.

12. Feel free to play - just use 'QUIT' when you are done to restore it to the default state.

LinuxPLC mailing list
[email protected]
> You need to connect with 'telnet 1237'

Before you open something like this up to the world, probably ought to do a little testing. Do things like enter commands with %s in them (do
you read BugTraq?) or send a name or passwd that's 1028 characters, things like that. The critical part is that it doesn't create any
internal buffer overflows, resulting in segfaults, resulting in hacked systems.

Blue skies... Todd
Most traditional Pee-Cee user groups, I've noticed, function mainly as
commiseration societies for people who've bought lousy hardware, are
struggling and wasting time trying to deal with it, and want to exchange
coping-strategy tips with others in the same boat. -- Rick Moen


I have taken special care to prevent buffer overflow security holes with limited buffer sizes. The problem here that I will fix by tomorrow is probably caused by somebody not ending a session properly (just by killing a telnet window) and me not checking to see when a connection is terminated (my stupid mistake). This is one of the problems that I was hoping to uncover. If you want, download the code and try it yourself on your machine. I am looking for security and other problems.

BTW, if you are security savvy, maybe you would be interested in helping with the communications protocols, especially the login procedures, etc.


jackh wrote:

> BTW, if you are security savy, maybe you would be interested in helping
> with the communications protocols, especially the login procedures, etc.

I'm very interested in security, but I'm not a very good coder (I wouldn't even put myself in the same school as you guys, much less the same class). I would love to help where possible though.


I discovered and fixed the connection bug. Essentially, when a telnet session was not ended correctly - with a 'QUIT' or 'DISCONNECT' command
- the software did not shut the connection down. In fixing this I found that older kernels 2.0.x seem to have a bug with the poll() command that
prevents them from detecting hangups. So the short of it is that I have the revised software available for download ( but the server I was going to use for the telnet logins won't do the job. I will set up another
machine this weekend to host the telnet logins. Of course you could always download it to your machine and try it out. The basic LPC server
doesn't require any graphics.

Sorry for any inconvenience. (But would Microsoft ever fix a bug that fast? Their developers must be paid too much!)


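An added example, not code from the LPC project: a C command reader that shows the two points raised in this thread, a fixed-size line buffer that refuses an oversized input (Todd's 1028-character name) instead of overflowing, and end-of-connection detection that does not depend on poll() reporting a hangup (the bug Hugh describes). A socketpair stands in for the telnet socket; LINE_MAX_LEN and the status codes are assumptions.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define LINE_MAX_LEN 64  /* assumed limit; the LPC's real buffer size is not on the page */

enum rd_status { RD_LINE, RD_HANGUP, RD_TOOLONG, RD_TIMEOUT, RD_ERROR };

/* Read one newline-terminated command from fd into buf (capacity cap).
 * RD_TOOLONG means the line exceeded cap-1 bytes: it is discarded up to the
 * newline so the stream stays in sync. RD_HANGUP means the peer went away. */
int read_command(int fd, char *buf, size_t cap, int timeout_ms)
{
    size_t len = 0;
    int overlong = 0;
    for (;;) {
        struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
        int rc = poll(&p, 1, timeout_ms);
        if (rc < 0) { if (errno == EINTR) continue; return RD_ERROR; }
        if (rc == 0) return RD_TIMEOUT;     /* also bounds the wait if POLLHUP is never raised */
        if (p.revents & (POLLERR | POLLNVAL)) return RD_ERROR;
        /* Do not rely on POLLHUP: a read() of 0 bytes is the portable sign
         * that the peer closed. One byte per read keeps the example short. */
        char c;
        ssize_t n = read(fd, &c, 1);
        if (n == 0) return RD_HANGUP;
        if (n < 0) { if (errno == EINTR) continue; return RD_ERROR; }
        if (c == '\r') continue;            /* telnet clients send CR LF */
        if (c == '\n') { buf[len] = '\0'; return overlong ? RD_TOOLONG : RD_LINE; }
        if (overlong) continue;             /* still draining an oversized line */
        if (len + 1 >= cap) { overlong = 1; continue; }  /* refuse, never overflow */
        buf[len++] = c;
    }
}

int main(void)
{
    int sv[2];
    char buf[LINE_MAX_LEN];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 1;
    if (write(sv[1], "USER Huffin\r\n", 13) != 13) return 1;
    printf("status %d, line '%s'\n", read_command(sv[0], buf, sizeof buf, 1000), buf);
    close(sv[1]);                           /* simulate a killed telnet window */
    printf("status %d (RD_HANGUP is %d)\n", read_command(sv[0], buf, sizeof buf, 1000), RD_HANGUP);
    return 0;
}
```

A server using this loop closes the client socket on RD_HANGUP or RD_ERROR and can answer RD_TOOLONG with an error reply rather than dying.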