Everything that sometimes goes through one's head or other organs. Mostly at night, sometimes during the day too.

Tuesday, January 10, 2012

Thoughts about BSD-derived Telnet Daemon and IronPort

[Image: IronPort BSD Telnetd Exploited with Metasploit]

Since a classical buffer overflow in BSD-derived telnet daemons was detected at the end of December 2011, some people were curious whether the IronPort/Cisco telnetd would be prone to the same vulnerability. Since I knew that the IronPort operating system (AsyncOS) is somehow BSD-based, the chance would be great. hdmoore from Rapid7 (to which Metasploit belongs) acknowledged that the telnetd is a stock FreeBSD telnetd and that Metasploit's exploit for the BSD telnetd works on IronPort's AsyncOS.

But since this isn't really a security hole (every common-sense IronPort administrator should have disabled telnet, shouldn't he?), this exploit is a good way to explore the world of AsyncOS until IronPort/Cisco fixes it. I tried the exploit with Metasploit and it works smoothly out of the box. And I was astonished that AsyncOS is really a stock FreeBSD system with some special adaptations for mail and security (I only write about the ESA, the email security appliance, but I think this will also work for the WSA, the web security appliance). But I didn't manage to set up a user with a root shell (e.g. with ssh logins); the IronPort guys have done a good job hardening the OS. But maybe my FreeBSD skills are too limited to get it and/or I am only a poor hacker.
