APC web/snmp/telnet management card dos

[altomo () NUDEHACKERS COM]

This is a multi-part message in MIME format.


altomo () nudehackers com

APC web/snmp management card


Some APC products such as the symetra offer the option of adding a management
card to allow an admin the ablilty to setup monitoring and notification.  The
card is accessable by snmp, web interface, and telnet.  Itseems that only one
telnet connection is allowed at a time.(problem 1).  The telnet sesssion is
authenticated by a user/password method, if the incorrect combination is
entered 3 times no connections are allowed for the defined lockout time. Min.
1 minute, max 10 minutes. (problem 2)


Problem 1-

  Since only one connection is allowed to the telnet port an admin could be
kept from connecting.  Easy to reproduce.



Problem 2- Lock out period. Lock out periods are a good thing, I really do
like them.  But when no one can connect its a bad thing.  Since the lockout
period can not be set to 0 an attacker could take advantage of this by sending
3 incorrect login attempts to the unit and repeat every 60 secs using the
minimal lockout time.  Even if the admin has lockout set to 10 minutes it will
keep repeating and work when it actually is enabled again.

both of these are easy to reproduce.

problem 1 - cat /dev/zero | nc ip-here 23  (ya ya dirty)
problem 2 - attempt login 3 times, or run script attached.


-Contacting APC -
Contacted APC via email and informed they of what had been found and asked if
this was going to be addressed in the future.  The response received back was:

 "At this time the security on the web card is at its highest level. The only
  other suggestion is to make changes on the firewall."

Well, not really what I wanted to hear but hey why not.  I responded inorder
to try one more time and received the same respone back.


altomo () nudehackers com

Attachment: apcdos.pl
Description: