Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: APC web/snmp/telnet management card dos

From: Derek Kwan <dkwan () KWAN CA>
Date: Mon, 26 Feb 2001 17:37:19 -0500
IMHO.. Well APC's responds is kinda true. Why would you want to have the
telnet port to your UPS open wide up to the world. These UPS IP's should
sit behind your DMZ and treat them as a internal servers. Or atleast they
should be on a private subnet, and Admin have to logon to a box and hop
over to the UPS private subnet.

Just my 2 cents.

 \|/ _____ \|/    ***************************************************
 "@'/ , . \`@"    This e-mail is send with 100% recyclable electrons.
 /_| \___/ |__\   ***************************************************
    \___U_/       Derek () KWAN ca


On Mon, 26 Feb 2001 altomo () NUDEHACKERS COM wrote:



altomo () nudehackers com

APC web/snmp management card


Some APC products such as the symetra offer the option of adding a management
card to allow an admin the ablilty to setup monitoring and notification.  The
card is accessable by snmp, web interface, and telnet.  Itseems that only one
telnet connection is allowed at a time.(problem 1).  The telnet sesssion is
authenticated by a user/password method, if the incorrect combination is
entered 3 times no connections are allowed for the defined lockout time. Min.
1 minute, max 10 minutes. (problem 2)


Problem 1-

  Since only one connection is allowed to the telnet port an admin could be
kept from connecting.  Easy to reproduce.



Problem 2- Lock out period. Lock out periods are a good thing, I really do
like them.  But when no one can connect its a bad thing.  Since the lockout
period can not be set to 0 an attacker could take advantage of this by sending
3 incorrect login attempts to the unit and repeat every 60 secs using the
minimal lockout time.  Even if the admin has lockout set to 10 minutes it will
keep repeating and work when it actually is enabled again.

both of these are easy to reproduce.

problem 1 - cat /dev/zero | nc ip-here 23  (ya ya dirty)
problem 2 - attempt login 3 times, or run script attached.


-Contacting APC -
Contacted APC via email and informed they of what had been found and asked if
this was going to be addressed in the future.  The response received back was:

 "At this time the security on the web card is at its highest level. The only
  other suggestion is to make changes on the firewall."

Well, not really what I wanted to hear but hey why not.  I responded inorder
to try one more time and received the same respone back.


altomo () nudehackers com
Previous By Date Next
Previous By Thread Next

Current thread: