Re: APC web/snmp/telnet management card dos

[altomo () NUDEHACKERS COM]

Not concerned with outside attacks as yes there is a firewall but what about
internal attackers?  There are 2 ghetto style work arounds of course.
1. leave web or snmp open to managed this product
2. put on a private network and have a linux box infront ssh to linux box
then telnet to apc.

my point was that APC should not depend on other security to secure their
product.

Derek Kwan <dkwan () KWAN ca> said:

> IMHO.. Well APC's responds is kinda true. Why would you want to have the
> telnet port to your UPS open wide up to the world. These UPS IP's should
> sit behind your DMZ and treat them as a internal servers. Or atleast they
> should be on a private subnet, and Admin have to logon to a box and hop
> over to the UPS private subnet.
>
> Just my 2 cents.
>
>  |/ _____ |/    ***************************************************
>  "@'/ , . `@"    This e-mail is send with 100% recyclable electrons.
>  /_| ___/ |__   ***************************************************
>     ___U_/       Derek () KWAN ca
>
>
> On Mon, 26 Feb 2001 altomo () NUDEHACKERS COM wrote:
>
> > altomo () nudehackers com
> >
> > APC web/snmp management card
> >
> >
> > Some APC products such as the symetra offer the option of adding a
management
> > card to allow an admin the ablilty to setup monitoring and notification.
The
> > card is accessable by snmp, web interface, and telnet.  Itseems that only
one
> > telnet connection is allowed at a time.(problem 1).  The telnet sesssion
is
> > authenticated by a user/password method, if the incorrect combination is
> > entered 3 times no connections are allowed for the defined lockout time.
Min.
> > 1 minute, max 10 minutes. (problem 2)
> >
> >
> > Problem 1-
> >
> >   Since only one connection is allowed to the telnet port an admin could
be
> > kept from connecting.  Easy to reproduce.
> >
> >
> >
> > Problem 2- Lock out period. Lock out periods are a good thing, I really do
> > like them.  But when no one can connect its a bad thing.  Since the
lockout
> > period can not be set to 0 an attacker could take advantage of this by
sending
> > 3 incorrect login attempts to the unit and repeat every 60 secs using the
> > minimal lockout time.  Even if the admin has lockout set to 10 minutes it
will
> > keep repeating and work when it actually is enabled again.
> >
> > both of these are easy to reproduce.
> >
> > problem 1 - cat /dev/zero | nc ip-here 23  (ya ya dirty)
> > problem 2 - attempt login 3 times, or run script attached.
> >
> >
> > -Contacting APC -
> > Contacted APC via email and informed they of what had been found and
asked if
> > this was going to be addressed in the future.  The response received back
was:
> >  "At this time the security on the web card is at its highest level. The
only
> >   other suggestion is to make changes on the firewall."
> >
> > Well, not really what I wanted to hear but hey why not.  I responded
inorder
> > to try one more time and received the same respone back.
> >
> >
> > altomo () nudehackers com



--