Bugtraq mailing list archives
Re: APC web/snmp/telnet management card dos
From: altomo () NUDEHACKERS COM
Date: Mon, 26 Feb 2001 23:58:46 -0000
Not concerned with outside attacks, as yes, there is a firewall, but what about internal attackers? There are 2 ghetto-style workarounds, of course:

1. Leave web or SNMP open to manage this product.
2. Put it on a private network and have a Linux box in front; SSH to the Linux box, then telnet to the APC.

My point was that APC should not depend on other security to secure their product.

Derek Kwan <dkwan () KWAN ca> said:

IMHO.. Well, APC's response is kinda true. Why would you want to have the telnet port to your UPS open wide up to the world? These UPS IPs should sit behind your DMZ, and treat them as internal servers. Or at least they should be on a private subnet, and admins have to log on to a box and hop over to the UPS private subnet. Just my 2 cents.

This e-mail is sent with 100% recyclable electrons.
Derek () KWAN ca

On Mon, 26 Feb 2001 altomo () NUDEHACKERS COM wrote:

altomo () nudehackers com

APC web/snmp management card

Some APC products such as the Symmetra offer the option of adding a management card to allow an admin the ability to set up monitoring and notification. The card is accessible by SNMP, web interface, and telnet. It seems that only one telnet connection is allowed at a time (problem 1). The telnet session is authenticated by a user/password method; if the incorrect combination is entered 3 times, no connections are allowed for the defined lockout time: min. 1 minute, max. 10 minutes (problem 2).

Problem 1 - Since only one connection is allowed to the telnet port, an admin could be kept from connecting. Easy to reproduce.

Problem 2 - Lockout period. Lockout periods are a good thing, I really do like them. But when no one can connect, it's a bad thing. Since the lockout period cannot be set to 0, an attacker could take advantage of this by sending 3 incorrect login attempts to the unit and repeating every 60 secs using the minimal lockout time. Even if the admin has lockout set to 10 minutes, it will keep repeating and work when it actually is enabled again.

Both of these are easy to reproduce.

problem 1 - cat /dev/zero | nc ip-here 23 (ya ya dirty)
problem 2 - attempt login 3 times, or run script attached.

- Contacting APC -

Contacted APC via email and informed them of what had been found and asked if this was going to be addressed in the future. The response received back was:

"At this time the security on the web card is at its highest level. The only other suggestion is to make changes on the firewall."

Well, not really what I wanted to hear, but hey, why not. I responded in order to try one more time and received the same response back.

altomo () nudehackers com
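
Detection of the two conditions described in the advisory above, as an added example that is not part of the original posts or of any APC tooling: it scans flow records for telnet sessions to the management card and flags a source that occupies the single telnet slot for a long time, or that makes short sessions spaced at the lockout period. The log format, thresholds and addresses are assumptions; the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime

LOCKOUT_MIN, LOCKOUT_MAX = 60, 600  # lockout range given in the advisory (seconds)
SLACK = 15           # assumed tolerance around the lockout period
SHORT_SESSION = 30   # assumed: three failed logins finish within this many seconds
MIN_RUN = 4          # assumed: periodic short sessions needed before alerting
LONG_HOLD = 1800     # assumed: one session occupying the only telnet slot this long

# Constructed flow records for TCP/23 to the card: start time, source, duration (s).
SAMPLE_LOG = """\
2001-02-26T09:00:00 10.0.0.12 12
2001-02-26T09:00:20 10.0.0.12 200
2001-02-26T10:00:00 10.0.0.5 420
2001-02-26T10:05:00 10.0.0.77 8
2001-02-26T10:06:02 10.0.0.77 8
2001-02-26T10:07:03 10.0.0.77 9
2001-02-26T10:08:05 10.0.0.77 8
2001-02-26T11:00:00 10.0.0.90 7200
"""

def parse(log):
    sessions = defaultdict(list)  # source address -> [(start, duration), ...]
    for line in filter(str.strip, log.splitlines()):
        ts, src, dur = line.split()
        sessions[src].append((datetime.fromisoformat(ts), int(dur)))
    return sessions

def detect(log):
    """Return {source: [reasons]} for slot-hold and lockout-cycling patterns."""
    findings = {}
    for src, rows in parse(log).items():
        reasons, run, prev = set(), 0, None
        for start, dur in sorted(rows):
            if dur >= LONG_HOLD:
                reasons.add("slot-hold")            # problem 1: admin kept out
            if dur > SHORT_SESSION:
                run, prev = 0, None                 # a real session breaks the run
                continue
            gap = (start - prev).total_seconds() if prev is not None else None
            periodic = gap is not None and LOCKOUT_MIN - SLACK <= gap <= LOCKOUT_MAX + SLACK
            run = run + 1 if periodic else 1
            prev = start
            if run >= MIN_RUN:
                reasons.add("lockout-cycling")      # problem 2: lockout re-triggered
        if reasons:
            findings[src] = sorted(reasons)
    return findings
```

A mistyped password followed by a normal session (10.0.0.12 in the sample) does not alert, because the run resets as soon as a session outlasts `SHORT_SESSION`.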