[19407] in bugtraq
Re: APC web/snmp/telnet management card dos
daemon@ATHENA.MIT.EDU (altomo@NUDEHACKERS.COM)
Tue Feb 27 19:26:07 2001
Message-ID: <200102262358.f1QNwkB04020@blackwidow.adisfwb.com>
Date: Mon, 26 Feb 2001 23:58:46 -0000
Reply-To: altomo@NUDEHACKERS.COM
From: altomo@NUDEHACKERS.COM
X-To: Derek Kwan <dkwan@KWAN.ca>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10102261734480.15070-100000@KWAN.ca>
Not concerned with outside attacks as yes there is a firewall but what about
internal attackers? There are 2 ghetto style workarounds of course.
1. leave web or snmp open to manage this product
2. put on a private network and have a Linux box in front, ssh to Linux box
then telnet to APC.
My point was that APC should not depend on other security to secure their
product.
Derek Kwan <dkwan@KWAN.ca> said:
>
> IMHO.. Well APC's response is kinda true. Why would you want to have the
> telnet port to your UPS open wide up to the world. These UPS IPs should
> sit behind your DMZ and treat them as internal servers. Or at least they
> should be on a private subnet, and Admin have to log on to a box and hop
> over to the UPS private subnet.
>
> Just my 2 cents.
>
> |/ _____ |/ ***************************************************
> "@'/ , . `@" This e-mail is send with 100% recyclable electrons.
> /_| ___/ |__ ***************************************************
> ___U_/ Derek@KWAN.ca
>
>
> On Mon, 26 Feb 2001 altomo@NUDEHACKERS.COM wrote:
>
> >
> > altomo@nudehackers.com
> >
> > APC web/snmp management card
> >
> >
> > Some APC products such as the Symmetra offer the option of adding a management
> > card to allow an admin the ability to set up monitoring and notification. The
> > card is accessible by snmp, web interface, and telnet. It seems that only one
> > telnet connection is allowed at a time. (problem 1). The telnet session is
> > authenticated by a user/password method, if the incorrect combination is
> > entered 3 times no connections are allowed for the defined lockout time. Min.
> > 1 minute, max 10 minutes. (problem 2)
> >
> >
> > Problem 1-
> >
> > Since only one connection is allowed to the telnet port an admin could be
> > kept from connecting. Easy to reproduce.
> >
> >
> >
> > Problem 2- Lock out period. Lock out periods are a good thing, I really do
> > like them. But when no one can connect it's a bad thing. Since the lockout
> > period cannot be set to 0 an attacker could take advantage of this by sending
> > 3 incorrect login attempts to the unit and repeat every 60 secs using the
> > minimal lockout time. Even if the admin has lockout set to 10 minutes it will
> > keep repeating and work when it actually is enabled again.
> >
> > both of these are easy to reproduce.
> >
> > problem 1 - cat /dev/zero | nc ip-here 23 (ya ya dirty)
> > problem 2 - attempt login 3 times, or run script attached.
> >
> >
> > -Contacting APC -
> > Contacted APC via email and informed them of what had been found and asked if
> > this was going to be addressed in the future. The response received back was:
> >
> > "At this time the security on the web card is at its highest level. The only
> > other suggestion is to make changes on the firewall."
> >
> > Well, not really what I wanted to hear but hey why not. I responded in order
> > to try one more time and received the same response back.
> >
> >
> > altomo@nudehackers.com
> >
>
--
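
Added example, not part of the original posts and not APC code: a small offline model of the lockout counter described under "Problem 2", comparing one card-wide counter (the behaviour the post reports) with a counter kept per client address (an assumed alternative design that the thread does not describe). All function names, addresses and timelines are constructed for illustration.

```python
"""Offline model of the login lockout from 'Problem 2' (constructed inputs only)."""

MAX_FAILURES = 3  # from the post: 3 incorrect logins trigger the lockout


def admin_availability(lockout_s, per_source, bad_login_times, admin_try_times,
                       bad_source="10.0.0.66", admin_source="10.0.0.5"):
    """Return the fraction of admin login attempts that are accepted.

    per_source=False: one counter for the whole card (as reported in the post).
    per_source=True:  counters keyed by client address (assumed alternative).
    """
    events = sorted([(t, bad_source, False) for t in bad_login_times] +
                    [(t, admin_source, True) for t in admin_try_times])
    failures = {}      # key -> failed logins since last success or lockout
    locked_until = {}  # key -> time at which the lockout ends
    accepted = 0
    for t, source, good_password in events:
        key = source if per_source else "card"
        if t < locked_until.get(key, 0):
            continue                    # refused: lockout still running
        if good_password:
            accepted += 1
            failures[key] = 0
            continue
        failures[key] = failures.get(key, 0) + 1
        if failures[key] >= MAX_FAILURES:
            locked_until[key] = t + lockout_s
            failures[key] = 0
    return accepted / len(admin_try_times)


def retry_bursts(lockout_s, duration_s):
    """Constructed timeline: 3 bad logins, repeated as each lockout expires."""
    period = lockout_s + MAX_FAILURES - 1
    return [base + i for base in range(0, duration_s, period)
            for i in range(MAX_FAILURES)]


ADMIN_TRIES = [45 + 300 * j for j in range(12)]  # constructed: every 5 min for 1 h


def compare(lockout_s):
    """Admin availability as (card-wide counter, per-source counter)."""
    bad = retry_bursts(lockout_s, 3600)
    return (admin_availability(lockout_s, False, bad, ADMIN_TRIES),
            admin_availability(lockout_s, True, bad, ADMIN_TRIES))


if __name__ == "__main__":
    for lockout in (60, 600):           # min and max lockout from the post
        print(lockout, compare(lockout))
```

The model covers only the lockout counter; the single-session limit from "Problem 1" is not modelled.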