[6510] in bugtraq


Re: APC UPS PowerChute PLUS exploit...

daemon@ATHENA.MIT.EDU (Iain P.C. Moffat)
Mon Apr 13 20:48:22 1998

Date: 	Mon, 13 Apr 1998 13:41:38 EASTERN
Reply-To: ipm@hp.ufl.edu
From: "Iain P.C. Moffat" <ipm@HP.UFL.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <3388571334.892446801@h220-s104.mcmurdo.gov>

I could not say, but I would not be at all surprised.  APC had a
similar hole in earlier (pre mid last year) versions of their
PowerChute NLM for Netware.  When they released their PowerChute-VS
line, the included software was able to manage (without
authentication) servers that were running the full version of
PowerChute.  It basically allowed anyone with the PowerChute VS
software to manage the APC on the PowerChute server, and _yes_ you
could power down the server.  They do have a newer version which should
fix this.  One of the versions is for Netware 4.x and supposedly
solves the problem via always authenticating to NDS.  I believe that
the version for Netware 3.x servers simply uses a new SAP type
(security through obscurity).  If this is the only change, then with
the appropriate tools (PowerChute-VS hacked to listen to the new SAP
type) the newer NLM for Netware 3.x would have the same
liabilities. Gotta love it!

-Iain

On 13 Apr 98 at 5:53, Chris Liljenstolpe - Network wrote:

> Greetings,
>
>      I hope that this UDP port (I haven't looked at PowerChute) is just used
> by the UPSs to report problems, and that PowerChute doesn't use that to
> make critical decisions (like shutdown).  I know PowerChute CAN be used to
> shut down the system, I just don't know if that feature can be triggered by a
> network-reported event.  That makes for an even better exploit....
>
>      Chris
>
*******************************************
Iain P.C. Moffat
College of Health Professions
University of Florida
ipm@ufl.edu
*******************************************
