[7663] in bugtraq


Re: FW: APC UPS PowerChute PLUS exploit...

daemon@ATHENA.MIT.EDU (Theo Schlossnagle)
Thu Aug 13 21:30:18 1998

Date: 	Thu, 13 Aug 1998 18:55:07 -0400
Reply-To: jesus@OMNITI.COM
From: Theo Schlossnagle <jesus@OMNITI.COM>
X-To:         "Andre M. Hedrick" <hedrick@Astro.Dyer.Vanderbilt.Edu>
To: BUGTRAQ@NETSPACE.ORG

Andre M. Hedrick wrote:
>
> WRT "PowerChute" and "WebAgent",
>
> In the words of "Ted Ives", APCC's software production manager of "PC" and "WA",
> there is no way for TCP access.  PowerChute is not capable of doing
> network sharing protocols.  I know this for a fact from conversations with
> Ted and Ken A., senior unix programmer.  They use the UDP access through a
> SNMP port that can not be disclosed.  As for granting TCP access, you
> are required to run a remote webserver with "WebAgent" overlaid, somehow,
> to broadcast UPS status from "PowerChute" to that "remote webserver".
>
> Thus IMHO, there is no way for you to easily punch a hole in that security
> method, due to the difficulty of maintaining a UDP connection as an unlisted
> manager.  Since the service port is below 2000, you run into the super
> user status limits.

I don't know if I understand you correctly, but the UDP broadcasts from
upsd running on the system with the APCC plugged into it are not only
easy to read, they are also easy to spoof.  If one machine is relying on
these UDP packets (e.g. shutting down if one comes in with an "on
battery" message for a certain period of time) this could be BAD.  As far
as I know, no one is that naive.  But the UDP ports that status requests
and responses are sent on are 654[789].  An easy way to crash it is to
send a spurious packet to 6549.  My program posted earlier on BugTraq
(downupsd.c) did this.  I have also written numerous programs that
monitor UPSs from afar using this UDP status mechanism.  I actually keep
these running despite the security mechanisms (none of my machines
depend on info from them AND no one that I know of has exploited this to
get a root shell) in order to monitor building surges and wiring
faults. (A pretty nifty use, and CHEAP when you compare the price of a few
SmartUPSs you ALREADY own with hiring a professional to come in and hang
out until something bad happens.)
If anyone is interested in communications over UDP with the APCC upsd
daemon, write to me personally; it has no place on BugTraq.


--
Theo Schlossnagle
Senior Systems Engineer
33131B65/2047/71 F7 95 64 49 76 5D BA  3D 90 B9 9F BE 27 24 E7

DISCLAIMER:  The spelling and grammar usage above does not reflect the
intelligence of the author.  A sendmail patch provides pre-delivery
grammar and spelling mutation to reduce certain suspicions concerning the
author's whereabouts and activities.
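The point made above, that the UDP status broadcasts are trivial to read and to spoof and that a host which shuts itself down on an incoming "on battery" datagram is exposed, as an added example that is not code from the original post and not APC's PowerChute software or its real 654[789] wire format. The datagram layout (`<seq>|<status>|<hmac-sha256 hex>`), the upsd host address and the pre-shared key are all constructed for the example. It goes slightly beyond the post by also showing the shape of a consumer that authenticates each datagram with an HMAC and rejects replays, beside the consumer that trusts whatever arrives on the port.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed values for the example; the real upsd host and any key are
# deployment-specific and nothing here is APC's actual wire format.
TRUSTED_UPS_HOST = "10.0.0.5"            # assumed address of the upsd host
SHARED_KEY = b"example-shared-key-1998"  # assumed pre-shared secret


def build_status(seq: int, status: str, key: bytes) -> bytes:
    """Sender side of the hypothetical authenticated format:
    '<seq>|<status>|<hmac-sha256 hex>' (not PowerChute's format)."""
    body = f"{seq}|{status}".encode("ascii")
    mac = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    return body + b"|" + mac


def insecure_accept(datagram: bytes, src_ip: str) -> Optional[str]:
    """Consumer that believes anything arriving on the status port.

    This models the failure mode in the post: the status field of a UDP
    datagram is read and acted on (an "on battery" status would trigger a
    shutdown) with no check on who sent it. src_ip is deliberately ignored.
    """
    fields = datagram.split(b"|")
    if len(fields) < 2:
        return None
    return fields[1].decode("ascii", errors="replace")


class AuthenticatedConsumer:
    """Consumer that requires a MAC under a pre-shared key and a strictly
    increasing sequence number, so forged and replayed datagrams are dropped."""

    def __init__(self, key: bytes, trusted_src: str) -> None:
        self.key = key
        self.trusted_src = trusted_src
        self.last_seq = -1

    def accept(self, datagram: bytes, src_ip: str) -> Optional[str]:
        # Source-address filtering is cheap but NOT sufficient on its own:
        # a UDP source address is trivially forged. It only trims noise.
        if src_ip != self.trusted_src:
            return None
        parts = datagram.split(b"|")
        if len(parts) != 3:
            return None
        seq_b, status_b, mac_b = parts
        expected = hmac.new(self.key, seq_b + b"|" + status_b,
                            hashlib.sha256).hexdigest().encode("ascii")
        # Constant-time compare; the MAC is what actually authenticates the sender.
        if not hmac.compare_digest(expected, mac_b):
            return None
        try:
            seq = int(seq_b)
        except ValueError:
            return None
        if seq <= self.last_seq:
            return None  # replay of an old (genuine) datagram
        self.last_seq = seq
        return status_b.decode("ascii", errors="replace")


def demo() -> Dict[str, Optional[str]]:
    """Feed one genuine and one forged datagram to both consumers."""
    genuine = build_status(1, "ONBATT", SHARED_KEY)
    # Attacker knows the layout but not the key, so fills in a bogus MAC.
    forged = b"2|ONBATT|" + b"0" * 64
    consumer = AuthenticatedConsumer(SHARED_KEY, TRUSTED_UPS_HOST)
    return {
        # the trusting consumer acts on a forgery from an arbitrary host
        "insecure_forged": insecure_accept(forged, "192.168.1.66"),
        "auth_genuine": consumer.accept(genuine, TRUSTED_UPS_HOST),
        # a forged MAC fails even when the source address is spoofed
        "auth_forged_spoofed_src": consumer.accept(forged, TRUSTED_UPS_HOST),
        # the genuine datagram, captured and replayed, is also rejected
        "auth_replay": consumer.accept(genuine, TRUSTED_UPS_HOST),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run as a script it prints the four outcomes. The design point is that the source-address check alone would not have helped, since a UDP source is as easy to forge as the payload; only the keyed MAC plus the sequence check makes a shutdown decision safe to hang on the datagram.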
