OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: altomoNUDEHACKERS.COM
Date: Sun Feb 25 2001 - 21:30:08 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    altomonudehackers.com

    APC web/snmp management card

    Some APC products such as the symetra offer the option of adding a management
    card to allow an admin the ablilty to setup monitoring and notification. The
    card is accessable by snmp, web interface, and telnet. Itseems that only one
    telnet connection is allowed at a time.(problem 1). The telnet sesssion is
    authenticated by a user/password method, if the incorrect combination is
    entered 3 times no connections are allowed for the defined lockout time. Min.
    1 minute, max 10 minutes. (problem 2)

    Problem 1-

      Since only one connection is allowed to the telnet port an admin could be
    kept from connecting. Easy to reproduce.

    Problem 2- Lock out period. Lock out periods are a good thing, I really do
    like them. But when no one can connect its a bad thing. Since the lockout
    period can not be set to 0 an attacker could take advantage of this by sending
    3 incorrect login attempts to the unit and repeat every 60 secs using the
    minimal lockout time. Even if the admin has lockout set to 10 minutes it will
    keep repeating and work when it actually is enabled again.

    both of these are easy to reproduce.

    problem 1 - cat /dev/zero | nc ip-here 23 (ya ya dirty)
    problem 2 - attempt login 3 times, or run script attached.

    -Contacting APC -
    Contacted APC via email and informed they of what had been found and asked if
    this was going to be addressed in the future. The response received back was:

     "At this time the security on the web card is at its highest level. The only
      other suggestion is to make changes on the firewall."

    Well, not really what I wanted to hear but hey why not. I responded inorder
    to try one more time and received the same respone back.

    altomonudehackers.com