Home page logo

bugtraq logo Bugtraq mailing list archives

Re: APC UPS PowerChute PLUS exploit...
From: ipm () hp ufl edu (Iain P.C. Moffat)
Date: Mon, 13 Apr 1998 13:41:38 EASTERN

I could not say, but I would not be at all surprised.  APC had a
similar hole in earlier (pre mid last year) versions of their
powerchute nlm for netware.  When they released their Powerchute-VS
line the included software was able to manage (without
authentication) servers that were running the full version of
powerchute.  It basically allowed anyone to with the powerchute VS
software to manage the APC on the Powerchute server, and _yes_ you
could powerdown the server.  They do have newer version which should
fix this.  One of the versions is for Netware 4.x and supposedly
solves the problem via always authenticating to NDS.  I believe that
the version for Netware 3.x servers simply uses a new SAP type
(security through obscurity).  If this is the only change, then with
the appropriate tools (Powerchute-VS hacked to listen to the new SAP
type) then the newer NLM for netware 3.x would have the same
liabilities. Gotta love it!


On 13 Apr 98 at 5:53, Chris Liljenstolpe - Network wrote:


     I hope that this UDP port (I haven't looked at PowerChute) is just used
by the UPS's to report problems, and that PowerChute doesn't use that to
make critical decisions (like shutdown).  I know PowerChute CAN be used to
shutdown the system, I just don't know if that feature can be triggered by a
network reported event.  That makes for an even better exploit....


Iain P.C. Moffat
College of Health Professions
University of Florida
ipm () ufl edu

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]