Sign in to follow this  
Followers 0

APC Management Card Vulns

1 post in this topic

I recently bought an APC AP9211 MasterSwitch, which is a remote controllable 8-outlet PDU. It's got 8 switchable standard outlets so you can poweron/poweroff/reboot machines remotely. It came with an AP9606 web/SNMP management card, which is usable in a bunch of older UPSes and such. The AP9211 is an older unit, but switching power on and off isn't very complicated, and the newer units mostly boast features I don't really need (built in power meters, "too much current" type alerts, et c.), so I bought a cheap AP9211 online. It of course came with an existing, non-reset configuration. The official guide sez to use a serial cable to reset passwords, but I didn't have a USB -> RS232 adapter on hand, so I looked for known vulnerabilities in the management card, and found this little gem:


Looks like you can dump the EEPROM over a telnet session using a master password that the factory uses to configure new systems (setting things like MAC addresses). I fired up tcpdump and power-cycled the unit to try and figure out what IP/subnet it was configured for. Got an ARP request and grabbed it -- Sure enough, telnet in, enter any username and the master password, and you end up in debug firmware! I was able to get the existing password from EEPROM and log in.


I could see maybe having this feature on the console port of the management card, but it sure does seem short-sighted to put it on the telnet interface! I wonder how many of these things are still in service -- betting quite a few, since the management cards work in a bunch of different APC products, and things like the MasterSwitch don't really become less useful with age.


Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
Followers 0