Sign in to follow this  
Followers 0
systems_glitch

APC Management Card Vulns

1 post in this topic

I recently bought an APC AP9211 MasterSwitch, which is a remote controllable 8-outlet PDU. It's got 8 switchable standard outlets so you can poweron/poweroff/reboot machines remotely. It came with an AP9606 web/SNMP management card, which is usable in a bunch of older UPSes and such. The AP9211 is an older unit, but switching power on and off isn't very complicated, and the newer units mostly boast features I don't really need (built in power meters, "too much current" type alerts, et c.), so I bought a cheap AP9211 online. It of course came with an existing, non-reset configuration. The official guide sez to use a serial cable to reset passwords, but I didn't have a USB -> RS232 adapter on hand, so I looked for known vulnerabilities in the management card, and found this little gem:

 

http://mccltd.net/blog/?p=36

 

Looks like you can dump the EEPROM over a telnet session using a master password that the factory uses to configure new systems (setting things like MAC addresses). I fired up tcpdump and power-cycled the unit to try and figure out what IP/subnet it was configured for. Got an ARP request and grabbed it -- 10.24.40.18/16. Sure enough, telnet in, enter any username and the master password, and you end up in debug firmware! I was able to get the existing password from EEPROM and log in.

 

I could see maybe having this feature on the console port of the management card, but it sure does seem short-sighted to put it on the telnet interface! I wonder how many of these things are still in service -- betting quite a few, since the management cards work in a bunch of different APC products, and things like the MasterSwitch don't really become less useful with age.

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0