Bugtraq mailing list archives
Security flaw with Powerchute Plus 4.2 and a fix
From: aleph1 () DFW NET (Aleph One)
Date: Wed, 7 May 1997 11:32:46 -0500
From: Ken Sallot <KEN () CONDOR CIRCA UFL EDU>
Date: Fri, 2 May 1997 09:14:40 -0700
Message-ID: <107BA2F140C () condor circa ufl edu>
Newsgroups: bit.listserv.novell
MIME-Version: 1.0

Fellow Powerchute users,

Last week I discovered a major security flaw with APC's Powerchute Plus v4.2 for Netware (a graceful shutdown software). Due to the nature of the security flaw I will not go into the details here, but let me just say it can cause a loss of service to your users. Please do not email me for details on this matter as I've got a busy work week ahead of me. This flaw has been verified by several other people at the University of Florida, and APC has been notified of it and is working on a fix.

I've done some testing this morning, and I've found a solution that works, but for some it may be giving up more than you want.

Powerchute broadcasts SAP type 37e, not 004, not 107, not 160. Enabling a SAP filter on the outgoing IPX packets on each of your file servers running Powerchute, for SAP type 37e and specifically that file server, will prevent the flawed Powerchute client from ever finding the server. This is also a more secure way of preventing people from attacking the server (if there is a filter only on the subnet router, what is to prevent people on your subnet from attacking your server?).

In Netware 4.1/4.11 this can be done easily enough. I am not addressing Netware 3 because I do not work in a Netware 3 shop, but I have it on good faith that it can be done if one reads the manual.

1. Make sure you have all of the Powerchute NLMs loaded.
2. Load INETCFG, enable filtering support under the IPX protocol options menu.
3. Load FILTCFG, select IPX, select outgoing SAP filters, enable it, action should be "Deny services in Filter List", then press enter on the option "Filters".
4. Press insert to add a new filter. Press insert on the option for the service name; when the scroller comes up type "PC", which should bring you to the start of the Powerchute SAPs, find your file server name in there and press enter.
5. Go to "Service Type", press enter. Enter "37e" (the Powerchute SAP type). Press Enter.
6. Go to the comment field and write some derogatory remark about how Powerchute security must have been designed by the engineers at Microsoft (or whatever you like).
7. Press F10 to save the entry. Press escape and yes until you're back at the console prompt.
8. Now, very important, type "REINITIALIZE SYSTEM". No connections should be lost, but the filtering will go into effect.
9. Sit back, wait two minutes, load up the Powerchute Windows client and see if your server shows up. If it doesn't, you did good.

Powerchute will still function in its capacity to do a graceful shutdown. However, it will not work in its capacity to be remotely managed. If you can live with this, then you may use this workaround.

Good luck,

Ken Sallot
CIRCA, The University of Florida
352-392-2007
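As an added illustration of the final check in the post above (load the client and see whether the server still shows up), the following Python decoder is not part of the original message or of APC's software. It parses IPX SAP response packets captured leaving a server and reports any server still advertised under the PowerChute service type, so the outgoing SAP filter can be verified from a capture rather than from the Windows client. It assumes Novell's published SAP layout (30-byte IPX header, 2-byte operation, 64-byte entries, big-endian fields), reads the post's "37e" as hex 0x037E, and uses constructed server names, addresses and socket numbers for the sample packets.

```python
import struct

# Layout constants follow Novell's IPX/SAP format (an assumption of this
# example; the post itself only names the service type). The post's "37e"
# is read here as hex 0x037E.
IPX_HEADER_LEN = 30
SAP_SOCKET = 0x0452            # well-known IPX socket for SAP
SAP_OP_GENERAL_RESPONSE = 2
SAP_OP_NEAREST_RESPONSE = 4
SAP_ENTRY_LEN = 64
SAP_TYPE_FILE_SERVER = 0x0004  # the "004" the post contrasts with
SAP_TYPE_POWERCHUTE = 0x037E   # PowerChute Plus advertisement (from the post)

# checksum, length, transport control, packet type, dst net/node/socket, src net/node/socket
IPX_HDR_FMT = ">HHBB4s6sH4s6sH"
# service type, server name (NUL padded), network, node, socket, intermediate networks
SAP_ENTRY_FMT = ">H48s4s6sHH"


def build_sap_response(entries, src_node=b"\x00\x00\x1b\x2c\x3d\x4e"):
    """Build a SAP general-service-response packet as a NetWare server emits it.
    entries: iterable of (service_type, name, network, node, socket, hops).
    Used here only to construct sample traffic."""
    body = struct.pack(">H", SAP_OP_GENERAL_RESPONSE)
    for stype, name, net, node, sock, hops in entries:
        body += struct.pack(SAP_ENTRY_FMT, stype, name.encode("ascii"), net, node, sock, hops)
    header = struct.pack(IPX_HDR_FMT,
                         0xFFFF, IPX_HEADER_LEN + len(body), 0, 4,
                         b"\x00\x00\x00\x01", b"\xff" * 6, SAP_SOCKET,   # broadcast to SAP socket
                         b"\x00\x00\x00\x01", src_node, SAP_SOCKET)
    return header + body


def parse_sap(packet):
    """Parse an IPX SAP packet into (operation, [entry dicts]).
    Raises ValueError if the packet is not addressed to the SAP socket."""
    if len(packet) < IPX_HEADER_LEN + 2:
        raise ValueError("packet too short for IPX header plus SAP operation")
    fields = struct.unpack(IPX_HDR_FMT, packet[:IPX_HEADER_LEN])
    dst_socket = fields[6]
    if dst_socket != SAP_SOCKET:
        raise ValueError("not a SAP packet (destination socket 0x%04x)" % dst_socket)
    (operation,) = struct.unpack(">H", packet[IPX_HEADER_LEN:IPX_HEADER_LEN + 2])
    entries = []
    offset = IPX_HEADER_LEN + 2
    while offset + SAP_ENTRY_LEN <= len(packet):
        stype, name, net, node, sock, hops = struct.unpack(
            SAP_ENTRY_FMT, packet[offset:offset + SAP_ENTRY_LEN])
        entries.append({
            "type": stype,
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "network": net.hex(), "node": node.hex(), "socket": sock, "hops": hops,
        })
        offset += SAP_ENTRY_LEN
    return operation, entries


def powerchute_advertisements(packet):
    """Names of servers this packet advertises under the PowerChute SAP type."""
    operation, entries = parse_sap(packet)
    if operation not in (SAP_OP_GENERAL_RESPONSE, SAP_OP_NEAREST_RESPONSE):
        return []
    return [e["name"] for e in entries if e["type"] == SAP_TYPE_POWERCHUTE]


def sap_filter_leaks(outgoing_packets, server_name):
    """Check for the outgoing SAP filter described in the post: given SAP packets
    captured leaving the server, return the indices of any that still advertise
    server_name under type 37e. An empty list means the filter holds."""
    return [i for i, pkt in enumerate(outgoing_packets)
            if server_name in powerchute_advertisements(pkt)]


# Constructed samples: server name, addresses and the PowerChute socket are made up.
_NET, _NODE = b"\x00\x00\x00\x01", b"\x00\x00\x1b\x2c\x3d\x4e"
SAMPLE_BEFORE_FILTER = build_sap_response([
    (SAP_TYPE_FILE_SERVER, "FS1", _NET, _NODE, 0x0451, 1),
    (SAP_TYPE_POWERCHUTE, "FS1", _NET, _NODE, 0x4000, 1),   # entry the flawed client looks for
])
SAMPLE_AFTER_FILTER = build_sap_response([
    (SAP_TYPE_FILE_SERVER, "FS1", _NET, _NODE, 0x0451, 1),  # 37e entry no longer sent
])

if __name__ == "__main__":
    print("before filter:", sap_filter_leaks([SAMPLE_BEFORE_FILTER], "FS1"))  # [0]
    print("after filter: ", sap_filter_leaks([SAMPLE_AFTER_FILTER], "FS1"))   # []
```

Feeding real captures means slicing each IPX frame out of the link-layer header first; the parser deliberately rejects anything not addressed to socket 0x0452 so that ordinary NCP or RIP traffic is not misread as SAP entries. Note that the file-server entry (type 004) still passes, which matches the post: only the 37e advertisement is suppressed, so graceful shutdown keeps working while remote management does not.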