Bugtraq mailing list archives
Re: APC UPS PowerChute PLUS exploit...
From: ipm () hp ufl edu (Iain P.C. Moffat)
Date: Mon, 13 Apr 1998 13:41:38 EASTERN
I could not say, but I would not be at all surprised. APC had a similar hole in earlier (pre mid last year) versions of their PowerChute NLM for NetWare. When they released their PowerChute-VS line, the included software was able to manage (without authentication) servers that were running the full version of PowerChute. It basically allowed anyone with the PowerChute VS software to manage the APC on the PowerChute server, and _yes_ you could power down the server.

They do have a newer version which should fix this. One of the versions is for NetWare 4.x and supposedly solves the problem by always authenticating to NDS. I believe that the version for NetWare 3.x servers simply uses a new SAP type (security through obscurity). If this is the only change, then with the appropriate tools (PowerChute-VS hacked to listen to the new SAP type) the newer NLM for NetWare 3.x would have the same liabilities.

Gotta love it!

-Iain

On 13 Apr 98 at 5:53, Chris Liljenstolpe - Network wrote:

> Greetings, I hope that this UDP port (I haven't looked at PowerChute) is just used by the UPSes to report problems, and that PowerChute doesn't use that to make critical decisions (like shutdown). I know PowerChute CAN be used to shut down the system, I just don't know if that feature can be triggered by a network reported event. That makes for an even better exploit....
>
> Chris
*******************************************
Iain P.C. Moffat
College of Health Professions
University of Florida
ipm () ufl edu
*******************************************