Bugtraq mailing list archives

Re: FW: APC UPS PowerChute PLUS exploit...


From: jesus () OMNITI COM (Theo Schlossnagle)
Date: Thu, 13 Aug 1998 18:55:07 -0400


Andre M. Hedrick wrote:

WRT "PowerChute" and "WebAgent",

Words from "Ted Ives", APCC's software production manager of "PC" and "WA",
there is no way for TCP access.  PowerChute is not capable of doing
network sharing protocols.  I know this for a fact from conversations with
Ted and Ken A., senior unix programmer.  They use the UDP access through a
SNMP port that can not be disclosed.  As for granting of TCP access, you
are required to run a remote webserver with "WebAgent" overlaid, somehow,
to broadcast UPS status from "PowerChute" to that "remote webserver".

Thus IMHO, there is no way for you to easily punch a hole in that security
method, due to the difficulty of maintaining a UDP connection as an unlisted
manager.  Since the service port is below 2000, you run into the super
user status limits.

I don't know if I understand you correctly, but the UDP broadcasts from
upsd running on the system with the APCC plugged into it are not only
easy to read, they are also easy to spoof.  If one machine is relying on
these UDP packets (e.g. shutting down if one comes in with an "on
battery" for a certain period of time), this could be BAD.  As far as I
know, no one is that naive.  But the UDP ports that status requests and
responses are sent on are 654[789].  An easy way to crash it is to send a
spurious packet to 6549.  My program earlier posted on BugTraq
(downupsd.c) did this.  I have also written numerous programs that
monitor UPSs from afar using this UDP status mechanism.  I actually keep
these running despite the security mechanisms (none of my machines
depend on info from them AND no one that I know of has gotten a
root shell through this) in order to monitor building surges and wiring
faults.  (Pretty nifty use and CHEAP when you compare the price of a few
SmartUPSs you ALREADY own and hiring a professional to come in and hang
out until something bad happens.)
If anyone is interested in communications over UDP with the APCC upsd
daemon, write me personally; it has no place on BugTraq.


--
Theo Schlossnagle
Senior Systems Engineer
33131B65/2047/71 F7 95 64 49 76 5D BA  3D 90 B9 9F BE 27 24 E7

DISCLAIMER:  The spelling and grammar usage above does not reflect the
intelligence of the author.  A sendmail patch provides pre-delivery
grammar and spelling mutation to reduce certain suspicions concerning the
author's whereabouts and activities.
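The risk Theo describes above is a consumer acting on a single unauthenticated UDP status datagram. The following is an added example, not code from the thread, from APC, or from upsd; it assumes a constructed plain-text payload (the real PowerChute/upsd format is not shown on this page) and illustrates the two checks a listener on ports 6547-6549 should apply: accept status only from the known upsd host, and act only on a sustained "on battery" condition.

```python
"""Defensive receiver logic for unauthenticated UDP UPS status datagrams.

Added example. Records are constructed (timestamp_seconds, source_ip,
dest_port, payload) tuples with a plain-text payload; this is NOT the
real upsd/PowerChute wire format, which the thread does not describe.
"""
from collections import Counter

UPS_STATUS_PORTS = {6547, 6548, 6549}   # ports named in the thread


def filter_trusted(datagrams, trusted_host):
    """Keep only status datagrams from the known upsd host.

    Returns (accepted, dropped_by_source); a burst of drops from one
    source is the signal a monitoring system should alert on.
    """
    accepted, dropped = [], Counter()
    for ts, src, port, payload in datagrams:
        if port not in UPS_STATUS_PORTS:
            continue
        if src != trusted_host:
            dropped[src] += 1          # spoofed or unexpected sender
            continue
        accepted.append((ts, payload))
    return accepted, dropped


def should_shutdown(datagrams, trusted_host, min_on_battery_seconds):
    """True only if the trusted host reported 'on battery' continuously
    (no intervening 'on line') for at least min_on_battery_seconds."""
    accepted, _ = filter_trusted(datagrams, trusted_host)
    on_battery_since = None
    for ts, payload in accepted:
        if payload == "on battery":
            if on_battery_since is None:
                on_battery_since = ts
            elif ts - on_battery_since >= min_on_battery_seconds:
                return True
        else:
            on_battery_since = None    # any 'on line' report resets the clock
    return False


# Constructed sample traffic: the real upsd at 10.0.0.5 stays 'on line'
# while a rogue host at 10.0.0.99 injects 'on battery' claims for 2 minutes.
SAMPLE = [
    (0,   "10.0.0.5",  6549, "on line"),
    (10,  "10.0.0.99", 6549, "on battery"),
    (20,  "10.0.0.99", 6549, "on battery"),
    (130, "10.0.0.99", 6549, "on battery"),
    (140, "10.0.0.5",  6549, "on line"),
]
```

With the sample above, `should_shutdown(SAMPLE, "10.0.0.5", 60)` stays False and `filter_trusted` reports three dropped datagrams from 10.0.0.99, which is the event worth logging.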


