Bugtraq mailing list archives
Re: FW: APC UPS PowerChute PLUS exploit...
From: jesus () OMNITI COM (Theo Schlossnagle)
Date: Thu, 13 Aug 1998 18:55:07 -0400
Andre M. Hedrick wrote:
WRT "PowerChute" and "WebAgent", Words from "Ted Ives", APCC's software production manager of "PC" and "WA", there is no way for TCP access. PowerChute is not capable of doing network sharing protocols. I know this for a fact from conversations with Ted and Ken A., senior unix programmer. They use the UDP access through a SNMP port that cannot be disclosed. As for granting of TCP access, you are required to run a remote webserver with "WebAgent" overlaid, somehow, to broadcast UPS status from "PowerChute" to that "remote webserver". Thus IMHO, there is no way for you to easily punch a hole in that security method, due to the difficulty of maintaining a UDP connection as an unlisted manager. Since the service port is below 2000, you run into the super user status limits.
I don't know if I understand you correctly, but the UDP broadcasts from upsd running on the system with the APCC plugged into it are not only easy to read, they are also easy to spoof. If one machine is relying on these UDP packets (e.g. shutting down if one comes in with an "on battery" for a certain period of time) this could be BAD. As far as I know, no one is that naive. But the UDP port that status requests and responses are sent on is 654[789]. An easy way to crash it is to send a spurious packet to 6549. My program earlier posted on BugTraq (downupsd.c) did this.

I have also written numerous programs that monitor UPSs from afar using this UDP status mechanism. I actually keep these running despite the security mechanisms (none of my machines depend on info from them AND no one that I know of has exploited this to a root shell) in order to monitor building surges and wiring faults. (Pretty nifty use and CHEAP when you compare the price of a few SmartUPSs you ALREADY own and hiring a professional to come in and hang out until something bad happens.)

If anyone is interested in communications over UDP with the APCC upsd daemon write me personally, it has no place on BugTraq.

--
Theo Schlossnagle
Senior Systems Engineer
33131B65/2047/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7
DISCLAIMER: The spelling and grammar usage above does not reflect the intelligence of the author. A sendmail patch provides pre-delivery grammar and spelling mutation to reduce certain suspicions concerning the author's whereabouts and activities.