Date: Wed, 24 Nov 1999 23:44:01
From: Mark Frieden <mfrieden@ARIZONA.EDU>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: APC PowerChute Plus 5.1 NT (Denial of Service Attack).
--------------------------------------------------------------------------------
A letter to APC (American Power Conversions Inc.):
I have discovered a "Denial of Service attack" on your PowerChute Plus 5.1
(Windows NT) software.
I was doing some port scans of our servers to see what all was running. I
noticed that two of our servers (which also happen to be connected to
SmartUPS 2200 w/serial cable and running PowerChute Plus 5.1 NT) had ports
6667 and 6668 available. I was alarmed because 6667 and 6668 are typically
used for IRC (Internet Relay Chat). In the recent past we had some
computers broken into for use as IRC clients/servers.
I tried to connect to the servers with a standard IRC client configured for
port 6667. The connection was refused. So at least the servers were not
open to just anyone.
Then I noticed that the UPS Service (PowerChute 5.1) was not running on the
server. The service apparently just crashed. There was no indication of
"Stopped" or "Started" when looking at NT Services. Just a blank. I then
started the UPS Service and it came up just fine. I tried the IRC
connection again and once again the UPS Service stopped running. I tried
connecting to the server with the PowerChute Plus 5.1 client on my PC. It
was not able to find the server until I started the UPS Service again.
I also tried connecting with a remote IRC client (outside our subnet and
outside the University campus). Again the UPS Service crashed and had to be
restarted.
This behavior occurs with both of our NT servers that are connected to
SmartUPS 2200's with the same PowerChute Plus 5.1 version installed.
It appears that anyone with readily obtainable IRC client software can
attempt a connection and crash the NT UPS PowerChute Service from anywhere
on the Internet.
I brought this to the attention of APC and here is what they sent back:
Mark,
Thanks for running this by this, this sort of thing is of course a high
priority for us.
I checked with our development team, this issue was discovered internally
and has been fixed in 5.2 to the degree that PowerChute can't be crashed by
IRC software. Still uses the same ports however, we have been looking at
changing that in a future rev but your point about not being able to get
graceful shutdown on an IRC is a good one, we need to look at
re-prioritizing that.
5.2 for NT 4.0 should ship around the end of December (before the W2K
version). If you could download the beta off our web site and beat the heck
out of it & give it your best shot at crashing we'd appreciate it - we've
had good luck in our development labs but it helps a lot to have people
beating on it.
Thanks and if you find any other issues please let me know,
Ted Ives
PowerChute plus Product Manager
Some additional notes:
I only have production servers so I don't plan on downloading and installing
the 5.2 Beta version of their software.
I shut off ports 6667 and 6668 (both local and destination ports) to our
VLAN so that we are now protected from this attack. It also means that no
one can do IRC in or out of our building.
=================================================
Mark Frieden
Systems & Network Manager
Optical Sciences Center
University of Arizona
Tucson, AZ 85721
mfrieden@Arizona.EDU
http://www.optics.arizona.edu/systems Voice: 520.621.8838
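An added detection example, not part of the original post or of APC's software: until the ports are filtered as described above, a monitor can correlate accepted inbound connections to 6667/6668 with the UPS service stopping on the same host shortly afterwards. The firewall and service-state log formats, and every address in them, are constructed for illustration.

```python
"""Flag UPS-service stops that follow an inbound connection to the
PowerChute ports. Log formats and all addresses below are constructed."""
from datetime import datetime, timedelta
PC_PORTS = {6667, 6668}  # ports PowerChute Plus 5.1 was seen listening on
# Constructed firewall log of accepted inbound TCP flows (documentation IPs)
FW_LOG = """\
1999-11-24 23:10:02 ACCEPT TCP 10.0.5.77:1034 -> 198.51.100.10:6667
1999-11-24 23:10:40 ACCEPT TCP 10.0.5.77:1035 -> 198.51.100.10:80
1999-11-24 23:31:15 ACCEPT TCP 192.0.2.44:4021 -> 198.51.100.11:6668
"""
# Constructed service-state log: timestamp, host, service name, new state
SVC_LOG = """\
1999-11-24 23:10:05 198.51.100.10 "UPS" STOPPED
1999-11-24 23:12:30 198.51.100.10 "UPS" STARTED
1999-11-24 23:31:17 198.51.100.11 "UPS" STOPPED
1999-11-24 23:50:00 198.51.100.12 "UPS" STOPPED
"""

def _ts(date, time):
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")

def parse_fw(text):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for accepted TCP flows."""
    for line in text.splitlines():
        p = line.split()
        if len(p) != 7 or p[2] != "ACCEPT" or p[3] != "TCP":
            continue  # skip malformed or non-matching lines
        dst_ip, dst_port = p[6].rsplit(":", 1)
        yield _ts(p[0], p[1]), p[4].rsplit(":", 1)[0], dst_ip, int(dst_port)

def parse_svc(text):
    """Yield (timestamp, host, service, state) from the service-state log."""
    for line in text.splitlines():
        p = line.split()
        if len(p) == 5:
            yield _ts(p[0], p[1]), p[2], p[3].strip('"'), p[4]

def correlate(fw_text, svc_text, window=timedelta(seconds=60)):
    """One alert per UPS STOPPED event on a host that occurs within `window`
    after an inbound connection to a PowerChute port on that same host."""
    suspect = [c for c in parse_fw(fw_text) if c[3] in PC_PORTS]
    alerts = []
    for ts, host, svc, state in parse_svc(svc_text):
        if svc != "UPS" or state != "STOPPED":
            continue
        for cts, src, dst, port in suspect:
            if dst == host and timedelta(0) <= ts - cts <= window:
                alerts.append({"host": host, "src": src, "port": port,
                               "conn_at": str(cts), "stopped_at": str(ts)})
    return alerts
```

The stop on 198.51.100.12 produces no alert because no connection to 6667/6668 preceded it, and the connection to port 80 is ignored.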