SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Device (Router/Bridge/Hub)  >  OfficeConnect Router (3Com) Vendors:  3Com
3Com OfficeConnect DSL Router Address Translation Hole Lets Remote Users Gain Unauthorized Access to Ports on Hosts Behind the Router
SecurityTracker Alert ID:  1004388
CVE Reference:  CAN-2002-0888   (Links to External Site)
Updated:  Feb 25 2004
Original Entry Date:  May 28 2002
Impact:  Host/resource access via network
Exploit Included:  Yes  
Version(s): Tested on V1.1.9 and V1.1.7 for the OCR812
Description:  An access control vulnerability was reported in 3Com's OfficeConnect Remote 812 ADSL router. A remote user may be able to gain access to systems behind the router when port address translation is used.

It is reported that, for systems behind the router, a remote user can connect to a port that is redirected using port address translation (PAT) and then immediately connect to a different port that is not subject to PAT redirection to gain access to the later port. Apparently, if this procedure is followed, the router will allow successive connections to any port using either TCP or UDP even though connection to the ports should be blocked by the router.

This can allow a remote user to conduct port scans against hosts that are behind the router and ostensibly protect by the router's packet filters.
Impact:  A remote user can connect to ports behind the router that are ostensibly blocked by the router.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.3com.com/ (Links to External Site)
Cause:  Access control error, State error
Reported By:  Ismael Briones <ismael@el-mundo.net>
Message History:   None.

 Source Message Contents
Date:  Mon, 27 May 2002 18:02:29 +0200
From:  Ismael Briones <ismael@el-mundo.net>
Subject:  Vulnerability in 3Com OfficeConnect Remote 812 ADSL Router

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Title:         Vulnerability in 3Com® OfficeConnect® Remote 812 ADSL Router
Date:        27-05-2002
Impact:     A vulnerability in PAT (Port Address Translation) allow access to
               all ports in the computer behind the router.
Author:     Ismael Briones Vilar (ismael@el-mundo.net)


PROBLEM SUMMARY:

    There is a problem in PAT(Port Address Translation) that can be used to
access all ports in the computer behind the router. When we try to connect to
a port that is not redirected to a computer behind the router using PAT,
there is no problem, the router don't allow this connection. But if before we
connect to a port redirected using PAT and inmediately we try to connect to
any port not redirected using PAT, the router allows the successive
connections to any port. The problem exists with TCP and with UDP.

     Probed in firmware versions:  V1.1.9 and V1.1.7 for the OCR812. For
     customers of SKU's 3CP4144  (Telefónica S.A. (Spain) use this model for
     DSL)

IMPACT:

   Allow access to all ports in the computer behind the router. If you find a
   port redirected using PAT, you can access all ports, make scans,..... and
   all you can imagine.

SOLUTION:

   Use firewalls in the computers behind the router or wait for a firmware
update   ;-)

STATUS:

   I have been searching 3Com web for an email to submit this bug, but i
haven't find any reference to security advisories. So i have decided to send
the advisorie to bugtraq first.



Special Thanks to: Pask, J.M. Gomez, Manolo and Morales.

- -- 
- --------------------------------------------------
Ismael Briones Vilar		Mundinteractivos - El Mundo      
Area de Internet		Pradillo, 42                     
ismael@el-mundo.net		28002 - Madrid (SPAIN, EU)       
http://www.elmundo.es/		Tel: (+34) 915864800 (Ext: 4615) 
				Fax: (+34) 915864480
- --------------------------------------------------
GPG PubKey:
fingerprint: 8FD8 1450 29AC 5B5F 4186  0417 B67A 978F 281C D54F
http://pgp.rediris.es:11371/pks/lookup?op=get&search=0x281CD54F
- --------------------------------------------------

"Technically, Windows is an 'operating system,' which means that 
it supplies your computer with the basic commands that it needs 
to suddenly, with no warning whatsoever, stop operating."
						Dave Barry

"Good artists copy, great artists steal."    
		      Pablo Picasso


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE88liYtnqXjygc1U8RAivlAJ9xqUIbtWagqvTIEknJkranCbc6oACffbRB
gVyScjBN7d4Wj0Rf9kZoG5U=
=vg59
-----END PGP SIGNATURE-----


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2004, SecurityGlobal.net LLC