SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Device (Router/Bridge/Hub)  >   3Com Router Vendors:   3Com
3Com OfficeConnect ADSL Wireless 11g Firewall Authentication Flaw May Let Remote Users Hijack Sessions and DHCP Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1011771
SecurityTracker URL:  http://securitytracker.com/id/1011771
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 18 2004
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Model 3CRWE754G72-A
Description:   Several vulnerabilities were reported in the 3Com OfficeConnect ADSL Wireless 11g Firewall (Model 3CRWE754G72-A). A remote user can conduct a cross-site scripting attack against the administrator. A remote user may be also able to hijack an administrative session.

Cyrille Barthelemy reported that the device does not filter HTML code from DHCP requests before displaying the information via the administrative interface. A remote user can send a specially crafted request. Then, when the target administrator reviews the log, arbitrary scripting code will be executed by the target administrator's browser. The code will originate from the device's web interface and will run in the security context of that site. As a result, the code will be able to access the target administrator's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the target administrator.

A demonstration exploit is provided:

dhcping -opttype 'REQUEST' -opthostname '<h1>Oops</h1>' -z

It is also reported that a remote user can connect to the management interface to determine the IP address of any administrator that is currently logged in (if any). Then, the remote user may be able to spoof the IP address and hijack the connection.

It is also reported that a remote authenticated user (or a remote user with the ability to hijack an administrative session as previously described) can access the binary configuration file to obtain the administrator password, WEP key, and WEP passphrase. The configuration file URL is:

http://192.168.0.1/cgi-bin/config.bin

A remote authenticated user (or a remote user that has hijacked the administrative session) can clear the log file. A demonstration exploit command is provided:

w3c -post http://192.168.0.1/cgi-bin/statusprocess.exe -form "securityclear=1"

The vendor was notified on August 24, 2004.
Impact:   A remote user can access the target administrator's cookies (including authentication cookies), if any, associated with the site running the vulnerable software, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the target administrator.

A remote user may be able to hijack and administrative session, and can then access the administrator's password and the WEP key and passphrase.
Solution:   The vendor has issued a fix, available at:

http://www.3com.com/products/en_US/result.jsp?selected=6&sort=effdt&sku=3CRWE754G72-A&order=desc
Vendor URL:  www.3com.com/prod/pl_PL_EMEA/detail.jsp?tab=features&sku=3CRWE754G72-A (Links to External Site)
Cause:   Authentication error, Input validation error
Underlying OS:  

Message History:   None.

 Source Message Contents
Date:  Mon, 18 Oct 2004 14:14:10 +0200
Subject:  [Full-Disclosure] 3COM 3crwe754g72-a Information Disclosure, Logs manipulation ...


Title: 3com 3crwe754g72-a Information Disclosure
Class: Design Error
Affects:
 3com 3crwe754g72-a 
      v 1.11
      v 1.13
      v 1.24
Id: cbsa-0000
Release Date: 2004 10 18
Author : Cyrille Barthelemy <cb-publicbox@ifrance.com>




-- 1. Introduction 
------------------
3Com 3crwe754g72-a is a bundle product which provides various services
(adsl modem, 802.11b/g access point, router, dhcp server, snmp node ...).
All services are manageable using a web interface.

This product suffers from the following vulnerability :
     - information disclosure
     - clear text information storage
     - bad authentication design

which lead to some risks :
     - password and wep key retrieval
     - administrator logout by a third party
     - log clean


-- 2. Information disclosure
---------------------------
The product allows only one administrator to manage the device at the same 
time, when another client connect to the interface, the device display the ip 
address of the current administrator.
The web server has an Ip based authentication, using this we can reconfigure 
our network interface to use the same ip and access to the device.


-- 3. Clear text information storage
------------------------------------
Using the previous information, the device allow us to fetch its current 
configuration using, accessing the following URL : 
'http://192.168.0.1/cgi-bin/config.bin'

This file contain the following interestant informations (offets may vary with 
versions)
 - clear text administrator password (offset 0x68, 0xE20 and 0xE7F0)
 - clear text wep key (offset 0xDD70)
 - wep passphrase (offset 0xDDDC)

-- 4. Administrator logout
--------------------------
With the same technique it is possible to logout the currently logged 
administrator using

user% wget http://192.168.0.1/cgi-bin/logout.exe

-- 5. Log cleaning
------------------
With the same technique all traces can be erased using the command

user% w3c -post http://192.168.0.1/cgi-bin/statusprocess.exe -form 
"securityclear=1"


-- 6. Solution
--------------
Apply the fix released by 3com available at :
http://www.3com.com/products/en_US/result.jsp?selected=6&sort=effdt&sku=3CRWE754G72-A&order=desc

-- 8. References
----------------
   - 3com website 
     http://www.3com.com/support


-- 11. History
--------------
2004-07-02.
 - Vulnerability discovered
2004-08-24
 - 3com contacted at security@3com.com
2004-09-08
 - vendor response
2004-10-14
 - patch available

-- 12. Contact information
------------------------
Cyrille Barthelemy <cb-publicbox@ifrance.com>
Web Site : http://www.cyrille-barthelemy.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC