SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Device (Router/Bridge/Hub)  >   3Com Router Vendors:   3Com
3Com OfficeConnect Wireless Gateway Discloses Configuration File to Remote Users
SecurityTracker Alert ID:  1021696
SecurityTracker URL:  http://securitytracker.com/id/1021696
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Feb 10 2009
Impact:   Disclosure of authentication information, Disclosure of system information
Exploit Included:  Yes  
Version(s): Model 3CRWE554G72, Hardware version: 3COM_AP51_v01, Software version: 1.2.0 - Nov 14,2006
Description:   Luca Carettoni reported a vulnerability in the 3Com OfficeConnect Wireless Cable/DSL Gateway. A remote user can obtain sensitive information from the configuration file.

If the "Backup Configuration" system tool has been invoked by the administrator, a remote user can invoke the 'SaveCfgFile.cgi' script to obtain the 'config.bin' system configuration file, which contains configuration information, usernames, passwords, WIFI keys, and other potentially sensitive information.

A remote user on the Internet interface can exploit this flaw if "Remote Administration" has been enabled.

A demonstration exploit URL is provided:

http://[target]/SaveCfgFile.cgi

The vendor was notified on December 8, 2008, without response.

Impact:   A remote user can obtain the configuration file, which contains configuration information, usernames, passwords, WIFI keys, and other potentially sensitive information.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.3com.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Mon, 9 Feb 2009 16:48:02 +0100
Subject:  3Com OfficeConnect Wireless Cable/DSL Router Authentication Bypass

====================================================
Security Research Advisory

Vulnerability name:
"3Com OfficeConnect Wireless Cable/DSL Router Authentication Bypass"
Advisory number: LC-2008-05
Advisory URL: http://www.ikkisoft.com

====================================================
1) Affected Hardware/Software

* 3CRWE554G72
  (Hardware version: 3COM_AP51_v01, Software version: 1.2.0 - Nov 14,2006)

Product URL:
http://www.3com.com/products/en_US/detail.jsp?tab=features&sku=3CRWE554G72&pathtype=support

Other recent versions, as well as similar 3Com devices, may be affected
due to the shared firmware code base.

====================================================
2) Severity

Severity: Medium
Local/Remote: Remote

====================================================
3) Summary

"The 3Com OfficeConnect Wireless Cable/DSL Router is a high-speed, affordable,
and easy-to-use small office solution that lets wireless and wired PCs and
laptops securely share a single broadband Internet connection."

This device is very common due to the affordable price and versatility.
For these reasons it is widely installed by large telecom providers in
all Europe
(e.g. In Poland, Orange is currently deploying this device for its
residential DSL).

This device is prone to an authentication bypass vulnerability which permits
to retrieve the complete system configuration as well as the services
credentials (e.g. web console, wifi network).

====================================================
4) Vulnerability Details

The 3Com OfficeConnect Wireless Cable/DSL Router suffers an authentication
bypass vulnerability due to an improper authentication/authorization mechanism.

In order to manage the device, an easy to use web console is enabled by default
from the internal network and (optionally) from the Internet.
Even if the http daemon does not permit to access HTML pages and the
web console
without authentication, it is still possible to invoke and execute
existent CGI programs. Unfortunately, the "System
Tools-->Configuration-->Backup
Configuration" functionality saves the actual system configuration in a
persistent plain-text file named "config.bin" using a custom CGI program.
An unauthenticated user may directly invoke the "SaveCfgFile" CGI program and
easily download the system configuration containing configuration information,
users, passwords, wifi keys and other sensitive information.

Note: if the "Remote Administration" option is enabled, this vulnerability may
be exploited from the Internet as well.

Example of sensitive content within the "config.bin" file:
[...]
pppoe_username=xxxxxxxxxxxxxxx
pppoe_password=xxxxxxxxx
pppoe_service_name=xxxxxxxxx
[...]
mradius_username=xxxxxx
mradius_password=xxxxxx
mradius_secret=xxxxxxx
[...]
http_username=xxxxx
login_password=xxxxx
http_passwd=xxxxx
[...]
AuthName=xxxxxxx
AuthPassword=xxxx
snmpStatus=xxxxxxx
snmpRoCommunity=xxxxxxxx
snmpRwCommunity=xxxxxxxx
[...]
multi_dmz_wan_ip1=xxxxxxxxxx
[...]
lan_macaddr=xxxxxxxxxxxxx
[...]

Later on, looking for similar vulnerabilities in the Bugtraq database,
I've found a similar finding discovered by Patrik, cqure.net
(iDEFENSE Security Advisory 01.20.05). As far as I know and I can understand
from the firmware versions reported, this issue seems to be a further
authentication bypass technique due to an insufficient patch supplied
by the vendor.	

====================================================
5) Exploit

Attackers may exploit this flaw through a common web browser.

http://<IP>/SaveCfgFile.cgi

====================================================
6) Fix Information

To reduce the overall exploitability, disable the "Remote Administration"
option. However, a firmware update is required in order to resolve this issue.

====================================================
7) Time Table

08/12/2008 - Vendor notified via "3Com Vulnerability Disclosure Form"
??/??/???? - Vendor response.
??/??/???? - Vendor patch release.
09/02/2009 - Public disclosure.

====================================================
8) Credits

Discovered by Luca Carettoni - luca.carettoni[at]ikkisoft[dot]com

====================================================
9) Legal Notices

The information in the advisory is believed to be accurate at the time of
publishing based on currently available information.
This information is provided as-is, as a free service to the community.
There are no warranties with regard to this information.
The author does not accept any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
Permission is hereby granted for the redistribution of this alert, provided
that the content is not altered in any way, except reformatting, and that due
credit is given.

This vulnerability has been disclosed in accordance with the RFP
Full-Disclosure Policy v2.0, available at:
http://www.wiretrip.net/rfp/policy.html

====================================================


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC