Message-ID: <200410181414.10696.cb-lse@ifrance.com>
From: cb-lse at ifrance.com (Cyrille Barthelemy)
Subject: 3COM 3crwe754g72-a Information Disclosure, Logs manipulation ...

Title: 3com 3crwe754g72-a Information Disclosure
Class: Design Error
Affects:
 3com 3crwe754g72-a 
      v 1.11
      v 1.13
      v 1.24
Id: cbsa-0000
Release Date: 2004 10 18
Author : Cyrille Barthelemy <cb-publicbox@...ance.com>




-- 1. Introduction 
------------------
3Com 3crwe754g72-a is a bundled product that provides various services
(ADSL modem, 802.11b/g access point, router, DHCP server, SNMP node ...).
All services are manageable through a web interface.

This product suffers from the following vulnerabilities:
     - information disclosure
     - clear text information storage
     - bad authentication design

which lead to the following risks:
     - password and WEP key retrieval
     - administrator logout by a third party
     - log cleaning

-- 2. Information disclosure
---------------------------
The product allows only one administrator to manage the device at a time.
When another client connects to the interface, the device displays the IP
address of the current administrator.
The web server uses IP-based authentication, so we can reconfigure our
network interface to use the same IP address and gain access to the device.


-- 3. Clear text information storage
------------------------------------
Using the previous information, the device allows us to fetch its current
configuration by accessing the following URL:
'http://192.168.0.1/cgi-bin/config.bin'

This file contains the following interesting information (offsets may vary
with versions):
 - clear text administrator password (offsets 0x68, 0xE20 and 0xE7F0)
 - clear text WEP key (offset 0xDD70)
 - WEP passphrase (offset 0xDDDC)

-- 4. Administrator logout
--------------------------
With the same technique it is possible to log out the currently logged-in
administrator using:

user% wget http://192.168.0.1/cgi-bin/logout.exe

-- 5. Log cleaning
------------------
With the same technique all traces can be erased using the command

user% w3c -post http://192.168.0.1/cgi-bin/statusprocess.exe -form "securityclear=1"


-- 6. Solution
--------------
Apply the fix released by 3Com, available at:
http://www.3com.com/products/en_US/result.jsp?selected=6&sort=effdt&sku=3CRWE754G72-A&order=desc

-- 8. References
----------------
   - 3com website 
     http://www.3com.com/support


-- 11. History
--------------
2004-07-02
 - Vulnerability discovered
2004-08-24
 - 3com contacted at security@...m.com
2004-09-08
 - vendor response
2004-10-14
 - patch available

-- 12. Contact information
------------------------
Cyrille Barthelemy <cb-publicbox@...ance.com>
Web Site : http://www.cyrille-barthelemy.com
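
Added example, not part of the original advisory or of any 3Com code: because
the device's own log can be cleared (section 5), detection has to happen off
the device. This sketch flags requests to the CGI paths named above and any
IP address seen with more than one MAC address; the monitor log format and
the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Management CGI paths named in the advisory.
SENSITIVE = {
    "/cgi-bin/config.bin": "configuration download",
    "/cgi-bin/logout.exe": "administrator logout",
    "/cgi-bin/statusprocess.exe": "log clear",
}

# Assumed monitor log format: <time> <src_ip> <src_mac> <METHOD> <path> <body or ->
LINE = re.compile(r"^(\S+) (\S+) ([0-9a-f:]{17}) (GET|POST) (\S+) (\S+)$")

# Constructed sample lines, not captured traffic.
SAMPLE_LOG = """\
10:01:02 192.168.0.10 00:11:22:33:44:55 GET / -
10:07:40 192.168.0.10 66:77:88:99:aa:bb GET /cgi-bin/config.bin -
10:07:55 192.168.0.10 66:77:88:99:aa:bb GET /cgi-bin/logout.exe -
10:08:03 192.168.0.10 66:77:88:99:aa:bb POST /cgi-bin/statusprocess.exe securityclear=1
10:09:11 192.168.0.23 00:de:ad:be:ef:01 POST /cgi-bin/statusprocess.exe example=1
"""


def analyze(log_text):
    """Return (alerts, shared_ips) for a monitor log in the assumed format."""
    macs_by_ip = defaultdict(set)
    alerts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts, ip, mac, method, path, body = m.groups()
        macs_by_ip[ip].add(mac)
        route, _, query = path.partition("?")
        what = SENSITIVE.get(route)
        if what is None:
            continue
        # statusprocess.exe is only reported when the request clears the log
        if what == "log clear" and "securityclear=1" not in (query + "&" + body):
            continue
        alerts.append((ts, ip, mac, what))
    # One IP seen with several MACs: a second host is using the admin's address
    shared = {ip: sorted(s) for ip, s in macs_by_ip.items() if len(s) > 1}
    return alerts, shared


if __name__ == "__main__":
    alerts, shared = analyze(SAMPLE_LOG)
    for a in alerts:
        print("ALERT", *a)
    for ip, macs in shared.items():
        print("IP shared by several MACs:", ip, macs)
```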

