lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <200410181417.48929.cb-publicbox@ifrance.com>
From: cb-publicbox at ifrance.com (Cyrille Barthelemy)
Subject: 3COM 3crwe754g72-a Administration interface code injection (DHCP)

Title: 3COM 3crwe754g72-a Administration interface code injection
Class: Design error
Affects:
 3com 3crwe754g72-a 
      v 1.11
      v 1.13
      v 1.24
Id: cbsa-0001
Release Date: 2004-10-18
Author : Cyrille Barthelemy <cb-publicbox@...ance.com>

-- 1. Introduction 
------------------
3Com 3crwe754g72-a is a bundle product which provides misc services
(adsl modem, 802.11b/g access point, router, dhcp server, snmp agent ...).
All services are manageable using a web interface.

As reported in a previous advisory this product suffer from various 
vulnerability. The way DHCP REQUEST are handled allow an attacker to inject
code into the administration interface.

-- 2. Problem
-------------
The web interface used to administrate the router display a list of the DHCP
client with the following informations :
       - ip address allocated
       - hostname
       - MAC address
The second information can be submitted by a client using DHCP options, and no
content filtering will be done by the dhcp daemon or the web interface.


-- 3. Exploitation
------------------
The exploitation can be made using the DHCPing program with the following 
invocation:

root# dhcping -opttype 'REQUEST' -opthostname '<h1>Oops</h1>' -z

The injection seems is limited to 20 characters, but this limitation can be 
bypassed using the same technique descrubed by Gregory Duchemin (see 
References)


-- 4. Solution
--------------
Apply the firmware upgrade available at 3com support site :
http://www.3com.com/products/en_US/result.jsp?selected=6&sort=effdt&sku=3CRWE754G72-A&order=desc

-- 5. References
----------------
   - 3com website 
     http://www.3com.com

   - DHCPing web site 
     http://dhcping.openwall.net

   - DLINK 614+, script injection vulnerability
     http://securityfocus.com/archive/1/366615/2004-06-21/2004-06-27/0

-- 10. History
--------------
2004-07-02.
 - Vulnerability discovered
2004-08-24
 - 3com contacted at security@...m.com
2004-09-08
 - vendor response
2004-10-14
 - patch available

-- 11. Contact information
------------------------
Cyrille Barthelemy <cb-publicbox@...ance.com>
Web Site : http://www.cyrille-barthelemy.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ