[Full-Disclosure] 3COM 3crwe754g72-a Information Disclosure, Logs manipulation ...

From: Cyrille Barthelemy (cb-lse_at_ifrance.com)
Date: 10/18/04

    To: full-disclosure@lists.netsys.com
    Date: Mon, 18 Oct 2004 14:14:10 +0200
    
    

    Title: 3com 3crwe754g72-a Information Disclosure
    Class: Design Error
    Affects:
     3com 3crwe754g72-a
          v 1.11
          v 1.13
          v 1.24
    Id: cbsa-0000
    Release Date: 2004 10 18
    Author : Cyrille Barthelemy <cb-publicbox@ifrance.com>

    -- 1. Introduction
    ------------------
    3Com 3crwe754g72-a is a bundle product which provides various services
    (adsl modem, 802.11b/g access point, router, dhcp server, snmp node ...).
    All services are manageable using a web interface.

    This product suffers from the following vulnerabilities:
         - information disclosure
         - clear text information storage
         - bad authentication design

    which lead to the following risks:
         - password and WEP key retrieval
         - administrator logout by a third party
         - log cleaning

    -- 2. Information disclosure
    ---------------------------
    The product allows only one administrator to manage the device at a time;
    when another client connects to the interface, the device displays the IP
    address of the current administrator.
    The web server uses IP-based authentication, so a client on the same network
    can reconfigure its network interface to use that IP address and gain access
    to the device.

    -- 3. Clear text information storage
    ------------------------------------
    Using the previous technique, the device allows the client to fetch its
    current configuration by accessing the following URL:
    'http://192.168.0.1/cgi-bin/config.bin'

    This file contains the following sensitive information (offsets may vary
    between versions):
     - clear text administrator password (offsets 0x68, 0xE20 and 0xE7F0)
     - clear text WEP key (offset 0xDD70)
     - WEP passphrase (offset 0xDDDC)

    -- 4. Administrator logout
    --------------------------
    With the same technique it is possible to log out the currently logged-in
    administrator using

    user% wget http://192.168.0.1/cgi-bin/logout.exe

    -- 5. Log cleaning
    ------------------
    With the same technique, all traces can be erased using the command

    user% w3c -post http://192.168.0.1/cgi-bin/statusprocess.exe -form
    "securityclear=1"
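Sections 2, 4 and 5 are all consequences of one design error: the device treats "the request comes from the logged-in administrator's IP address" as the session credential, so a second host that adopts that address inherits every privilege, including the logout and log-clear actions. The following Python model is an added example, not code from the advisory or from 3Com; it contrasts that IP-bound design with a hardened variant that issues a random per-login secret, and the class names, the password constant and the IP addresses are constructed for the demonstration.

```python
"""Model of the authentication design in sections 2, 4 and 5 beside a
hardened variant. Constructed example, not 3Com firmware code."""

import hmac
import secrets

ADMIN_PASSWORD = "constructed-admin-password"  # constructed sample value


class IpBoundAdmin:
    """The advisory's design: the session identity is the client's IP."""

    def __init__(self):
        self.admin_ip = None

    def login(self, client_ip, password):
        """Returns (status, token); this design never issues a token."""
        if self.admin_ip is not None and self.admin_ip != client_ip:
            # Flaw 1 (section 2): the busy page discloses the admin's IP.
            return f"busy: administrator at {self.admin_ip}", None
        if not hmac.compare_digest(password, ADMIN_PASSWORD):
            return "denied", None
        self.admin_ip = client_ip
        return "ok", None

    def is_admin(self, client_ip, token=None):
        # Flaw 2: only the source IP is checked, so a second host that
        # reconfigures its interface to the same IP is indistinguishable.
        return self.admin_ip is not None and client_ip == self.admin_ip

    def logout(self, client_ip, token=None):
        if not self.is_admin(client_ip, token):
            return False
        self.admin_ip = None
        return True

    def clear_security_log(self, client_ip, token=None):
        # Section 5: the log-clear action is only as strong as is_admin().
        return self.is_admin(client_ip, token)


class TokenBoundAdmin(IpBoundAdmin):
    """Hardened variant: a random per-login secret is the credential; the
    source IP is kept only as an additional binding, never as the proof."""

    def __init__(self):
        super().__init__()
        self.token = None

    def login(self, client_ip, password):
        if self.token is not None and self.admin_ip != client_ip:
            return "busy", None  # busy, but without naming the other client
        if not hmac.compare_digest(password, ADMIN_PASSWORD):
            return "denied", None
        self.admin_ip = client_ip
        self.token = secrets.token_hex(16)  # would travel in a session cookie
        return "ok", self.token

    def is_admin(self, client_ip, token=None):
        return (
            self.token is not None
            and token is not None
            and hmac.compare_digest(token, self.token)
            and client_ip == self.admin_ip
        )

    def logout(self, client_ip, token=None):
        if not self.is_admin(client_ip, token):
            return False
        self.admin_ip = self.token = None
        return True


def run_scenario(design_cls, admin_ip="192.168.0.10", other_ip="192.168.0.77"):
    """Replays the advisory's scenario against one design and reports what a
    second host achieves. Every request carries (source IP, token); the second
    host first connects from its own IP, then adopts the admin's IP (section 2),
    and at no point holds the password or the token."""
    dev = design_cls()
    _, token = dev.login(admin_ip, ADMIN_PASSWORD)      # legitimate administrator
    busy, _ = dev.login(other_ip, "not-the-password")  # second host, own IP
    return {
        "busy_page_reveals_admin_ip": admin_ip in busy,
        "own_ip_is_admin": dev.is_admin(other_ip),
        "spoofed_ip_is_admin": dev.is_admin(admin_ip),             # admin IP, no token
        "spoofed_ip_clears_log": dev.clear_security_log(admin_ip),  # section 5
        "spoofed_ip_logs_out_admin": dev.logout(admin_ip),         # section 4
        "admin_still_logged_in": dev.is_admin(admin_ip, token),
    }


if __name__ == "__main__":
    for cls in (IpBoundAdmin, TokenBoundAdmin):
        print(cls.__name__, run_scenario(cls))
```

Under the IP-bound design the spoofing host is accepted, clears the log and ends the administrator's session; under the token-bound design every one of those requests is refused and the administrator stays logged in, because the credential is a secret the second host never received rather than an address it can copy. The busy page in the hardened variant also stops naming the current administrator, which removes the disclosure that made the address easy to pick in the first place.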

    -- 6. Solution
    --------------
    Apply the fix released by 3com available at :
    http://www.3com.com/products/en_US/result.jsp?selected=6&sort=effdt&sku=3CRWE754G72-A&order=desc

    -- 8. References
    ----------------
       - 3com website
         http://www.3com.com/support

    -- 11. History
    --------------
    2004-07-02
     - Vulnerability discovered
    2004-08-24
     - 3com contacted at security@3com.com
    2004-09-08
     - vendor response
    2004-10-14
     - patch available

    -- 12. Contact information
    --------------------------
    Cyrille Barthelemy <cb-publicbox@ifrance.com>
    Web Site : http://www.cyrille-barthelemy.com

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
