[Full-Disclosure] 3COM 3crwe754g72-a Administration interface code injection (DHCP)

From: Cyrille Barthelemy (cb-publicbox_at_ifrance.com)
Date: 10/18/04

    To: full-disclosure@lists.netsys.com
    Date: Mon, 18 Oct 2004 14:17:48 +0200
    
    

    Title: 3COM 3crwe754g72-a Administration interface code injection
    Class: Design error
    Affects:
     3com 3crwe754g72-a
          v 1.11
          v 1.13
          v 1.24
    Id: cbsa-0001
    Release Date: 2004-10-18
    Author : Cyrille Barthelemy <cb-publicbox@ifrance.com>

    -- 1. Introduction
    ------------------
    3Com 3crwe754g72-a is a bundled product which provides several services
    (ADSL modem, 802.11b/g access point, router, DHCP server, SNMP agent ...).
    All services are manageable through a web interface.

    As reported in a previous advisory, this product suffers from various
    vulnerabilities. The way DHCP REQUEST messages are handled allows an
    attacker to inject code into the administration interface.

    -- 2. Problem
    -------------
    The web interface used to administrate the router displays a list of the
    DHCP clients with the following information:
           - IP address allocated
           - hostname
           - MAC address
    The second item is supplied by the client itself through a DHCP option, and
    no content filtering is done by the DHCP daemon or by the web interface
    before it is rendered in the page.

    -- 3. Exploitation
    ------------------
    The exploitation can be done using the DHCPing program with the following
    invocation:

    root# dhcping -opttype 'REQUEST' -opthostname '<h1>Oops</h1>' -z

    The injection appears to be limited to 20 characters, but this limitation
    can be bypassed using the same technique described by Gregory Duchemin (see
    References).
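    The root cause described in sections 2 and 3 is a client-controlled DHCP
    option (the host name, option 12) being copied into an HTML page without
    validation or escaping. The following is an added illustration, not code
    from the advisory or from 3Com's firmware: it parses the options region of
    a constructed DHCP REQUEST, shows the unsafe rendering beside a hardened
    one that validates the name against the RFC 1123 label syntax and
    HTML-escapes it, and flags clients whose name is not a valid hostname so an
    administrator can spot them in the log. The function names, the sample
    packet bytes and the 63-byte label limit are assumptions of this example.

```python
import html
import re

# Constructed sample: the options region of a DHCP REQUEST, i.e. the bytes
# that follow the 4-byte magic cookie. Option 53 (message type) = 3
# (DHCPREQUEST), option 12 (host name) carrying markup instead of a name,
# then option 255 (end).
_PAYLOAD = b"<h1>Oops</h1>"
SAMPLE_OPTIONS = (
    b"\x35\x01\x03"
    + b"\x0c" + bytes([len(_PAYLOAD)]) + _PAYLOAD
    + b"\xff"
)

OPT_MESSAGE_TYPE = 53
OPT_HOST_NAME = 12


def parse_dhcp_options(data: bytes) -> dict:
    """Parse the TLV option list of a DHCP message (RFC 2132) into
    {code: value_bytes}. Stops at END (255), skips PAD (0), and refuses
    truncated options instead of reading past the buffer."""
    opts = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 255:          # END option: no length byte follows
            break
        if code == 0:            # PAD option: no length byte follows
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


# One RFC 1123 label: letters, digits and hyphens, no leading/trailing
# hyphen, at most 63 characters (the 63 limit is this example's choice).
HOSTNAME_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(raw: bytes) -> bool:
    """True if the client-supplied name is a well-formed hostname label."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    return HOSTNAME_LABEL_RE.match(text) is not None


def sanitize_hostname(raw: bytes, max_len: int = 63) -> str:
    """Return a string that is always safe to place inside an HTML text node:
    decoded leniently, truncated, and HTML-escaped (quotes included)."""
    text = raw.decode("ascii", errors="replace")[:max_len]
    return html.escape(text, quote=True)


def render_row_unsafe(ip: str, hostname: bytes, mac: str) -> str:
    """What the vulnerable page does: the raw option value lands in the HTML."""
    return f"<tr><td>{ip}</td><td>{hostname.decode('ascii', errors='replace')}</td><td>{mac}</td></tr>"


def render_row_safe(ip: str, hostname: bytes, mac: str) -> str:
    """Hardened rendering: every client-controlled field is escaped."""
    return (f"<tr><td>{html.escape(ip)}</td>"
            f"<td>{sanitize_hostname(hostname)}</td>"
            f"<td>{html.escape(mac)}</td></tr>")


def client_audit_line(ip: str, hostname: bytes, mac: str) -> str:
    """Log line a DHCP daemon could emit; suspicious names are flagged so
    an administrator notices them before looking at the web page."""
    status = "ok" if is_valid_hostname(hostname) else "SUSPICIOUS-HOSTNAME"
    return f"dhcp lease ip={ip} mac={mac} hostname={hostname!r} status={status}"


if __name__ == "__main__":
    opts = parse_dhcp_options(SAMPLE_OPTIONS)
    name = opts[OPT_HOST_NAME]
    print(client_audit_line("192.0.2.10", name, "00:00:5e:00:53:01"))
    print("unsafe:", render_row_unsafe("192.0.2.10", name, "00:00:5e:00:53:01"))
    print("safe:  ", render_row_safe("192.0.2.10", name, "00:00:5e:00:53:01"))
```

    The point of `sanitize_hostname` and `is_valid_hostname` being separate is
    that the page must always escape (so rendering is safe whatever arrives),
    while the validity check is what makes the event visible in logs; relying
    on a short maximum length alone, as the 20-character limit above shows,
    is not a mitigation.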

    -- 4. Solution
    --------------
    Apply the firmware upgrade available on the 3Com support site:
    http://www.3com.com/products/en_US/result.jsp?selected=6&sort=effdt&sku=3CRWE754G72-A&order=desc

    -- 5. References
    ----------------
       - 3com website
         http://www.3com.com

       - DHCPing web site
         http://dhcping.openwall.net

       - DLINK 614+, script injection vulnerability
         http://securityfocus.com/archive/1/366615/2004-06-21/2004-06-27/0

    -- 10. History
    --------------
    2004-07-02
     - Vulnerability discovered
    2004-08-24
     - 3com contacted at security@3com.com
    2004-09-08
     - vendor response
    2004-10-14
     - patch available

    -- 11. Contact information
    --------------------------
    Cyrille Barthelemy <cb-publicbox@ifrance.com>
    Web Site : http://www.cyrille-barthelemy.com

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
