[NEWS] 3Com OfficeConnect Wireless 11g AP Information Disclosure
From: SecuriTeam (support_at_securiteam.com)
Date: 01/23/05
To: list@securiteam.com
Date: 23 Jan 2005 14:32:56 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
3Com OfficeConnect Wireless 11g AP Information Disclosure
------------------------------------------------------------------------
SUMMARY
The 3Com OfficeConnect Wireless 11g Access Point <http://www.3com.com/products/en_US/detail.jsp?tab=features&pathtype=purchase&sku=3CRWE454G72> "provides users with access to network resources, the Internet, and e-mail at speeds up to 54 Mbps and at distances up to 100 meters (328 feet)".
Remote exploitation of an input validation vulnerability in 3Com Corp.'s
OfficeConnect Wireless 11g Access Point allows attackers to glean
sensitive router information.
DETAILS
Vulnerable Systems:
* 3Com OfficeConnect Wireless 11g firmware version 1.00.08
Immune Systems:
* 3Com OfficeConnect Wireless 11g firmware version 1.03.07A
The 3Com OfficeConnect Wireless 11g Access Point (AP) provides an
administrative interface via a web server accessible on port 80. This
interface is exposed by default on the internal Ethernet interface and the
wireless interface, and it is also possible to expose it on the external
Ethernet interface. The problem specifically exists due to insufficient
privilege checks when accessing various URLs without going through the
formal logon process. An unauthenticated attacker can glean sensitive
information from the device via the following URLs:
/main/config.bin
/main/profile.wlp?PN=ggg
/main/event.logs
These URLs will expose the administrative username and password in clear
text, the WEP key and SSID, and the router log file respectively.
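The following is an added example, not part of the original advisory: a log check that flags requests for the three paths above. It assumes requests to the AP's web interface are recorded in Common Log Format by a proxy or sensor in front of it (the advisory describes no log format); the function names and sample lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# The three paths and what each one discloses, as listed in the advisory.
SENSITIVE_PATHS = {
    "/main/config.bin": "administrative username and password",
    "/main/profile.wlp": "WEP key and SSID",
    "/main/event.logs": "router log file",
}

# Assumption: requests are logged in Common Log Format by a proxy or sensor
# in front of the AP; the advisory does not describe any log format.
CLF = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def normalize(target):
    """Drop the query string, percent-decode, collapse // and ../, lower-case."""
    path = unquote(target.split("?", 1)[0])
    # Lower-casing is an assumption made to err toward detection.
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def find_disclosure_requests(lines):
    """Return one finding per logged request for a path from the advisory."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        path = normalize(m["target"])
        if path in SENSITIVE_PATHS:
            findings.append({
                "client": m["client"],
                "path": path,
                "exposes": SENSITIVE_PATHS[path],
                # A 200 means the file was served: treat that secret as leaked.
                "served": m["status"] == "200",
            })
    return findings

# Constructed sample lines (documentation addresses, not from a real device).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Jan/2005:14:01:07 +0200] "GET /main/config.bin HTTP/1.0" 200 4096',
    '192.0.2.10 - - [23/Jan/2005:14:01:09 +0200] "GET /main/profile.wlp?PN=ggg HTTP/1.0" 200 512',
    '192.0.2.44 - - [23/Jan/2005:14:05:30 +0200] "GET /MAIN//%65vent.logs HTTP/1.0" 403 0',
    '192.0.2.7 - - [23/Jan/2005:14:06:02 +0200] "GET /index.htm HTTP/1.0" 200 1200',
]
```

Any finding with "served" set means the corresponding secret should be treated as disclosed and changed once the fixed firmware is installed.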
Analysis:
Successful exploitation allows remote attackers to glean sensitive router
information, allowing the attacker to gain full control of the device.
Compromise of the Access Point (AP) allows an attacker to potentially
redirect traffic, access nodes behind the AP that are otherwise
unaddressable and potentially monitor traffic from a remote location. This
can lead to further compromise of other computers.
Vendor response:
Firmware version 1.03.07A for 3CRWE454G72 has been released to address
the vulnerability.
http://www.3com.com/products/en_US/result.jsp?selected=6&sort=effdt&order=desc&sku=3CRWE454G72
CVE Information:
CAN-2005-0112 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0112>
Disclosure Timeline:
12/21/2004 - Initial vendor notification - No response
01/06/2005 - Secondary vendor notification
01/07/2005 - Initial vendor response
01/20/2004 - Public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:customerservice@idefense.com> iDefense Customer Service.
The original article can be found at:
http://www.idefense.com/application/poi/display?id=188&type=vulnerabilities
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.