[VulnWatch] iDEFENSE Security Advisory 01.20.05: 3Com OfficeConnect Wireless 11g AP Information Disclosure Vulnerability

From: iDefense Customer Service (customerservice_at_idefense.com)
Date: 01/20/05

    Date: Thu, 20 Jan 2005 17:33:57 -0500
    To: <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>


    3Com OfficeConnect Wireless 11g AP Information Disclosure Vulnerability

    iDEFENSE Security Advisory 01.20.05
    www.idefense.com/application/poi/display?id=188&type=vulnerabilities
    January 20, 2005

    I. BACKGROUND

    The 3Com OfficeConnect Wireless 11g Access Point provides users with
    access to network resources, the Internet, and e-mail at speeds up to
    54 Mbps and at distances up to 100 meters (328 feet). More information
    about the product is available at

        http://www.3com.com/products/en_US/detail.jsp?tab=features&pathtype=purchase&sku=3CRWE454G72

    II. DESCRIPTION

    Remote exploitation of an input validation vulnerability in 3Com Corp.'s
    OfficeConnect Wireless 11g Access Point allows attackers to glean
    sensitive router information.

    The 3Com OfficeConnect Wireless 11g Access Point (AP) provides an
    administrative interface via a web server accessible on port 80. This
    interface is exposed by default on the internal ethernet interface and
    the wireless interface, and it is also possible to expose it on the
    external ethernet interface. The problem specifically exists due to
    insufficient privilege checks when accessing various URLs without going
    through the formal logon process. An unauthenticated attacker can glean
    sensitive information from the device via the following URLs:

        /main/config.bin
        /main/profile.wlp?PN=ggg
        /main/event.logs

    These URLs will expose the administrative username and password in clear
    text, the WEP key and SSID, and the router log file respectively.
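    A defender wanting to know whether these URLs are being requested from outside the management network can grep for them in HTTP logs taken in front of the AP. The following is an added example, not part of the advisory: it parses constructed combined-format access log lines (assumed to come from a proxy or IDS in front of the device, since the AP's own log format is not documented here), matches the three paths regardless of query string, and flags requests that did not originate from the assumed internal 192.168.x range.

```python
import re
from urllib.parse import urlsplit

# Paths the advisory lists as readable without logging in (CAN-2005-0112).
SENSITIVE_PATHS = {
    "/main/config.bin",    # administrative username and password
    "/main/profile.wlp",   # WEP key and SSID
    "/main/event.logs",    # device log file
}

# Combined log format as written by a proxy/IDS in front of the AP (assumption).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def flag_sensitive_requests(lines, local_nets=("192.168.",)):
    """Return (src, path, status, external) for every request to a listed URL.

    external is True when the client address is outside local_nets, i.e. the
    request came over the wireless or WAN side rather than the wired LAN.
    A status of 200 means the device actually served the file.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not HTTP records
        path = urlsplit(m["target"]).path  # drop ?PN=ggg and similar query strings
        if path not in SENSITIVE_PATHS:
            continue
        external = not m["src"].startswith(local_nets)
        hits.append((m["src"], path, int(m["status"]), external))
    return hits

# Constructed sample log: one benign request, three sensitive ones, one junk line.
SAMPLE_LOG = [
    '192.168.1.20 - - [20/Jan/2005:10:01:02 -0500] "GET /main/index.htm HTTP/1.1" 200 1234',
    '203.0.113.7 - - [20/Jan/2005:10:05:44 -0500] "GET /main/config.bin HTTP/1.0" 200 512',
    '203.0.113.7 - - [20/Jan/2005:10:05:45 -0500] "GET /main/profile.wlp?PN=ggg HTTP/1.0" 200 330',
    '192.168.1.20 - - [20/Jan/2005:10:07:10 -0500] "GET /main/event.logs HTTP/1.1" 200 4096',
    'not an http log line',
]

if __name__ == "__main__":
    for src, path, status, external in flag_sensitive_requests(SAMPLE_LOG):
        print(f"{src:15} {path:20} {status} {'EXTERNAL' if external else 'internal'}")
```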

    III. ANALYSIS

    Successful exploitation allows remote attackers to glean sensitive
    router information, allowing the attacker to gain full control of the
    device. Compromise of the Access Point (AP) allows an attacker to
    potentially redirect traffic, access nodes behind the AP that are
    otherwise unaddressable and potentially monitor traffic from a remote
    location. This can lead to further compromise of other computers.

    IV. DETECTION

    It has been reported that firmware version 1.00.08 shipped on the 3Com
    OfficeConnect Wireless 11g Access Point is vulnerable. It is suspected
    that earlier versions are also vulnerable.

    V. WORKAROUND

    iDEFENSE is currently unaware of any workarounds for this issue.

    VI. VENDOR RESPONSE

    Firmware version 1.03.07A for 3CRWE454G72 has been released to address
    the vulnerability.

       http://www.3com.com/products/en_US/result.jsp?selected=6&sort=effdt&order=desc&sku=3CRWE454G72

    VII. CVE INFORMATION

    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    name CAN-2005-0112 to these issues. This is a candidate for inclusion
    in the CVE list (http://cve.mitre.org), which standardizes names for
    security problems.

    VIII. DISCLOSURE TIMELINE

    12/21/2004 Initial vendor notification - No response
    01/06/2005 Secondary vendor notification
    01/07/2005 Initial vendor response
    01/20/2004 Public disclosure

    IX. CREDIT

    Patrik, cqure.net is credited with this discovery.

    Get paid for vulnerability research
    http://www.idefense.com/poi/teams/vcp.jsp

    X. LEGAL NOTICES

    Copyright (c) 2005 iDEFENSE, Inc.

    Permission is granted for the redistribution of this alert
    electronically. It may not be edited in any way without the express
    written consent of iDEFENSE. If you wish to reprint the whole or any
    part of this alert in any other medium other than electronically, please
    email customerservice@idefense.com for permission.

    Disclaimer: The information in the advisory is believed to be accurate
    at the time of publishing based on currently available information. Use
    of the information constitutes acceptance for use in an AS IS condition.
    There are no warranties with regard to this information. Neither the
    author nor the publisher accepts any liability for any direct, indirect,
    or consequential loss or damage arising from use of, or reliance on,
    this information.
