Bugtraq mailing list archives

Part II: Vulnerability in 3Com® OfficeConnect® Remote 812 ADSL Router


From: Ismael Briones <ismael () el-mundo net>
Date: Wed, 12 Jun 2002 19:17:11 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


TITLE: A more detailed description of 3Com® OfficeConnect® Remote 812 ADSL
Router

DESCRIPTION: A big description of the vulnerability, Status and Solutions.
I am sending this mail to explain the real problem and the solutions to all
the people who were interested in the bug.

Thanks to all the people who have sent me an email with their experiences.

PROBLEM SUMMARY:

        In the previous mail, I warned about a problem in PAT (Port 
Address Translation) that can be used to access all ports in the computer 
behind the router. educm () softhome net informed me about a feature called 
iNAT or iPAT (Intelligent NAT/PAT; I think this should be called Stupid 
NAT/PAT).
        With this feature, when a connection is established from a computer 
behind the router with a remote computer, the router redirects all the 
connections from the remote computer to the computer that initiated the 
connection behind the router, even if the ports aren't redirected with PAT.
        Somebody from 3Com Europe sent me a mail with the same explanation, 
and wrote a text extracted from the 812CLI (Version 2.0) documentation (see 
attachment). But iNAT/PAT really has a bug.

BUG:
        When we try to connect to a port that is not redirected to a computer 
behind the router using iPAT, there is no problem, the router doesn't allow 
this connection. But if we first connect to a port redirected using iPAT and 
immediately afterwards try to connect to any port not redirected using iPAT, 
the router allows the successive connections to any port, redirecting the 
connections to the internal computer. The problem exists with TCP and with 
UDP. The problem exists when iPAT is enabled (it is enabled by default) and 
it isn't a feature, it is a bug.
A lot of people sent me mails saying that this is a feature called iNAT, but 
the iNAT isn't working as it should.

SOLUTIONS:

        Disable iNAT/PAT (Caution: Some programs, like NetMeeting, may not 
work). There is an unofficial version of the firmware (version 2.1.2) at 
http://www.adslnet.ws/ ( http://es.geocities.com/doelgroup/mr020102.zip ) 
that seems not to have the bug. If somebody tries it, let me know, 
please.


- -- 
- --------------------------------------------------
Ismael Briones Vilar            Mundinteractivos - El Mundo      
Area de Internet                Pradillo, 42                     
ismael () el-mundo net          28002 - Madrid (SPAIN, EU)       
http://www.elmundo.es/          Tel: (+34) 915864800 (Ext: 4615) 
                                Fax: (+34) 915864480
- --------------------------------------------------
GPG PubKey:
fingerprint: 8FD8 1450 29AC 5B5F 4186  0417 B67A 978F 281C D54F
http://pgp.rediris.es:11371/pks/lookup?op=get&search=0x281CD54F
- --------------------------------------------------

"This business is a living organism. It multiplies ceaselessly,
surrounded by predators. There is no room for idle time or hesitation.
New discoveries flood us, new ideas, ready to be devoured,
redefined. This business is binary. You are a one or a zero, you live or 
you die...."
                                        Gary Winston (AntiTrust)

"Good artists copy, great artists steal."    
                      Pablo Picasso


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9B4IatnqXjygc1U8RAu/QAKCfF8K299YHckLKa6MYVWHRORXFHwCfR+xy
/fm65CLKYVDrz04gR1hFO34=
=f5/8
-----END PGP SIGNATURE-----
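
The behaviour described in the message above, turned into a log check; this is an added example, not part of the original post or of any 3Com tooling. It separates the documented iNAT case (the LAN host dialled out first) from inbound traffic that reaches a non-forwarded port shortly after the same remote touched a forwarded one. The flow-record format, the forwarded-port table and the 60-second window are assumptions.

```python
# Constructed sample flows seen on the LAN side of the router.
# Fields: time_s direction remote_ip lan_ip proto dest_port
SAMPLE_FLOWS = """\
10 out 198.51.100.7 192.168.1.10 tcp 1720
12 in 198.51.100.7 192.168.1.10 tcp 1503
30 in 203.0.113.9 192.168.1.10 tcp 80
31 in 203.0.113.9 192.168.1.10 tcp 139
32 in 203.0.113.9 192.168.1.10 udp 137
400 in 203.0.113.9 192.168.1.10 tcp 445
"""

FORWARDED = {("tcp", 80)}  # assumed PAT table: only TCP/80 is redirected
WINDOW_S = 60              # assumed; the post only says "immediately"


def classify(flow_text, forwarded=FORWARDED, window=WINDOW_S):
    """Label every inbound flow that reached a port outside the PAT table."""
    contacted = set()  # (remote, lan) pairs where the LAN host dialled out
    last_fwd = {}      # (remote, lan) -> time of last hit on a forwarded port
    findings = []
    rows = [line.split() for line in flow_text.splitlines() if line.strip()]
    for t, direction, remote, lan, proto, dport in sorted(rows, key=lambda r: int(r[0])):
        t, dport, pair = int(t), int(dport), (remote, lan)
        if direction == "out":
            contacted.add(pair)
        elif (proto, dport) in forwarded:
            last_fwd[pair] = t                # expected traffic, remember when
        elif pair in contacted:
            label = "inat"                    # documented iNAT/iPAT behaviour
            findings.append((t, remote, proto, dport, label))
        elif pair in last_fwd and t - last_fwd[pair] <= window:
            label = "after-forward"           # the pattern reported in the post
            findings.append((t, remote, proto, dport, label))
        else:
            label = "unexplained"             # should not have passed the router
            findings.append((t, remote, proto, dport, label))
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE_FLOWS):
        print(*finding)
```

Records labelled "after-forward" are the ones worth reviewing on a router with iNAT/PAT still enabled; "inat" records match the feature as the vendor documentation describes it.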

