Re: Improper Authentication Mechanism in 3Com Wireless8760 Dual Radio 11a/b/g Poe Access Point

[Tom Neaves <tom () tomneaves co uk>]

Hi Yossi,

Are you doing something funky with your IP address, e.g., NAT'ed/short DHCP
lease?  The reason I ask is because in 2008, Adrian Pastor stated
authentication in the 3Com Wireless 8760 was linked to the source IP
address [1].  It may well be the case (as you have discovered) that it
allows arbitrary IP addresses to access the config once an administrator
has authentication... However, I just wanted to hit this badboy up incase
there was some confusion.

Cheers,

Tom

[1] http://securityreason.com/wlb_show/WLB-2008110039

On Tue, 15 Sep 2009 22:27:31 +0300, Yossi Yakubov <yos20053 () gmail com>
wrote:
> Hi
> My name is Yossi Yakubov and i am a security researcher. Recently me
> and my collegues found the following vulnerability in the 3Com
> Wireless8760 web administration interface:
>
> If one user is authenticated to the web interface, other users can
> access to internal pages without further authentication. That means
> that  one opened Session  is enough  between the user and web
> administration , and other users can also access to the web
> administration interface.
>
> Malicious user can wait until ones logins to the interface and then he
> can access and administer  3Com Wireless8760 Access Point without
> further authentication. Among different operations the malicious user
> can cause to Denial of Service (Dos) attack to the entire network by
> changing the configuration such as IP addresses.
>
> FYI
>
> Waiting for your review
>
> Best Regards
>
> Yossi Yakubov