Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

3COM 3crwe754g72-a Information Disclosure, Logs manipulation ...

From: Cyrille Barthelemy <cb-lse () ifrance com>
Date: Mon, 18 Oct 2004 14:14:10 +0200
Title: 3com 3crwe754g72-a Information Disclosure
Class: Design Error
Affects:
 3com 3crwe754g72-a 
      v 1.11
      v 1.13
      v 1.24
Id: cbsa-0000
Release Date: 2004 10 18
Author : Cyrille Barthelemy <cb-publicbox () ifrance com>




-- 1. Introduction 
------------------
3Com 3crwe754g72-a is a bundle product which provides various services
(adsl modem, 802.11b/g access point, router, dhcp server, snmp node ...).
All services are manageable using a web interface.

This product suffers from the following vulnerability :
     - information disclosure
     - clear text information storage
     - bad authentication design

which lead to some risks :
     - password and wep key retrieval
     - administrator logout by a third party
     - log clean


-- 2. Information disclosure
---------------------------
The product allows only one administrator to manage the device at the same 
time, when another client connect to the interface, the device display the ip 
address of the current administrator.
The web server has an Ip based authentication, using this we can reconfigure 
our network interface to use the same ip and access to the device.


-- 3. Clear text information storage
------------------------------------
Using the previous information, the device allow us to fetch its current 
configuration using, accessing the following URL : 
'http://192.168.0.1/cgi-bin/config.bin&apos;

This file contain the following interestant informations (offets may vary with 
versions)
 - clear text administrator password (offset 0x68, 0xE20 and 0xE7F0)
 - clear text wep key (offset 0xDD70)
 - wep passphrase (offset 0xDDDC)

-- 4. Administrator logout
--------------------------
With the same technique it is possible to logout the currently logged 
administrator using

user% wget http://192.168.0.1/cgi-bin/logout.exe

-- 5. Log cleaning
------------------
With the same technique all traces can be erased using the command

user% w3c -post http://192.168.0.1/cgi-bin/statusprocess.exe -form 
"securityclear=1"


-- 6. Solution
--------------
Apply the fix released by 3com available at :
http://www.3com.com/products/en_US/result.jsp?selected=6&sort=effdt&sku=3CRWE754G72-A&order=desc

-- 8. References
----------------
   - 3com website 
     http://www.3com.com/support


-- 11. History
--------------
2004-07-02.
 - Vulnerability discovered
2004-08-24
 - 3com contacted at security () 3com com
2004-09-08
 - vendor response
2004-10-14
 - patch available

-- 12. Contact information
------------------------
Cyrille Barthelemy <cb-publicbox () ifrance com>
Web Site : http://www.cyrille-barthelemy.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: