Vulnerability in 3Com® OfficeConnect® Remote 812 ADSL Router

From: Ismael Briones (ismael@el-mundo.net)
Date: Mon May 27 2002 - 09:02:29 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    
    Title:         Vulnerability in 3Com® OfficeConnect® Remote 812 ADSL Router
    Date:        27-05-2002
    Impact:     A vulnerability in PAT (Port Address Translation) allows access to
                   all ports in the computer behind the router.
    Author:     Ismael Briones Vilar (ismael@el-mundo.net)
    
    
    PROBLEM SUMMARY:
    
        There is a problem in PAT (Port Address Translation) that can be used to
    access all ports in the computer behind the router. When we try to connect to
    a port that is not redirected to a computer behind the router using PAT,
    there is no problem: the router doesn't allow the connection. But if we first
    connect to a port redirected using PAT and then immediately try to connect to
    any port not redirected using PAT, the router allows the successive
    connections to any port. The problem exists with TCP and with UDP.
    
         Tested on firmware versions: V1.1.9 and V1.1.7 for the OCR812. For
         customers of SKU 3CP4144 (Telefónica S.A. (Spain) uses this model for
         DSL).
    
    IMPACT:
    
       Allows access to all ports in the computer behind the router. If you find a
       port redirected using PAT, you can access all ports, run scans, ... and
       anything else you can imagine.
    
    SOLUTION:
    
       Use firewalls in the computers behind the router or wait for a firmware
    update   ;-)
    
    STATUS:
    
       I have been searching the 3Com website for an email address to submit this
    bug, but I haven't found any reference to security advisories. So I have
    decided to send the advisory to Bugtraq first.
    
    
    
    Special Thanks to: Pask, J.M. Gomez, Manolo and Morales.
    
    - -- 
    - --------------------------------------------------
    Ismael Briones Vilar		Mundinteractivos - El Mundo      
    Area de Internet		Pradillo, 42                     
    ismael@el-mundo.net		28002 - Madrid (SPAIN, EU)       
    http://www.elmundo.es/		Tel: (+34) 915864800 (Ext: 4615) 
    				Fax: (+34) 915864480
    - --------------------------------------------------
    GPG PubKey:
    fingerprint: 8FD8 1450 29AC 5B5F 4186  0417 B67A 978F 281C D54F
    http://pgp.rediris.es:11371/pks/lookup?op=get&search=0x281CD54F
    - --------------------------------------------------
    
    "Technically, Windows is an 'operating system,' which means that 
    it supplies your computer with the basic commands that it needs 
    to suddenly, with no warning whatsoever, stop operating."
    						Dave Barry
    
    "Good artists copy, great artists steal."    
    		      Pablo Picasso
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org
    
    iD8DBQE88liYtnqXjygc1U8RAivlAJ9xqUIbtWagqvTIEknJkranCbc6oACffbRB
    gVyScjBN7d4Wj0Rf9kZoG5U=
    =vg59
    -----END PGP SIGNATURE-----
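
The host firewall recommended under SOLUTION is also where this behaviour becomes visible. The following is an added example, not part of the original advisory: it scans an inbound-connection log from the computer behind the router for connections to ports outside the PAT redirect list and marks those that closely follow a redirected-port connection from the same source. The log format, the redirect list, the sample addresses and the 30-second window are all assumptions.

```python
from datetime import datetime, timedelta

# Assumption: the (protocol, port) pairs redirected with PAT on the router.
FORWARDED = {("tcp", 80)}
# Assumption: how soon after a redirected-port hit counts as "immediately".
WINDOW = timedelta(seconds=30)

# Constructed sample log of WAN-originated connections seen by the host:
# "<ISO timestamp> <proto> <source ip> <destination port>"
SAMPLE_LOG = """\
2002-05-27T09:00:00 tcp 198.51.100.7 80
2002-05-27T09:00:02 tcp 198.51.100.7 139
2002-05-27T09:00:03 udp 198.51.100.7 137
2002-05-27T09:05:00 tcp 203.0.113.9 80
malformed line
2002-05-27T09:30:00 tcp 192.0.2.44 80
2002-05-27T09:31:10 tcp 192.0.2.44 445
"""

def parse(line):
    """Return (timestamp, proto, source, port), or None for an unparsable line."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1].lower(), parts[2], int(parts[3])

def find_pat_bypass(log_text, forwarded=FORWARDED, window=WINDOW):
    """List connections to non-redirected ports as (source, proto, port, follows_redirected)."""
    last_forwarded = {}  # source ip -> time of its latest redirected-port connection
    alerts = []
    for ts, proto, src, port in sorted(filter(None, map(parse, log_text.splitlines()))):
        if (proto, port) in forwarded:
            last_forwarded[src] = ts
            continue
        # The router should have dropped this; note whether it matches the
        # advisory's pattern (redirected port first, other port right after).
        prior = last_forwarded.get(src)
        follows = prior is not None and ts - prior <= window
        alerts.append((src, proto, port, follows))
    return alerts

if __name__ == "__main__":
    for alert in find_pat_bypass(SAMPLE_LOG):
        print(alert)
```

Entries whose last field is True match the sequence described in PROBLEM SUMMARY; entries with False reached a non-redirected port by some other path and still deserve a look.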
    


