Denial of service in 3COM 812 DSL routers

From: David F.Madrid (conde0at_private)
Date: Wed Jul 23 2003 - 03:25:03 PDT


    Product affected : 3COM 812 OfficeConnect DSL routers

    Firmware affected :

    1.1.9

    2.0 ?

    Description :

    OfficeConnect is a router widely used in the world . Just in Spain ,
    Telefonica bought more than 100000 812 routers from 3COM until 2001 to
    deploy them on its ADSL lines .

    The router can be rebooted due to a flaw in its web administration
    interface . As no authentication is needed , every LAN user can cause
    a crash and reboot of the router , stopping internet connection for
    one or two minutes . A remote user can exploit it if the web interface
    is available in the WAN interface of the router or if he can persuade
    a user to click on a link in a forum or to visit a webpage ( as
    you can always access the web interface if the connection is locally
    initiated , as it is from the web browser ) .

    I haven't tested this in another 812 router , but on mine the
    buffer that holds the complete HTTP request is 512 bytes
    and is not checked if the length of the request is bigger than
    this limit , so to reboot the router you just have to connect
    to the web interface and send 512 bytes
    
    perl -e 'print "A"x512;print "\n\n\n\n\n\n\n\n"' | netcat -v -n 192.168.0.1 80
    
    You can read this advisory in Spanish at
    
    http://nautopia.coolfreepages.com/vulnerabilidades/3com812_Web_DOS.htm
    
    
    Regards ,
    
    David F. Madrid ,
    Madrid , Spain
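
The missing check described in the advisory, shown as an added example that is not part of the original post and is not 3Com firmware code: a request reader that refuses input exceeding its 512-byte buffer before copying. All names (req_buf, req_feed, demo_filler) are hypothetical, and the filler input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define REQ_BUF_SIZE 512  /* request buffer size reported in the advisory */

enum req_status { REQ_INCOMPLETE, REQ_COMPLETE, REQ_TOO_LARGE };

struct req_buf {
    char   data[REQ_BUF_SIZE];
    size_t len;           /* bytes stored, always <= REQ_BUF_SIZE - 1 */
};

/* Append one chunk read from the socket; the length check precedes the copy. */
static enum req_status req_feed(struct req_buf *rb, const char *chunk, size_t n)
{
    if (n > REQ_BUF_SIZE - 1 - rb->len)   /* one byte reserved for '\0' */
        return REQ_TOO_LARGE;             /* caller sends an error and closes */
    memcpy(rb->data + rb->len, chunk, n);
    rb->len += n;
    rb->data[rb->len] = '\0';
    /* The request is complete at the first empty line. */
    if (strstr(rb->data, "\r\n\r\n") || strstr(rb->data, "\n\n"))
        return REQ_COMPLETE;
    return REQ_INCOMPLETE;
}

/* Constructed input: n filler bytes, then an empty line, in 64-byte reads. */
static enum req_status demo_filler(size_t n)
{
    struct req_buf rb = { .len = 0 };
    char chunk[64];
    enum req_status st = REQ_INCOMPLETE;

    memset(chunk, 'A', sizeof chunk);
    while (n > 0 && st == REQ_INCOMPLETE) {
        size_t take = n < sizeof chunk ? n : sizeof chunk;
        st = req_feed(&rb, chunk, take);
        n -= take;
    }
    return st == REQ_INCOMPLETE ? req_feed(&rb, "\n\n", 2) : st;
}

int main(void)
{
    printf("100 bytes: %d, 512 bytes: %d\n", demo_filler(100), demo_filler(512));
    return 0;
}
```

The comparison is written as n > REQ_BUF_SIZE - 1 - rb->len so that it cannot wrap around, which the more obvious rb->len + n > limit form can do for very large n.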
    



    This archive was generated by hypermail 2b30 : Wed Jul 23 2003 - 09:21:16 PDT