Title: 3COM 3crwe754g72-a Administration interface code injection
Class: Design error
Affects: 3Com 3crwe754g72-a v1.11, v1.13, v1.24
Id: cbsa-0001
Release Date: 2004-10-18
Author: Cyrille Barthelemy <firstname.lastname@example.org>
Description:
3Com 3crwe754g72-a is a bundled product that provides several services (ADSL modem, 802.11b/g access point, router, DHCP server, SNMP agent, ...). All services are managed through a web interface.
As reported in a previous advisory, this product suffers from various vulnerabilities. The way DHCP REQUEST messages are handled allows an attacker to inject code into the administration interface.
Details:
The web interface used to administer the router displays a list of DHCP clients with the following information:
- IP address allocated
- hostname
- MAC address
The second item can be submitted by a client through DHCP options, and no content filtering is performed by the DHCP daemon or by the web interface before it is displayed.
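The defensive counterpart to the flaw described above, as an added example that is not code from the advisory or from the 3Com firmware: parse the DHCP option field, accept the host name option (option 12 in RFC 2132) only if it is a syntactically valid host name, and HTML-escape every cell when building the client table so that attacker-supplied text is rendered as text. Function names and the sample option bytes are constructed for this example.

```python
import html
import re
from typing import Dict

# DHCP option codes from RFC 2132 (only the ones this example needs).
OPT_PAD, OPT_HOSTNAME, OPT_END = 0, 12, 255
DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie that precedes the option field

# RFC 952/1123 host-name label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_options(payload: bytes) -> Dict[int, bytes]:
    """Walk the TLV option field that follows the magic cookie; reject truncated data."""
    if not payload.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(DHCP_MAGIC)
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def safe_hostname(opts: Dict[int, bytes], fallback: str = "(invalid)") -> str:
    """Return option 12 only if every dot-separated label is a valid host-name label."""
    raw = opts.get(OPT_HOSTNAME, b"").decode("ascii", errors="replace")
    if raw and all(_LABEL.match(label) for label in raw.split(".")):
        return raw
    return fallback  # anything else is not a host name and is never shown verbatim


def render_client_row(ip: str, hostname: str, mac: str) -> str:
    """Build one table row; escape every cell even if it was validated earlier."""
    return "<tr>" + "".join(f"<td>{html.escape(c)}</td>" for c in (ip, hostname, mac)) + "</tr>"


# Constructed sample: a host name option carrying the markup quoted in the advisory.
SAMPLE_OPTS = DHCP_MAGIC + bytes([OPT_HOSTNAME, 13]) + b"<h1>Oops</h1>" + bytes([OPT_END])
```

Validation stops the markup from ever being stored as a host name; the escaping in the renderer is the second layer that would still neutralise it if validation were skipped.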
Exploit:
The exploitation can be performed with the DHCPing program using the following invocation:
root# dhcping -opttype 'REQUEST' -opthostname '<h1>Oops</h1>' -z
The injection seems to be limited to 20 characters, but this limitation can be bypassed using the same technique described by Gregory Duchemin (see References).
Solution:
Apply the firmware upgrade available from the 3Com support site:
http://www.3com.com/products/en_US/result.jsp?selected=6&sort=effdt&sku=3CRWE754G72-A&order=desc
References:
- 3Com website: http://www.3com.com
- DHCPing web site: http://dhcping.openwall.net
- DLINK 614+, script injection vulnerability: http://securityfocus.com/archive/1/366615/2004-06-21/2004-06-27/0
Timeline:
2004-07-02 - Vulnerability discovered
2004-08-24 - 3Com contacted at email@example.com
2004-09-08 - Vendor response
2004-10-14 - Patch available
Contact:
Cyrille Barthelemy <firstname.lastname@example.org>
Web Site: http://www.cyrille-barthelemy.com
Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html