[Full-Disclosure] 3COM 3crwe754g72-a Administration interface code injection (DHCP)

Title: 3COM 3crwe754g72-a Administration interface code injection
Class: Design error
Affects: 3com 3crwe754g72-a v1.11, v1.13, v1.24
Id: cbsa-0001
Release Date: 2004-10-18
Author: Cyrille Barthelemy <cb-publicbox@ifrance.com>

-- 1. Introduction

3Com 3crwe754g72-a is a bundled product that provides several services (ADSL modem, 802.11b/g access point, router, DHCP server, SNMP agent, ...). All services are manageable through a web interface.

As reported in a previous advisory, this product suffers from various vulnerabilities. The way DHCP REQUEST messages are handled allows an attacker to inject code into the administration interface.

-- 2. Problem

The web interface used to administer the router displays a list of the DHCP clients with the following information:
- allocated IP address
- hostname
- MAC address
The second item, the hostname, can be supplied by the client through a DHCP option, and no content filtering is done by the DHCP daemon or by the web interface before it is displayed.
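As an added illustration (not part of the advisory or of 3Com's firmware), the filtering the advisory says is missing, in Python: parse the DHCP option field, accept the client's hostname only if it is a legal RFC 952/1123 name, and HTML-escape whatever the web interface renders. Option code 12 is the RFC 2132 Host Name option; the sample byte strings and the 63-character storage limit are assumptions constructed for this example.

```python
import html
import re

OPT_PAD, OPT_HOSTNAME, OPT_END = 0, 12, 255  # RFC 2132 codes; 12 = Host Name, the abused field
# RFC 952/1123 hostname syntax: dotted labels of letters, digits and hyphens, no leading or
# trailing hyphen. Markup characters such as '<' and '>' can never match.
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")
MAX_HOSTNAME = 63  # assumed upper bound on what the lease table stores

def parse_dhcp_options(blob: bytes) -> dict:
    """Walk a DHCP options field (bytes after the magic cookie) into {code: value}.
    Truncated options raise instead of being read past the end of the buffer."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("truncated DHCP option at offset %d" % i)
        length = blob[i + 1]
        opts[code] = blob[i + 2 : i + 2 + length]
        i += 2 + length
    return opts

def is_valid_hostname(name: str) -> bool:
    # fullmatch, not match(): '$' alone would accept a trailing newline
    return len(name) <= MAX_HOSTNAME and HOSTNAME_RE.fullmatch(name) is not None

def lease_hostname(opts: dict) -> str:
    """What the DHCP daemon should record for a lease: the client's hostname only if it
    is legal, otherwise a fixed placeholder. This is the filtering step the device lacks."""
    raw = opts.get(OPT_HOSTNAME, b"")
    try:
        name = raw.decode("ascii")
    except UnicodeDecodeError:
        return "(invalid hostname)"
    return name if is_valid_hostname(name) else "(invalid hostname)"

def html_cell(text: str) -> str:
    """What the web interface should do regardless: escape before writing the client table."""
    return html.escape(text, quote=True)

# Constructed sample option fields (not captured traffic): a benign client and one sending
# the markup from the advisory as its hostname. 0x0c = option 12, then length, 0xff = end.
BENIGN_OPTS = b"\x0c\x06laptop\xff"
MARKUP_OPTS = b"\x0c\x0d<h1>Oops</h1>\xff"
```

Both layers are needed: validation at the daemon keeps markup out of the lease table, and escaping in the web interface neutralizes anything that slips past it.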

-- 3. Exploitation

The issue can be exploited using the dhcping program with the following invocation:

root# dhcping -opttype 'REQUEST' -opthostname '<h1>Oops</h1>' -z

The injection seems to be limited to 20 characters, but this limitation can be bypassed using the same technique described by Gregory Duchemin (see References).

-- 4. Solution

Apply the firmware upgrade available from the 3Com support site: http://www.3com.com/products/en_US/result.jsp?selected=6&sort=effdt&sku=3CRWE754G72-A&order=desc

-- 5. References

  • 3Com website http://www.3com.com

  • DHCPing web site http://dhcping.openwall.net

  • DLINK 614+, script injection vulnerability http://securityfocus.com/archive/1/366615/2004-06-21/2004-06-27/0

-- 10. History

2004-07-02 - Vulnerability discovered
2004-08-24 - 3Com contacted at security@3com.com
2004-09-08 - Vendor response
2004-10-14 - Patch available

-- 11. Contact information

Cyrille Barthelemy <cb-publicbox@ifrance.com>
Web Site: http://www.cyrille-barthelemy.com

