15th May 2001 [SBWID-2046]
COMMAND
	    3COM
SYSTEMS AFFECTED
	    3COM OfficeConnect DSL router
PROBLEM
	    "inc" found the following. The router is a 3COM OfficeConnect 812
	    and the vulnerability is in the HTTP server, on port 80. When you
	    connect to one of these routers with a browser, you are asked for
	    a user/password; if you fail, you see a web page telling you that
	    it is a protected object. However, there is a .GIF file you have
	    access to, and you don't need to include the .GIF extension.
	
	        http://192.168.1.254/graphics/sml3com
	
	    Well... you enter this, and you see the image...
	    Well.... let's add a long string after it.
	
	        http://192.168.1.254/graphics/sml3com%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
	
	    ...the router raises an NMI, red lights, flashing lights... and
	    it's dead... it disconnects and comes back online in a minute.
	
	    The 3COM OfficeConnect 812 is the router that Terra (from
	    Telefonica Spain) puts on almost all DSL connections, even for
	    all sorts of businesses. They are still selling this router even
	    though there is a better firmware (not tested yet) that may
	    resolve this problem.
	
	    This buffer overflow exploit is effective against the 3Com
	    OfficeConnect Remote 840 SDSL router as well. NorthPoint
	    Communications (and probably other ISPs) resold this router in
	    some areas of the U.S.
	
	    When James Renken tested it, the router ceased to function and
	    its LEDs began flashing, but it did not automatically reset - he
	    had to disconnect and reconnect the power cable. He tested this
	    with software version 1.0.7, firmware 4.2. (The router model
	    number is 3c840-US.)
	
	    The unprotected adsl_pair_select and adsl_reset problems aren't
	    present on the 840. 3Com helpfully provides no e-mail support
	    for this product, and their telephone support group was unable to
	    find any support information for it...
SOLUTION
	    Put filters on the router for the remote sites and only allow
	    connections to ports 23 and 80 from the local network.
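	
	    One way to audit connection records against the filter above and
	    to spot the request pattern described under PROBLEM. This is an
	    added example, not part of the original advisory; the LAN range
	    192.168.1.0/24, the record layout, the threshold and the sample
	    records are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumptions (not from the advisory): LAN range, record layout, threshold.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
MGMT_PORTS = {23, 80}   # telnet and HTTP, the ports named under SOLUTION
SPEC_THRESHOLD = 4      # specifiers in one path before it is flagged

# printf-style conversion: %, flags, width, precision, length, conversion char
FORMAT_SPEC = re.compile(
    r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|z|j|t)?[diouxXeEfgGcspn]")

def count_format_specs(path):
    """Count specifiers left after one round of URL decoding, so that
    ordinary escapes such as %20 are not miscounted and %25s is caught."""
    return len(FORMAT_SPEC.findall(unquote(path)))

def review(record):
    """Return the list of findings for one connection record."""
    findings = []
    src = ipaddress.ip_address(record["src"])
    if record["dport"] in MGMT_PORTS and src not in LOCAL_NET:
        findings.append("mgmt-port-from-outside")
    parts = record.get("request", "").split()
    if len(parts) >= 2 and count_format_specs(parts[1]) >= SPEC_THRESHOLD:
        findings.append("format-specifier-run")
    return findings

# Constructed sample records (source address, destination port, request line).
SAMPLE = [
    {"src": "192.168.1.10", "dport": 80,
     "request": "GET /graphics/sml3com HTTP/1.0"},
    {"src": "203.0.113.7", "dport": 80,
     "request": "GET /graphics/sml3com" + "%s" * 16 + " HTTP/1.0"},
    {"src": "192.168.1.23", "dport": 80,
     "request": "GET /graphics/sml3com" + "%25s" * 8 + " HTTP/1.0"},
    {"src": "198.51.100.4", "dport": 23, "request": ""},
    {"src": "192.168.1.10", "dport": 80,
     "request": "GET /my%20docs/50%25%20done.html HTTP/1.0"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["src"], rec["dport"], review(rec) or "ok")
```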
	
