Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: 3COM OfficeConnect DSL router vulneratibilities
From: James Renken <jrenken () sandwich net>
Date: Tue, 15 May 2001 14:01:25 -0700 (PDT)

This buffer overflow exploit is effective against the 3Com OfficeConnect
Remote 840 SDSL router, as well.  NorthPoint Communications (and probably
other ISPs) resold this router in some areas of the U.S.

When I tested it, the router ceased to function and its LEDs began
flashing, but it did not automatically reset - I had to disconnect and
reconnect the power cable.  I tested this with software version 1.0.7,
firmware 4.2.  (The router model number is 3c840-US.)

The unprotected adsl_pair_select and adsl_reset problems aren't present on
the 840.

3Com helpfully provides no e-mail support for this product, and their
telephone support group was unable to find any support information for
it...

-- 
James Renken, System Administrator                    jrenken () sandwich net
Sandwich.Net Internet Services      http://sandwich.net/      760-729-4609


On Tue, 15 May 2001, inc wrote:

Yesterday night I discovered a vulnerabilty. The router is a 3COM
OfficeConnect 812 and the vulnerability is on the HTTP server, on port 80.
(snip)
http://192.168.1.254/graphics/sml3com%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%
s%s%s%s%s%s%s%s%s%%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
%s%s%s%s%s%s%s

...the router causes an NMI, red lights, flashing lights... and it's dead...
it disconnect and come online again on a minute.
(snip)
ANNEX:

http://192.168.1.254/adsl_pair_select
http://192.168.1.254/adsl_reset

Very unsecure for strangers ;-)... the server here doesnt ask for password
so you cant reset the router from the own web (and without credentials)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]