Full Disclosure mailing list archives

3COM 3crwe754g72-a Administration interface code injection (DHCP)
From: Cyrille Barthelemy <cb-publicbox () ifrance com>
Date: Mon, 18 Oct 2004 14:17:48 +0200

Title: 3COM 3crwe754g72-a Administration interface code injection
Class: Design error
 3com 3crwe754g72-a 
      v 1.11
      v 1.13
      v 1.24
Id: cbsa-0001
Release Date: 2004-10-18
Author : Cyrille Barthelemy <cb-publicbox () ifrance com>

-- 1. Introduction 
3Com 3crwe754g72-a is a bundled product which provides miscellaneous services
(ADSL modem, 802.11b/g access point, router, DHCP server, SNMP agent ...).
All services are manageable using a web interface.

As reported in a previous advisory, this product suffers from various
vulnerabilities. The way DHCP REQUEST messages are handled allows an attacker
to inject code into the administration interface.

-- 2. Problem
The web interface used to administer the router displays a list of the DHCP
clients with the following information:
       - IP address allocated
       - hostname
       - MAC address
The second item can be submitted by a client using DHCP options, and no
content filtering is done by the DHCP daemon or the web interface.
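
A defensive sketch of the missing filtering, added here as an example and not taken from the advisory or from 3Com firmware: it parses the DHCP options field, accepts option 12 (host name) only if it is an RFC 1123 hostname, and HTML-escapes every cell when the client table is rendered. The function names, the "(invalid)" placeholder and the sample bytes are assumptions constructed for illustration.

```python
import html
import re

# One RFC 1123 label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
OPT_PAD, OPT_HOSTNAME, OPT_END = 0, 12, 255


def parse_options(raw: bytes) -> dict:
    """Walk the DHCP options field (code, length, value triplets)."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated option")
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def safe_hostname(raw_value: bytes):
    """Return the name if it is a valid RFC 1123 hostname, else None."""
    try:
        name = raw_value.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not name or len(name) > 253:
        return None
    ok = all(_LABEL.fullmatch(label) for label in name.split("."))
    return name if ok else None


def render_row(ip: str, options: bytes, mac: str) -> str:
    """Build one client-table row; validate on input, escape on output."""
    host = safe_hostname(parse_options(options).get(OPT_HOSTNAME, b"")) or "(invalid)"
    cells = "".join(f"<td>{html.escape(c)}</td>" for c in (ip, host, mac))
    return f"<tr>{cells}</tr>"


# Constructed sample: message type REQUEST (53 = 3) plus the hostname from section 3.
SAMPLE = bytes([53, 1, 3, 12, 13]) + b"<h1>Oops</h1>" + bytes([OPT_END])
```

Escaping at render time stays in place even with the input check, so a value that reaches the table by another path is still displayed as text.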

-- 3. Exploitation
The exploitation can be made using the DHCPing program with the following 

root# dhcping -opttype 'REQUEST' -opthostname '<h1>Oops</h1>' -z

The injection seems to be limited to 20 characters, but this limitation can be
bypassed using the same technique described by Gregory Duchemin (see

-- 4. Solution
Apply the firmware upgrade available at 3com support site :

-- 5. References
   - 3com website 

   - DHCPing web site 

   - DLINK 614+, script injection vulnerability

-- 10. History
 - Vulnerability discovered
 - 3com contacted at security () 3com com
 - vendor response
 - patch available

-- 11. Contact information
Cyrille Barthelemy <cb-publicbox () ifrance com>
Web Site : http://www.cyrille-barthelemy.com

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
