Home page logo

fulldisclosure logo Full Disclosure mailing list archives

3COM 3crwe754g72-a Information Disclosure, Logs manipulation ...
From: Cyrille Barthelemy <cb-lse () ifrance com>
Date: Mon, 18 Oct 2004 14:14:10 +0200

Title: 3com 3crwe754g72-a Information Disclosure
Class: Design Error
 3com 3crwe754g72-a 
      v 1.11
      v 1.13
      v 1.24
Id: cbsa-0000
Release Date: 2004 10 18
Author : Cyrille Barthelemy <cb-publicbox () ifrance com>

-- 1. Introduction 
3Com 3crwe754g72-a is a bundle product which provides various services
(adsl modem, 802.11b/g access point, router, dhcp server, snmp node ...).
All services are manageable using a web interface.

This product suffers from the following vulnerability :
     - information disclosure
     - clear text information storage
     - bad authentication design

which lead to some risks :
     - password and wep key retrieval
     - administrator logout by a third party
     - log clean

-- 2. Information disclosure
The product allows only one administrator to manage the device at the same 
time, when another client connect to the interface, the device display the ip 
address of the current administrator.
The web server has an Ip based authentication, using this we can reconfigure 
our network interface to use the same ip and access to the device.

-- 3. Clear text information storage
Using the previous information, the device allow us to fetch its current 
configuration using, accessing the following URL : 

This file contain the following interestant informations (offets may vary with 
 - clear text administrator password (offset 0x68, 0xE20 and 0xE7F0)
 - clear text wep key (offset 0xDD70)
 - wep passphrase (offset 0xDDDC)

-- 4. Administrator logout
With the same technique it is possible to logout the currently logged 
administrator using

user% wget

-- 5. Log cleaning
With the same technique all traces can be erased using the command

user% w3c -post -form 

-- 6. Solution
Apply the fix released by 3com available at :

-- 8. References
   - 3com website 

-- 11. History
 - Vulnerability discovered
 - 3com contacted at security () 3com com
 - vendor response
 - patch available

-- 12. Contact information
Cyrille Barthelemy <cb-publicbox () ifrance com>
Web Site : http://www.cyrille-barthelemy.com

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
  • 3COM 3crwe754g72-a Information Disclosure, Logs manipulation ... Cyrille Barthelemy (Oct 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]