|
Issue : Memory leak in 3COM DSL routers Affected product : OfficeConnect Remote 812 ADSL Router Affected Firware : 1.1.7 Inmune firwamre : 1.1.9 Description : 3Com develops OfficeConnect 812 DSL routers that are widely used in Spanish ADSL lines . There is a flaw in the 1.1.7 firmware that enables an attacker able to sniff DHCP traffic to view the HTTP requests made previously by the user navigator . That allows to view HTTP identification values and form values . Every time a DHCP requests is made to the router, is answered correctly , but written over a previous HTTP request . Seems that someone forgot to initialize to a value the buffers before reusing them . If you run a sniffer and make a ipconfig /renew that's what you get ( my Ip address is obfuscated in the packet ) IP HEADER xx.xx.8.1 -> xx.xx.8.73 ------------------------------------------ IP->version: 4 IP->ihl: 5 IP->tos: 0 IP->tot_len: 604 IP->id: 27717 IP->frag_off: 0 IP->ttl: 255 IP->protocol: 17 IP->checksum: 39107 UDP HEADER ---------- UDP->sport: 67 UDP->dport: 68 UDP->ulen: 584 UDP->checksum: 58124 ----- Begin of data dump ----- 02 01 06 00 df 1e da 6d 00 00 00 00 00 00 08 49 ....¯.+m....P!.I 00 00 08 49 00 00 00 00 00 00 00 00 00 04 76 d8 P!.I..........vÏ 0a 8d 69 72 72 65 6c 6d 61 69 6c 2f 00 6d 61 67 .ìirrelmail/.mag 65 73 2f 73 6f 72 74 5f 6e 6f 6e 65 2e 70 6e 67 es/sort_none.png 20 48 54 54 50 2f 31 2e 31 0d 0a 41 63 63 65 70 HTTP/1.1..Accep 74 3a 20 2a 2f 2a 0d 0a 52 65 66 65 72 65 72 3a t: */*..Referer: 20 68 74 74 70 3a 2f 2f 77 77 77 2e 00 73 61 6e http://www..san 74 69 76 69 72 75 73 2e 63 6f 6d 2f 73 71 75 69 tivirus.com/squi 72 72 65 6c 6d 61 69 6c 2f 69 6d 61 67 65 73 2f rrelmail/images/ 73 6f 72 74 5f 6e 6f 6e 65 2e 70 6e 67 0d 0a 41 sort_none.png..A 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 ccept-Language: 65 73 0d 0a 49 66 2d 4d 6f 64 69 66 69 65 64 2d es..If-Modified- 53 69 6e 63 65 3a 20 54 68 75 2c 20 31 33 20 4d Since: Thu, 13 M 61 72 20 32 30 30 33 20 31 31 3a 30 31 3a 30 39 ar 2003 11:01:09 20 47 4d 54 0d 0a 49 66 2d 4e 6f 6e 63 82 53 63 GMT..If-NoncéSc 35 01 05 36 04 50 21 08 01 33 04 00 00 00 3c 01 5..6.P!..3...... 04 ff ff ff 00 0f 0a 64 75 6d 6d 79 2e 6e 65 74 .......dummy.net 00 03 04 00 00 08 01 06 08 c2 e0 34 24 c2 e0 34 ...P!.....Ó4$.Ó4 25 2c 04 00 00 00 00 0c 06 75 6e 69 74 30 00 ff %,.......unit0.. 20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f MSIE 6.0; Windo 77 73 20 4e 54 20 35 2e 30 29 0d 0a 48 6f 73 74 ws NT 5.0)..Host 3a 20 77 77 77 2e 76 73 61 6e 74 69 76 69 72 75 : www.vsantiviru 73 2e 63 6f 6d 0d 0a 43 6f 6f 6b 69 65 3a 20 73 s.com..Cookie: s 71 75 69 72 72 65 6c 6d 61 69 6c 5f 6c 61 6e 67 quirrelmail_lang 75 61 67 65 3d 65 73 5f 45 53 3b 20 50 48 50 53 uage=es_ES; PHPS 45 53 53 49 44 3d 37 63 64 34 63 61 63 65 63 61 ESSID=7cd4caceca 38 38 32 66 36 34 37 39 33 31 62 38 35 62 32 65 882f647931b85b2e 62 62 35 39 34 34 3b 20 6b 65 79 3d 76 72 42 66 bb5944; key=vrBf 64 35 59 45 0d 0a 41 63 63 65 70 74 2d 65 6e 63 d5YE..Accept-enc 6f 64 69 6e 67 3a 20 67 7a 69 70 2c 20 64 65 66 oding: gzip, def 6c 61 74 65 0d 0a 0d 0a 0a 0d 0a 66 6c 61 74 65 late.......flate 0d 0a 0d 0a 4f 48 78 67 48 55 72 69 74 4c 72 33 ....OHxgHUritLr3 66 34 59 4c 62 31 34 56 6d 53 43 78 33 70 56 38 f4YLb14VmSCx3pV8 67 7a 56 35 69 4e 46 42 77 61 6c 5a 76 56 64 76 gzV5iNFBwalZvVdv 6f 48 5a 37 50 68 4a 52 77 33 53 33 72 44 33 50 oHZ7PhJRw3S3rD3P 74 35 39 33 66 39 54 2b 54 52 76 4a 37 62 48 69 t593f9T+TRvJ7bHi ----- End of data dump ----- Note that this is not the vulnerability discovered by eeye ( etherleak ) , despite it has the same cause . Solution : Upgrade to the lastest version ( 1.1.9 ) You can read this advisory in spanish at http://nautopia.coolfreepages.com/vulnerabilidades/3com812_dhcp_leak.htm Regards , David F. Madrid , Madrid , Spain