Issue :

Memory leak in 3COM DSL routers

Affected product :

OfficeConnect Remote 812 ADSL Router

Affected Firware :

1.1.7

Inmune firwamre :

1.1.9

Description :

3Com develops OfficeConnect 812 DSL routers that are widely used in
Spanish ADSL lines . There is a flaw in the 1.1.7 firmware that enables an
attacker able to sniff DHCP traffic to view the HTTP requests made
previously by the user navigator . That allows to view HTTP identification
values and form values .
Every time a DHCP requests is made to the router,  is answered correctly ,
but written over a previous HTTP request . Seems that someone forgot to
initialize to a value the buffers before reusing them . If you run a
sniffer and make a ipconfig /renew that's what you get ( my Ip address is
obfuscated in the packet )
IP HEADER xx.xx.8.1 -> xx.xx.8.73
------------------------------------------
 IP->version: 4
 IP->ihl: 5
 IP->tos: 0
 IP->tot_len: 604
 IP->id: 27717
 IP->frag_off: 0
 IP->ttl: 255
 IP->protocol: 17
 IP->checksum: 39107
UDP HEADER
----------
 UDP->sport: 67
 UDP->dport: 68
 UDP->ulen: 584
 UDP->checksum: 58124

----- Begin of data dump -----
02 01 06 00 df 1e da 6d 00 00 00 00 00 00 08 49  ....¯.+m....P!.I
00 00 08 49 00 00 00 00 00 00 00 00 00 04 76 d8  P!.I..........vÏ
0a 8d 69 72 72 65 6c 6d 61 69 6c 2f 00 6d 61 67  .ìirrelmail/.mag
65 73 2f 73 6f 72 74 5f 6e 6f 6e 65 2e 70 6e 67  es/sort_none.png
20 48 54 54 50 2f 31 2e 31 0d 0a 41 63 63 65 70   HTTP/1.1..Accep
74 3a 20 2a 2f 2a 0d 0a 52 65 66 65 72 65 72 3a  t: */*..Referer:
20 68 74 74 70 3a 2f 2f 77 77 77 2e 00 73 61 6e   http://www..san
74 69 76 69 72 75 73 2e 63 6f 6d 2f 73 71 75 69  tivirus.com/squi
72 72 65 6c 6d 61 69 6c 2f 69 6d 61 67 65 73 2f  rrelmail/images/
73 6f 72 74 5f 6e 6f 6e 65 2e 70 6e 67 0d 0a 41  sort_none.png..A
63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20  ccept-Language:
65 73 0d 0a 49 66 2d 4d 6f 64 69 66 69 65 64 2d  es..If-Modified-
53 69 6e 63 65 3a 20 54 68 75 2c 20 31 33 20 4d  Since: Thu, 13 M
61 72 20 32 30 30 33 20 31 31 3a 30 31 3a 30 39  ar 2003 11:01:09
20 47 4d 54 0d 0a 49 66 2d 4e 6f 6e 63 82 53 63   GMT..If-NoncéSc
35 01 05 36 04 50 21 08 01 33 04 00 00 00 3c 01  5..6.P!..3......
04 ff ff ff 00 0f 0a 64 75 6d 6d 79 2e 6e 65 74  .......dummy.net
00 03 04 00 00 08 01 06 08 c2 e0 34 24 c2 e0 34  ...P!.....Ó4$.Ó4
25 2c 04 00 00 00 00 0c 06 75 6e 69 74 30 00 ff  %,.......unit0..
20 4d 53 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f   MSIE 6.0; Windo
77 73 20 4e 54 20 35 2e 30 29 0d 0a 48 6f 73 74  ws NT 5.0)..Host
3a 20 77 77 77 2e 76 73 61 6e 74 69 76 69 72 75  : www.vsantiviru
73 2e 63 6f 6d 0d 0a 43 6f 6f 6b 69 65 3a 20 73  s.com..Cookie: s
71 75 69 72 72 65 6c 6d 61 69 6c 5f 6c 61 6e 67  quirrelmail_lang
75 61 67 65 3d 65 73 5f 45 53 3b 20 50 48 50 53  uage=es_ES; PHPS
45 53 53 49 44 3d 37 63 64 34 63 61 63 65 63 61  ESSID=7cd4caceca
38 38 32 66 36 34 37 39 33 31 62 38 35 62 32 65  882f647931b85b2e
62 62 35 39 34 34 3b 20 6b 65 79 3d 76 72 42 66  bb5944; key=vrBf
64 35 59 45 0d 0a 41 63 63 65 70 74 2d 65 6e 63  d5YE..Accept-enc
6f 64 69 6e 67 3a 20 67 7a 69 70 2c 20 64 65 66  oding: gzip, def
6c 61 74 65 0d 0a 0d 0a 0a 0d 0a 66 6c 61 74 65  late.......flate
0d 0a 0d 0a 4f 48 78 67 48 55 72 69 74 4c 72 33  ....OHxgHUritLr3
66 34 59 4c 62 31 34 56 6d 53 43 78 33 70 56 38  f4YLb14VmSCx3pV8
67 7a 56 35 69 4e 46 42 77 61 6c 5a 76 56 64 76  gzV5iNFBwalZvVdv
6f 48 5a 37 50 68 4a 52 77 33 53 33 72 44 33 50  oHZ7PhJRw3S3rD3P
74 35 39 33 66 39 54 2b 54 52 76 4a 37 62 48 69  t593f9T+TRvJ7bHi
----- End of data dump -----


Note that this is not the vulnerability discovered by eeye ( etherleak ) ,
despite it has the same cause .
Solution :

Upgrade to the lastest version ( 1.1.9 )


You can read this advisory in spanish at

http://nautopia.coolfreepages.com/vulnerabilidades/3com812_dhcp_leak.htm

Regards ,

David F. Madrid ,
Madrid , Spain