==================================================== 
Security Research Advisory
Vulnerability name:
"3Com OfficeConnect Wireless Cable/DSL Router Authentication Bypass"
Advisory number: LC-2008-05
Advisory URL: http://www.ikkisoft.com 
==================================================== 
1) Affected Hardware/Software 
* 3CRWE554G72 
  (Hardware version: 3COM_AP51_v01, Software version: 1.2.0 - Nov 14,2006)
  
Product URL: 
http://www.3com.com/products/en_US/detail.jsp?tab=features&sku=3CRWE554G72&pathtype=support 
Other recent versions, as well as similar 3Com devices, may be affected 
due to the shared firmware code base.
==================================================== 
2) Severity 
Severity: Medium
Local/Remote: Remote
==================================================== 
3) Summary
"The 3Com OfficeConnect Wireless Cable/DSL Router is a high-speed, affordable, 
and easy-to-use small office solution that lets wireless and wired PCs and 
laptops securely share a single broadband Internet connection." 
This device is very common due to its affordable price and versatility. 
For these reasons it is widely deployed by large telecom providers across Europe 
(e.g. in Poland, Orange is currently deploying this device for its residential DSL). 
This device is prone to an authentication bypass vulnerability that permits an 
unauthenticated user to retrieve the complete system configuration, including the 
credentials of its services (e.g. web console, WiFi network).
==================================================== 
4) Vulnerability Details
The 3Com OfficeConnect Wireless Cable/DSL Router suffers from an authentication 
bypass vulnerability due to an improper authentication/authorization mechanism.
In order to manage the device, an easy-to-use web console is enabled by default 
on the internal network and (optionally) on the Internet. 
Although the HTTP daemon does not permit access to HTML pages and the web console 
without authentication, it is still possible to invoke and execute 
existing CGI programs. Unfortunately, the "System Tools-->Configuration-->Backup 
Configuration" functionality saves the current system configuration to a 
persistent plain-text file named "config.bin" using a custom CGI program. 
An unauthenticated user may directly invoke the "SaveCfgFile" CGI program and 
easily download the system configuration, which contains configuration settings, 
users, passwords, WiFi keys and other sensitive information.
Note: if the "Remote Administration" option is enabled, this vulnerability may 
be exploited from the Internet as well.
Example of sensitive content within the "config.bin" file:
[...]
pppoe_username=xxxxxxxxxxxxxxx
pppoe_password=xxxxxxxxx
pppoe_service_name=xxxxxxxxx
[...]
mradius_username=xxxxxx
mradius_password=xxxxxx
mradius_secret=xxxxxxx
[...]
http_username=xxxxx
login_password=xxxxx
http_passwd=xxxxx
[...]
AuthName=xxxxxxx
AuthPassword=xxxx
snmpStatus=xxxxxxx
snmpRoCommunity=xxxxxxxx
snmpRwCommunity=xxxxxxxx
[...]
multi_dmz_wan_ip1=xxxxxxxxxx
[...]
lan_macaddr=xxxxxxxxxxxxx
[...]
Later on, looking for similar vulnerabilities in the Bugtraq database, 
I've found a similar finding discovered by Patrik, cqure.net 
(iDEFENSE Security Advisory 01.20.05). As far as I know and I can understand 
from the firmware versions reported, this issue seems to be a further 
authentication bypass technique due to an insufficient patch supplied 
by the vendor.
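The flaw class described above (authentication enforced on HTML pages but not on CGI programs reachable by name) can be illustrated with a minimal request dispatcher. This is an added example, not the vendor's firmware code; the paths, the session flag and the configuration values are constructed stand-ins.

```python
"""Vulnerable vs. hardened authorization in a small web-console dispatcher."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed stand-in for the device's persistent configuration store.
CONFIG = {"pppoe_username": "user@isp.example", "pppoe_password": "PLACEHOLDER",
          "http_passwd": "PLACEHOLDER"}
SENSITIVE_KEYS = {"pppoe_password", "http_passwd", "mradius_secret", "snmpRwCommunity"}
PUBLIC_PATHS = {"/login.html"}          # hypothetical login page


@dataclass
class Request:
    path: str
    authenticated: bool   # outcome of the session / HTTP-auth check


def save_cfg_file() -> str:
    """Stand-in for the SaveCfgFile CGI: serialises the config as key=value text."""
    return "\n".join(f"{k}={v}" for k, v in CONFIG.items())


def handle_vulnerable(req: Request) -> tuple[int, str]:
    """Auth is checked per resource type: only .html pages are gated, so a CGI
    program invoked directly by name runs for anonymous callers."""
    if req.path.endswith(".html") and not req.authenticated:
        return 401, ""
    if req.path == "/SaveCfgFile":
        return 200, save_cfg_file()
    return 404, ""


def handle_hardened(req: Request) -> tuple[int, str]:
    """Default deny: one check in front of the dispatcher covers HTML pages and
    CGI programs alike; only an explicit allow-list is reachable anonymously."""
    if req.path not in PUBLIC_PATHS and not req.authenticated:
        return 401, ""
    if req.path == "/SaveCfgFile":
        return 200, save_cfg_file()
    if req.path in PUBLIC_PATHS:
        return 200, "<html>login</html>"
    return 404, ""


def leaked_keys(body: str) -> set[str]:
    """Sensitive keys present in a response body (used to assess a leak)."""
    return {line.split("=", 1)[0] for line in body.splitlines()} & SENSITIVE_KEYS
```

The same test request (anonymous call to the backup CGI) returns the full configuration from the vulnerable dispatcher and 401 from the hardened one.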
==================================================== 
5) Exploit 
Attackers may exploit this flaw through a common web browser.
http://