Title: 3com 3crwe754g72-a Information Disclosure
Class: Design Error
Affects:
 3com 3crwe754g72-a 
      v 1.11
      v 1.13
      v 1.24
Id: cbsa-0000
Release Date: 2004 10 18
Author : Cyrille Barthelemy <cb-publicbox@ifrance.com>




-- 1. Introduction 
------------------
3Com 3crwe754g72-a is a bundle product which provides various services
(adsl modem, 802.11b/g access point, router, dhcp server, snmp node ...).
All services are manageable using a web interface.

This product suffers from the following vulnerability :
     - information disclosure
     - clear text information storage
     - bad authentication design

which lead to some risks :
     - password and wep key retrieval
     - administrator logout by a third party
     - log clean


-- 2. Information disclosure
---------------------------
The product allows only one administrator to manage the device at the same 
time, when another client connect to the interface, the device display the ip 
address of the current administrator.
The web server has an Ip based authentication, using this we can reconfigure 
our network interface to use the same ip and access to the device.


-- 3. Clear text information storage
------------------------------------
Using the previous information, the device allow us to fetch its current 
configuration using, accessing the following URL : 
'http://192.168.0.1/cgi-bin/config.bin'

This file contain the following interestant informations (offets may vary with 
versions)
 - clear text administrator password (offset 0x68, 0xE20 and 0xE7F0)
 - clear text wep key (offset 0xDD70)
 - wep passphrase (offset 0xDDDC)

-- 4. Administrator logout
--------------------------
With the same technique it is possible to logout the currently logged 
administrator using

user% wget http://192.168.0.1/cgi-bin/logout.exe

-- 5. Log cleaning
------------------
With the same technique all traces can be erased using the command

user% w3c -post http://192.168.0.1/cgi-bin/statusprocess.exe -form 
"securityclear=1"


-- 6. Solution
--------------
Apply the fix released by 3com available at :
http://www.3com.com/products/en_US/result.jsp?selected=6&sort=effdt&sku=3CRWE754G72-A&order=desc

-- 8. References
----------------
   - 3com website 
     http://www.3com.com/support


-- 11. History
--------------
2004-07-02.
 - Vulnerability discovered
2004-08-24
 - 3com contacted at security@3com.com
2004-09-08
 - vendor response
2004-10-14
 - patch available

-- 12. Contact information
------------------------
Cyrille Barthelemy <cb-publicbox@ifrance.com>
Web Site : http://www.cyrille-barthelemy.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html