COMMAND

    3COM

SYSTEMS AFFECTED

    3COM OfficeConnect DSL router

PROBLEM

    "inc" found  following.   The router  is a  3COM OfficeConnect 812
    and the vulnerability is on the HTTP server, on port 80.  When you
    enter with  a browser  on one  of this  router, you  are asked for
    user/password, if  you fail,  you can  see a  web page telling you
    that is a  protected objetct, but  you have a  .GIF file you  have
    access to and you dont need to put the .GIF.

        http://192.168.1.254/graphics/sml3com

    Well... you put this, and you see the image...

    Well.... lets add a long string later.

        http://192.168.1.254/graphics/sml3com%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s

    ...the router causes  an NMI, red  lights, flashing lights...  and
    it's dead...  it disconnect and come online again on a minute.

    3COM OfficeConnect 812 is  the router that Terra  (from Telefonica
    Spain)  puts  on  almost  DSL  connections,  even for all short of
    businness.  They are selling now this router even when is a better
    firmware (not tested yet) that maybe resolve this problem.

    This  buffer  overflow  exploit  is  effective  against  the  3Com
    OfficeConnect  Remote  840  SDSL  router,  as  well.    NorthPoint
    Communications (and  probably other  ISPs) resold  this router  in
    some areas of the U.S.

    When James  Renken tested  it, the  router ceased  to function and
    its LEDs began flashing, but  it did not automatically reset  - he
    had to disconnect and reconnect  the power cable.  He  tested this
    with  software  version  1.0.7,  firmware  4.2.  (The router model
    number is 3c840-US.)

    The unprotected  adsl_pair_select and  adsl_reset problems  aren't
    present on  the 840.   3Com helpfully  provides no  e-mail support
    for this product, and their telephone support group was unable  to
    find any support information for it...

SOLUTION

    Put  filters  to  the  router  to  the remote sites and only allow
    connections to 23 and 80 from local network.