[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Improper Authentication Mechanism in 3Com Wireless8760 Dual Radio 11a/b/g Poe Access Point
- To: Yossi Yakubov <yos20053@xxxxxxxxx>
- Subject: Re: Improper Authentication Mechanism in 3Com Wireless8760 Dual Radio 11a/b/g Poe Access Point
- From: Tom Neaves <tom@xxxxxxxxxxxxxxx>
- Date: Tue, 15 Sep 2009 22:49:21 +0100
Hi Yossi,
Are you doing something funky with your IP address, e.g., NAT'ed/short DHCP
lease? The reason I ask is because in 2008, Adrian Pastor stated
authentication in the 3Com Wireless 8760 was linked to the source IP
address [1]. It may well be the case (as you have discovered) that it
allows arbitrary IP addresses to access the config once an administrator
has authentication... However, I just wanted to hit this badboy up incase
there was some confusion.
Cheers,
Tom
[1] http://securityreason.com/wlb_show/WLB-2008110039
On Tue, 15 Sep 2009 22:27:31 +0300, Yossi Yakubov <yos20053@xxxxxxxxx>
wrote:
> Hi
> My name is Yossi Yakubov and i am a security researcher. Recently me
> and my collegues found the following vulnerability in the 3Com
> Wireless8760 web administration interface:
>
> If one user is authenticated to the web interface, other users can
> access to internal pages without further authentication. That means
> that one opened Session is enough between the user and web
> administration , and other users can also access to the web
> administration interface.
>
> Malicious user can wait until ones logins to the interface and then he
> can access and administer 3Com Wireless8760 Access Point without
> further authentication. Among different operations the malicious user
> can cause to Denial of Service (Dos) attack to the entire network by
> changing the configuration such as IP addresses.
>
> FYI
>
> Waiting for your review
>
> Best Regards
>
> Yossi Yakubov