Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Network Appliances :: 3com2.htm

3Com/USR Total Control Chassis dialup port access filters vulnerability



Vulnerability

    3Com/USR Total Control Chassis dialup port access filters

Affected

    If you are running above

Description

    Jason Downs found  following.  Total  Control Chassis' are  fairly
    common terminal  servers; when  someone dials  into an  ISP that's
    offering  X2,  they're  most  likely  dialing  into one.  Any such
    system  that  answers  with  a  'host:'  or  similar prompt and is
    running the specified version of the OS is vulnerable.   Following
    was tested under:

        Equipment: US Robotics/3Com Total Control Chassis
        Card: Netserver PRI
        OS: Total Control (tm) NETServer Card V.34/ISDN with Frame Relay V3.7.24

    When a port  is set to  "set host prompt"  the access filters  are
    ignored even  though the  specific port's  ifilter is  set. Access
    filters look like this:

        > sho filter allowed_hosts
         1 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.161/32 tcp dst eq 539
         2 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.165/32 tcp dst eq 23
         3 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.106/32 tcp dst eq 23
         4 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.168/32 tcp dst eq 540
         5 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.168/32 tcp dst eq 23
         6 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 3030
         7 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 3031
         8 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 513
         9 deny   0.0.0.0/0 0.0.0.0/0 ip

    Filter is set with "set all ifilter allowed_hosts".  Dialup  users
    are able to  type a host  name twice at  the "host:" prompt  which
    will in  turn open  a telnet  session to  the host  the user typed
    twice.  The results for a user doing this will show up as follows.

        > sho ses

        S19   woodnet.wce.wwu woodnet.wce.wwu. Login   In  ESTABLISHED 4:30

    Use of this will show up in the syslogs as:

        May 11 08:58:39 XXXXXX remote_access: Packet filter does not exist.
        User woodnet.wce.wwu.edu access denied.

    Contrary  to  the  statement,  access  is  not denied.  Credit for
    providing the technical examples goes to Doug Palin.

Solution

    This  problem  does  not  exist  on earlier versions, specifically
    Total  Control  (tm)  NETServer  Card  V.34/ISDN  with Frame Relay
    V3.6.22


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH