3com Total Control Filter Bypass Vulnerability
Total Control Chassis are fairly common terminal servers; when someone dials into an ISP that's offering X2, they're most likely dialing into one. Any such system that answers with a 'host:' or similar prompt and is running the specified version of the OS is vulnerable.

When a port is set to "set host prompt", the access filters are ignored even though the specific port's ifilter is set. Access filters look like this:

    > sho filter allowed_hosts
    1 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.161/32 tcp dst eq 539
    2 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.165/32 tcp dst eq 23
    3 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.106/32 tcp dst eq 23
    4 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.168/32 tcp dst eq 540
    5 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.168/32 tcp dst eq 23
    6 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 3030
    7 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 3031
    8 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 513
    9 deny 0.0.0.0/0 0.0.0.0/0 ip

The filter is set with "set all ifilter allowed_hosts".

Dialup users are able to type a host name twice at the "host:" prompt, which will in turn open a telnet session to the host the user typed twice. The results for a user doing this will show up as follows:

    > sho ses
    S19 woodnet.wce.wwu woodnet.wce.wwu. Login In ESTABLISHED 4:30

Use of this will show up in the syslogs as:

    May 11 08:58:39 XXXXXX remote_access: Packet filter does not exist. User woodnet.wce.wwu.edu access denied.

Contrary to the statement, access is not denied.

This version has been found vulnerable:

    Equipment: US Robotics/3Com Total Control Chassis
    Card: Netserver PRI
    OS: Total Control (tm) NETServer Card V.34/ISDN with Frame Relay V3.7.24

This problem does not exist on earlier versions; specifically, we have tried Total Control (tm) NETServer Card V.34/ISDN with Frame Relay V3.6.22.
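
The syslog entry quoted above is the only log trace of the bypass that the advisory gives, so it can be used as a detection signature. The following Python script is an added example, not part of the original advisory: it scans syslog lines for that message and counts the host names that were reached. It assumes the message format is exactly as quoted; the device name tc-chassis1 and all sample lines are constructed.

```python
import re
from collections import Counter

# Pattern derived from the single syslog line quoted in the advisory.
# The "User" field holds the host name typed at the "host:" prompt.
BYPASS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<device>\S+)\s+remote_access:\s+"
    r"Packet filter does not exist\.\s+"
    r"User\s+(?P<target>\S+)\s+access denied\.\s*$"
)


def find_bypass_events(lines):
    """Return one dict (ts, device, target) per matching syslog line."""
    events = []
    for line in lines:
        m = BYPASS_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def targets_by_count(events):
    """Count events per target host, ignoring case and a trailing dot."""
    return Counter(e["target"].lower().rstrip(".") for e in events)


# Constructed sample input (assumption: only the first line's wording
# comes from the advisory; device name and other lines are made up).
SAMPLE_LOG = """\
May 11 08:58:39 tc-chassis1 remote_access: Packet filter does not exist. User woodnet.wce.wwu.edu access denied.
May 11 09:02:10 tc-chassis1 example: constructed unrelated line
May 11 09:14:51 tc-chassis1 remote_access: Packet filter does not exist. User host.example.net access denied.
May 12 01:03:07 tc-chassis1 remote_access: Packet filter does not exist. User WOODNET.wce.wwu.edu. access denied.
""".splitlines()

if __name__ == "__main__":
    events = find_bypass_events(SAMPLE_LOG)
    for e in events:
        print(f"{e['ts']} {e['device']}: session opened to {e['target']}")
    for host, n in targets_by_count(events).most_common():
        print(f"{n:3d}  {host}")
```

Because the advisory notes that access is not actually denied when this message appears, each match should be treated as a session that was opened past the filter.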