3Com Total Control Filter Bypass Vulnerability

Total Control Chassis are fairly common terminal servers; when someone
dials into an ISP that offers X2, they are most likely dialing into one.
Any such system that answers with a 'host:' or similar prompt and is running
the specified version of the OS is vulnerable.

When a port is set to "set host prompt", the access filters are ignored
even though the specific port's ifilter is set. Access filters look like
this:
> sho filter allowed_hosts
1 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.161/32 tcp dst eq 539
2 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.165/32 tcp dst eq 23
3 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.106/32 tcp dst eq 23
4 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.168/32 tcp dst eq 540
5 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.168/32 tcp dst eq 23
6 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 3030
7 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 3031
8 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 513
9 deny 0.0.0.0/0 0.0.0.0/0 ip

Filter is set with "set all ifilter allowed_hosts"

Dialup users are able to type a host name twice at the "host:" prompt, which
will in turn open a telnet session to the host the user typed twice.
For a user doing this, the session list will show the following:

> sho ses

S19 woodnet.wce.wwu woodnet.wce.wwu. Login In ESTABLISHED 4:30

Use of this will show up in the syslogs as:

May 11 08:58:39 XXXXXX remote_access: Packet filter does not exist. User woodnet.wce.wwu.edu access denied.

Contrary to the statement, access is not denied.
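
The mismatch described above (a logged denial next to a live session) can be
checked mechanically. The following is an added example, not part of the
original advisory: it pairs the "Packet filter does not exist" syslog message
with ESTABLISHED rows from "sho ses" output. The inputs are constructed, and
the column meaning and the 15-character name truncation are assumptions
inferred from the sample lines.

```python
import re

# Constructed inputs modelled on the advisory's samples; "tc-hub1", "jsmith"
# and "jdoe" are made-up values, and the syslog entry is on one line.
SYSLOG = """\
May 11 08:58:39 tc-hub1 remote_access: Packet filter does not exist. User woodnet.wce.wwu.edu access denied.
May 11 09:02:10 tc-hub1 remote_access: Packet filter does not exist. User jsmith access denied.
"""
SESSIONS = """\
S19 woodnet.wce.wwu woodnet.wce.wwu. Login In ESTABLISHED 4:30
S20 jdoe 192.0.2.7 Login In ESTABLISHED 0:12
"""

DENIED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<nas>\S+)\sremote_access:\s"
    r"Packet filter does not exist\.\sUser\s(?P<user>\S+)\saccess denied\.")
NAME_WIDTH = 15  # assumption: "sho ses" truncates names, as in the S19 row

def established(sessions):
    """Return (session id, name) for every row that contains ESTABLISHED."""
    rows = (line.split() for line in sessions.splitlines())
    return [(f[0], f[1]) for f in rows if len(f) >= 3 and "ESTABLISHED" in f]

def same_name(logged, shown):
    """Compare a syslog name with a possibly truncated session-table name."""
    return logged == shown or (len(shown) >= NAME_WIDTH and logged.startswith(shown))

def find_bypasses(syslog, sessions):
    """List logged "denials" whose name still owns an ESTABLISHED session."""
    live = established(sessions)
    hits = []
    for line in syslog.splitlines():
        m = DENIED.match(line)
        if not m:
            continue
        sids = [sid for sid, name in live if same_name(m["user"], name)]
        if sids:
            hits.append({"time": m["ts"], "nas": m["nas"],
                         "user": m["user"], "sessions": sids})
    return hits

if __name__ == "__main__":
    for hit in find_bypasses(SYSLOG, SESSIONS):
        print(hit)
```

A hit means the log claims a denial while the session table shows the
connection up, which is the contradiction this advisory reports.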

This version has been found vulnerable:

Equipment: US Robotics/3Com Total Control Chassis
Card: Netserver PRI
OS: Total Control (tm) NETServer Card V.34/ISDN with Frame Relay V3.7.24

This problem does not exist on earlier versions; specifically, we have tried
Total Control (tm) NETServer Card V.34/ISDN with Frame Relay V3.6.22


 

Copyright 2010, SecurityFocus