COMMAND
3Com/USR Total Control Chassis dialup port access filters
SYSTEMS AFFECTED
Systems running the above
PROBLEM
Jason Downs found the following. Total Control Chassis are fairly
common terminal servers; when someone dials into an ISP that's
offering X2, they're most likely dialing into one. Any such
system that answers with a 'host:' or similar prompt and is
running the specified version of the OS is vulnerable. The following
was tested under:
Equipment: US Robotics/3Com Total Control Chassis
Card: Netserver PRI
OS: Total Control (tm) NETServer Card V.34/ISDN with Frame Relay V3.7.24
When a port is set to "set host prompt" the access filters are
ignored even though the specific port's ifilter is set. Access
filters look like this:
> sho filter allowed_hosts
1 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.161/32 tcp dst eq 539
2 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.165/32 tcp dst eq 23
3 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.106/32 tcp dst eq 23
4 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.168/32 tcp dst eq 540
5 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.168/32 tcp dst eq 23
6 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 3030
7 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 3031
8 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 513
9 deny 0.0.0.0/0 0.0.0.0/0 ip
The filter is set with "set all ifilter allowed_hosts". Dialup users
are able to type a host name twice at the "host:" prompt, which
will in turn open a telnet session to the host the user typed
twice. The results for a user doing this will show up as follows:
> sho ses
S19 woodnet.wce.wwu woodnet.wce.wwu. Login In ESTABLISHED 4:30
Use of this will show up in the syslogs as:
May 11 08:58:39 XXXXXX remote_access: Packet filter does not exist.
User woodnet.wce.wwu.edu access denied.
Contrary to the statement, access is not denied. Credit for
providing the technical examples goes to Doug Palin.
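A log check for the syslog message quoted above, as an added example that is not part of the original advisory: since "access denied" is logged while the session is in fact opened, every occurrence is reported as a filter bypass event. The device names and host names in the sample are constructed, and the message is assumed to arrive either on one line or wrapped as printed above.

```python
import re
from collections import Counter

# The message quoted in the advisory. \s+ between its two sentences also
# accepts the wrapped two-line form in which it is printed above.
BYPASS = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<device>\S+)\s+"
    r"remote_access:\s+Packet filter does not exist\.\s+"
    r"User\s+(?P<target>\S+)\s+access denied\.",
    re.MULTILINE,
)

# Constructed sample: device names (ts1, ts2), host names and the
# unrelated syslogd line are made up for this example.
SAMPLE_LOG = """\
May 11 08:58:39 ts1 remote_access: Packet filter does not exist. User hosta.example.net access denied.
May 11 09:02:10 ts1 syslogd: restart
May 11 09:14:51 ts1 remote_access: Packet filter does not exist.
User hostb.example.net access denied.
May 11 09:40:03 ts2 remote_access: Packet filter does not exist. User HOSTA.example.net. access denied.
"""


def find_filter_bypass(log_text):
    """Return one record per logged event, in log order.

    In the advisory's example the "User" field carries the host name typed
    at the host: prompt, so it is reported as the session target,
    lower-cased and without a trailing dot.
    """
    events = []
    for match in BYPASS.finditer(log_text):
        event = match.groupdict()
        event["target"] = event["target"].lower().rstrip(".")
        events.append(event)
    return events


def summarize(events):
    """Count events per (device, target) so repeated destinations stand out."""
    return Counter((e["device"], e["target"]) for e in events)


if __name__ == "__main__":
    hits = find_filter_bypass(SAMPLE_LOG)
    for (device, target), count in sorted(summarize(hits).items()):
        print(f"{device}: {count} unfiltered session(s) to {target}")
```

Hits can be cross-checked against the "sho ses" output on the named device to find sessions that are still established.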
SOLUTION
This problem does not exist on earlier versions, specifically
Total Control (tm) NETServer Card V.34/ISDN with Frame Relay
V3.6.22