3com/USR Total Control Chassis termserver problem

Summary
Description: The IP filtering on these servers does not appear to be applied to dial-in connections. A user can dial in, get a "host:" prompt without authentication, and then type in any hostname on the Internet (or intranet) to connect to. The system logs incorrectly report that the connection was denied.
Author: Jason Downs <downsj@DOWNSJ.COM>
Compromise: Unauthorized access to Internet/intranet hosts through the terminal server
Vulnerable Systems: Those running the Total Control (tm) NETServer Card V.34/ISDN with Frame Relay V3.7.24, perhaps other versions.
Date: 11 May 1998
Details


Date: Mon, 11 May 1998 13:57:44 -0700
From: Jason Downs <downsj@DOWNSJ.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: 3Com/USR Total Control Chassis dialup port access filters

Total Control Chassis are fairly common terminal servers; when someone
dials into an ISP that's offering X2, they're most likely dialing into one.

Any such system that answers with a 'host:' or similar prompt and is running
the specified version of the OS is vulnerable.  Likely without the ISP even
knowing it.  This bug is being actively exploited.


Equipment: US Robotics/3Com Total Control Chassis
Card: Netserver PRI
OS: Total Control (tm) NETServer Card V.34/ISDN with Frame Relay V3.7.24

Details:

When a port is set to "set host prompt" the access filters are ignored
even though the specific port's ifilter is set. Access filters look like
this:

> sho filter allowed_hosts
 1 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.161/32 tcp dst eq 539
 2 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.165/32 tcp dst eq 23
 3 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.106/32 tcp dst eq 23
 4 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.168/32 tcp dst eq 540
 5 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.168/32 tcp dst eq 23
 6 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 3030
 7 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 3031
 8 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 513
 9 deny   0.0.0.0/0 0.0.0.0/0 ip

Filter is set with "set all ifilter allowed_hosts"

Dialup users are able to type a host name twice at the "host:" prompt which
will in turn open a telnet session to the host the user typed twice.
The results for a user doing this will show up as follows.

> sho ses

S19   woodnet.wce.wwu woodnet.wce.wwu. Login   In  ESTABLISHED     4:30


Use of this will show up in the syslogs as:

May 11 08:58:39 XXXXXX remote_access: Packet filter does not exist. User woodnet.wce.wwu.edu access denied.

Contrary to the statement, access is not denied.


This problem does not exist on earlier versions; specifically, we have tried
Total Control (tm) NETServer Card V.34/ISDN with Frame Relay V3.6.22.


Credit for providing the technical examples in this post goes to Doug Palin,
<doug@pacifier.com>.

--
Jason Downs
downsj@downsj.com
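The advisory makes two points an operator would want to check: what the "allowed_hosts" ifilter is supposed to enforce on a dial-in port, and that the "Packet filter does not exist ... access denied" syslog message cannot be trusted on the affected firmware. The following Python script is an added example, not code from the advisory, from 3Com/USR, or from the poster. It parses a filter listing in the "sho filter" format shown above, evaluates a connection attempt against it, and flags the misleading syslog line so the operator can cross-check open sessions with "sho ses". Assumptions: the masked XXX octets are replaced with 192.0.2.0/24 documentation addresses, the masked hostname is replaced with the placeholder "tc-chassis", rules are evaluated first-match-wins with an implicit deny, and the sample syslog lines are constructed.

```python
"""Model of the Total Control "allowed_hosts" ifilter plus a syslog check.

Added example, not the vendor's code. First-match-wins and implicit deny are
assumptions about the device's filter semantics; addresses and log lines are
constructed (192.0.2.0/24 stands in for the masked XXX.XXX.XXX octets).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One rule line of "sho filter <name>" output: num action src dst proto [dst eq port]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(\S+)\s+(\w+)(?:\s+dst\s+eq\s+(\d+))?\s*$"
)
# Message the advisory shows; on V3.7.24 it is logged even though the
# telnet session to the typed host actually opens.
SUSPECT_RE = re.compile(
    r"remote_access: Packet filter does not exist\. User (\S+) access denied\."
)

# Constructed sample: the advisory's listing with documentation addresses.
FILTER_LISTING = """\
 1 permit 192.0.2.12/24 192.0.2.161/32 tcp dst eq 539
 2 permit 192.0.2.12/24 192.0.2.165/32 tcp dst eq 23
 3 permit 192.0.2.12/24 192.0.2.106/32 tcp dst eq 23
 4 permit 192.0.2.12/24 192.0.2.168/32 tcp dst eq 540
 5 permit 192.0.2.12/24 192.0.2.168/32 tcp dst eq 23
 6 permit 192.0.2.12/24 192.0.2.109/32 tcp dst eq 3030
 7 permit 192.0.2.12/24 192.0.2.109/32 tcp dst eq 3031
 8 permit 192.0.2.12/24 192.0.2.109/32 tcp dst eq 513
 9 deny   0.0.0.0/0 0.0.0.0/0 ip
"""

# Constructed sample syslog: the advisory's line (hostname masked as
# "tc-chassis") plus one unrelated line that must not be flagged.
SAMPLE_SYSLOG = [
    "May 11 08:58:39 tc-chassis remote_access: Packet filter does not exist. "
    "User woodnet.wce.wwu.edu access denied.",
    "May 11 09:02:11 tc-chassis remote_access: port S19 line up",
]


@dataclass
class Rule:
    num: int
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dst_port: Optional[int]


def parse_filter(listing: str) -> List[Rule]:
    """Turn the text of a "sho filter" listing into Rule objects."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # headers or blank lines
        num, action, src, dst, proto, port = m.groups()
        rules.append(Rule(
            int(num), action,
            # The listing uses host/prefix form (e.g. .12/24), so allow host bits.
            ipaddress.ip_network(src, strict=False),
            ipaddress.ip_network(dst, strict=False),
            proto.lower(),
            int(port) if port else None,
        ))
    return rules


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str,
             proto: str, dst_port: int) -> Tuple[str, Optional[int]]:
    """Return (action, matching rule number); implicit deny if nothing matches."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if src not in r.src or dst not in r.dst:
            continue
        if r.proto != "ip" and r.proto != proto.lower():
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r.action, r.num
    return "deny", None


def flag_suspect_log_lines(lines: List[str]) -> List[str]:
    """Return the hostnames from log lines that claim a denial the filter
    may not have enforced; each one warrants a look at "sho ses"."""
    return [m.group(1) for m in map(SUSPECT_RE.search, lines) if m]


RULES = parse_filter(FILTER_LISTING)

if __name__ == "__main__":
    print("telnet to 192.0.2.165:", evaluate(RULES, "192.0.2.50", "192.0.2.165", "tcp", 23))
    print("telnet to off-site host:", evaluate(RULES, "192.0.2.50", "198.51.100.7", "tcp", 23))
    print("suspect denials to audit:", flag_suspect_log_lines(SAMPLE_SYSLOG))
```

With the filter as listed, a dial-in telnet to the .165 host is the only thing rule 2 allows; any other destination, or a permitted host on a port other than the one listed, should fall through to rule 9. Whatever the evaluator says is irrelevant on the affected firmware, which is the point of the log check: every flagged hostname is a session the device claims to have refused but may have connected.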

This page is part of Fyodor's exploit world.