Title: 3com Total Control Filter Bypass Vulnerability
Severity: HIGH
Description:
Total Control Chassis are fairly common terminal servers; when someone
dials into an ISP that's offering X2, they're most likely dialing into one.
Any such system that answers with a 'host:' or similar prompt and is running
the specified version of the OS is vulnerable.
When a port is set to "set host prompt", the access filters are ignored
even though the specific port's ifilter is set. Access filters look like
this:
> sho filter allowed_hosts
1 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.161/32 tcp dst eq 539
2 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.165/32 tcp dst eq 23
3 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.106/32 tcp dst eq 23
4 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.168/32 tcp dst eq 540
5 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.168/32 tcp dst eq 23
6 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 3030
7 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 3031
8 permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 513
9 deny 0.0.0.0/0 0.0.0.0/0 ip
The filter is applied with "set all ifilter allowed_hosts".
Dialup users can type a host name twice at the "host:" prompt, which in
turn opens a telnet session to that host.
A session opened this way shows up as follows:
> sho ses
S19 woodnet.wce.wwu woodnet.wce.wwu. Login In ESTABLISHED 4:30
Use of this will show up in the syslogs as:
May 11 08:58:39 XXXXXX remote_access: Packet filter does not exist. User
woodnet.wce.wwu.edu access denied.
Contrary to the log message, access is not denied.
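Because the syslog message above is the only trace the advisory describes, it can serve as a detection signal. The following is an added example, not part of the original advisory: it scans syslog text for that message and groups hits by the host named in the "User" field. The sample log and the names nas1, nas2 and host-a.example.net are constructed, and a standard syslog header layout is assumed.

```python
import re
from collections import defaultdict

# Message text is the one quoted in the advisory. \s+ between words also
# tolerates the line wrap shown there. Header layout is an assumption.
BYPASS_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<nas>\S+)\s+remote_access:\s+"
    r"Packet\s+filter\s+does\s+not\s+exist\.\s+"
    r"User\s+(?P<target>\S+)\s+access\s+denied\."
)

# Constructed sample log: one wrapped entry, two single-line entries,
# and one unrelated line that must be ignored.
SAMPLE_LOG = """\
May 11 08:58:39 nas1 remote_access: Packet filter does not exist. User
woodnet.wce.wwu.edu access denied.
May 11 09:02:10 nas1 remote_access: Packet filter does not exist. User host-a.example.net access denied.
May 11 09:03:00 nas1 cron[411]: unrelated line
May 11 09:05:44 nas2 remote_access: Packet filter does not exist. User host-a.example.net access denied.
"""

def find_bypass_events(log_text):
    """Return one dict per matching message, in log order."""
    events = []
    for m in BYPASS_RE.finditer(log_text):
        events.append({
            "ts": m.group("ts"),
            "nas": m.group("nas"),
            # The "User" field holds the host typed at the prompt.
            "target": m.group("target").rstrip(".").lower(),
        })
    return events

def summarize(events):
    """Group events by target host: hit count and reporting devices."""
    hits = defaultdict(lambda: {"count": 0, "nas": set(), "first": None})
    for ev in events:
        entry = hits[ev["target"]]
        entry["count"] += 1
        entry["nas"].add(ev["nas"])
        entry["first"] = entry["first"] or ev["ts"]
    return {t: {**e, "nas": sorted(e["nas"])} for t, e in hits.items()}

if __name__ == "__main__":
    for target, info in summarize(find_bypass_events(SAMPLE_LOG)).items():
        print(target, info["count"], info["nas"], "first seen", info["first"])
```

Since the message reports a denial that did not take effect, each hit should be checked against the session table on the reporting device rather than dismissed as a blocked attempt.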
This version has been found vulnerable:
Equipment: US Robotics/3Com Total Control Chassis
Card: Netserver PRI
OS: Total Control (tm) NETServer Card V.34/ISDN with Frame Relay V3.7.24
This problem does not exist on earlier versions; specifically, we have tried
Total Control (tm) NETServer Card V.34/ISDN with Frame Relay V3.6.22
Affected Products:
- 3Com Total Control NETServer Card 3.7.24