Bugtraq mailing list archives

Re: TB2 Pro sending NT passwords cleartext


From: tbenzion () NETOPIA COM (tbenzion () NETOPIA COM)
Date: Tue, 11 Apr 2000 23:23:47 -0000


My name is Tal Benzion and I'm on the product management team for Timbuktu
Pro at Netopia.  I'm writing you in regards to your latest cleartext posting
about Timbuktu cleartext vulnerabilities on security focus.

Although Timbuktu Pro has always encrypted the passwords used to actually
authenticate the remote control session,
prior versions did not encrypt the remote control data stream
because Netopia's proprietary graphic protocol is complicated
enough to prohibit the decoding and display of data.  However,
since data typed during the remote control session was only hidden
to the extent that the keystrokes were randomly commingled with
other upstream data, these keystrokes were, technically, clear text,
and a potential security hole.

Netopia has now added a security enhancement, available in the current
release of the Timbuktu Pro Enterprise Edition as well as Timbuktu Pro 2000,
which dynamically scrambles and encodes all keyboard and mouse data that is
sent from the guest to the host machine on a per session basis.  Based on
customer feedback regarding performance, complexity and the cost issues of
implementing full standards based PKI security solutions, we believe that
our current solution offers the best balance between security and
performance at the application level.  Our position has always been that a
proper encryption program focuses on all transmissions across the network
and that in the long run customers are better served to implement an
umbrella encryption strategy.

As with all aspects of the Enterprise suite, we
remain committed to continuing improvement, and are working with
various security vendors to develop ways to simplify the deployment
and maintenance of an even more comprehensive security solution.

Regards,

Tal Benzion

It also, last I checked, used UDP, so it is certainly not "fully compatible
with any third party LAN based encryption scheme" - can you say SSH?

Bill

David Masten wrote:

> Timbuktu Pro 32 (TB2) from Netopia sends user IDs and passwords in clear
> text.
>
> When TB2 is used to remote control a machine that is not logged in or is
> locked, any user ID and password that is typed in is sent in clear text. A
> malicious user on the network can "sniff" the packets and gain the NT User
> IDs and passwords of anyone using TB2 to remotely control an NT machine.
>
> Versions Tested:
> Timbuktu Pro 32 2.0 build 650
> Timbuktu Pro 32 3.0 build 30759
>
> Vendor Status: Vendor has been notified and either does not appear willing
> to correct, or does not understand the implications.
>
> Exploit:
> 1. Start your favorite sniffer on the same network segment as either the
> controlled machine or the controlling machine.
> 2. Remote control an NT machine that is either locked or not logged in.
> 3. Log in to that machine.
> 4. Stop the sniffer.
> 5. Search the sniffer output file for TCP packets to the controlled machine
> on port 1417, having a data length of 7, and containing the hex sequence 05
> 00 3E in the first three bytes of data. The fourth byte is the upper case of
> the letter that was typed.
>
> Workaround:
> 1. Do not use TB2 to control machines that are not logged in.
> 2. (From Netopia) "One possible solution, depending on your environment,
> might include establishing a VPN. Since Timbuktu Pro is a set of services
> that runs on top of the protocol layer, it is fully compatible with any
> third party LAN based encryption schemes (Virtual Private Networks) or
> connection protocols such as PPTP" (I do not see this as a viable solution
> for their current target market, which is firms needing to centralize IT
> staff while maintaining de-centralized systems.)
>
> David Masten
> DM InfoSec
> dmasten () dminfosec com
> 440-725-1401
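The packet signature in step 5 of the quoted report (TCP to port 1417, a 7-byte payload beginning 05 00 3E) is also what a network defender can watch for to find remote-control sessions that are still sending keystrokes unprotected. The following is an added example, not code from the thread or from Netopia: it matches that signature over a constructed list of packet records and counts hits per guest/host pair, without decoding the keystroke byte. The packet layout and addresses are assumptions for illustration.

```python
# Added example: flag Timbuktu Pro packets matching the cleartext keystroke
# signature from the report (dst port 1417, payload length 7, prefix 05 00 3E).
# Packet records below are constructed sample data, not real captures.
from dataclasses import dataclass

TIMBUKTU_PORT = 1417                  # TCP port named in the report
KEYSTROKE_PREFIX = b"\x05\x00\x3e"    # first three data bytes per the report
KEYSTROKE_LEN = 7                     # data length per the report


@dataclass
class Packet:
    src: str        # guest (controlling) machine, hypothetical address
    dst: str        # host (controlled) machine, hypothetical address
    dst_port: int
    payload: bytes  # TCP data only


def is_cleartext_keystroke(pkt: Packet) -> bool:
    """True if the packet matches the cleartext keystroke signature."""
    return (pkt.dst_port == TIMBUKTU_PORT
            and len(pkt.payload) == KEYSTROKE_LEN
            and pkt.payload.startswith(KEYSTROKE_PREFIX))


def keystroke_leak_report(packets):
    """Count matching packets per (guest, host) pair so an operator can see
    which sessions are typing over the wire unprotected. The keystroke byte
    itself is deliberately not extracted or logged."""
    counts = {}
    for p in packets:
        if is_cleartext_keystroke(p):
            key = (p.src, p.dst)
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic: two keystroke packets from one session, plus
# three packets that must not match (other TB2 data, wrong length, wrong port).
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.9", 1417, b"\x05\x00\x3eP\x00\x00\x00"),
    Packet("10.0.0.5", "10.0.0.9", 1417, b"\x05\x00\x3eA\x00\x00\x00"),
    Packet("10.0.0.5", "10.0.0.9", 1417, b"\x01\x02\x03\x04\x05\x06\x07"),
    Packet("10.0.0.5", "10.0.0.9", 1417, b"\x05\x00\x3e" + b"\x00" * 10),
    Packet("10.0.0.7", "10.0.0.9", 80, b"\x05\x00\x3eG\x00\x00\x00"),
]

if __name__ == "__main__":
    for (guest, host), n in keystroke_leak_report(SAMPLE).items():
        print(f"{guest} -> {host}: {n} cleartext keystroke packet(s)")
```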