Bugtraq mailing list archives
Re: TB2 Pro sending NT passwords cleartext
From: tbenzion () NETOPIA COM (tbenzion () NETOPIA COM)
Date: Tue, 11 Apr 2000 23:23:47 -0000
My name is Tal Benzion and I'm on the product management team for Timbuktu Pro at Netopia. I'm writing you in regard to your latest cleartext posting about Timbuktu cleartext vulnerabilities on SecurityFocus.

Although Timbuktu Pro has always encrypted the passwords used to actually authenticate the remote control session, prior versions did not encrypt the remote control data stream because Netopia's proprietary graphic protocol is complicated enough to prohibit the decoding and display of data. However, since data typed during the remote control session was only hidden to the extent that the keystrokes were randomly commingled with other upstream data, these keystrokes were, technically, clear text, and a potential security hole.

Netopia has now added a security enhancement, available in the current release of the Timbuktu Pro Enterprise Edition as well as Timbuktu Pro 2000, which dynamically scrambles and encodes all keyboard and mouse data that is sent from the guest to the host machine on a per-session basis.

Based on customer feedback regarding performance, complexity and the cost issues of implementing full standards-based PKI security solutions, we believe that our current solution offers the best balance between security and performance at the application level. Our position has always been that a proper encryption program focuses on all transmissions across the network and that in the long run customers are better served to implement an umbrella encryption strategy. As with all aspects of the Enterprise suite, we remain committed to continuing improvement, and are working with various security vendors to develop ways to simplify the deployment and maintenance of an even more comprehensive security solution.

Regards,
Tal Benzion

It also, last I checked, used UDP, so it is certainly not "fully compatible with any third party LAN based encryption scheme" - can you say SSH.

Bill

David Masten wrote:

> Timbuktu Pro 32 (TB2) from Netopia sends user IDs and passwords in clear text.
>
> When TB2 is used to remote control a machine that is not logged in or is locked, any user ID and password that is typed in is sent in clear text. A malicious user on the network can "sniff" the packets and gain the NT user IDs and passwords of anyone using TB2 to remotely control an NT machine.
>
> Versions Tested:
> Timbuktu Pro 32 2.0 build 650
> Timbuktu Pro 32 3.0 build 30759
>
> Vendor Status: Vendor has been notified and either does not appear willing to correct, or does not understand the implications.
>
> Exploit:
> 1. Start your favorite sniffer on the same network segment as either the controlled machine or the controlling machine.
> 2. Remote control an NT machine that is either locked or not logged in.
> 3. Log in to that machine.
> 4. Stop the sniffer.
> 5. Search the sniffer output file for TCP packets to the controlled machine on port 1417, having a data length of 7, and containing the hex sequence 05 00 3E in the first three bytes of data. The fourth byte is the upper case of the letter that was typed.
>
> Workaround:
> 1. Do not use TB2 to control machines that are not logged in.
> 2. (From Netopia) "One possible solution, depending on your environment, might include establishing a VPN. Since Timbuktu Pro is a set of services that runs on top of the protocol layer, it is fully compatible with any third party LAN based encryption schemes (Virtual Private Networks) or connection protocols such as PPTP" (I do not see this as a viable solution for their current target market, which is firms needing to centralize IT staff while maintaining de-centralized systems.)
>
> David Masten
> DM InfoSec
> dmasten () dminfosec com
> 440-725-1401
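As an added example (not code from either poster or from Netopia), the signature quoted above can be turned into a simple triage check: scan captured TCP packets for the unencrypted TB2 keystroke pattern (port 1417, 7-byte payload, leading 05 00 3E) and report which guest hosts are still running a pre-fix build so they can be upgraded or moved behind a VPN. The packet dictionary shape and the addresses are constructed for the example; the typed character itself is deliberately not decoded, only the presence of the pattern is counted.

```python
"""Flag unencrypted Timbuktu Pro keystroke packets so the sending hosts can be
upgraded. Added example for the thread above; not part of the original posts."""
from collections import Counter

TB2_PORT = 1417                       # port named in the advisory
KEY_PREFIX = bytes.fromhex("05003e")  # first three payload bytes named in the advisory
KEY_LEN = 7                           # payload length named in the advisory


def is_cleartext_keystroke(dport: int, payload: bytes) -> bool:
    """True when a TCP payload matches the advisory's keystroke signature."""
    return dport == TB2_PORT and len(payload) == KEY_LEN and payload[:3] == KEY_PREFIX


def hosts_sending_cleartext(packets):
    """Count matching packets per (guest, host) pair.

    Each packet is a dict with 'src', 'dst', 'dport' and 'payload'; this shape is
    an assumption of the example (a real tool would fill it from a pcap reader).
    """
    counts = Counter()
    for p in packets:
        if is_cleartext_keystroke(p["dport"], p["payload"]):
            counts[(p["src"], p["dst"])] += 1
    return counts


# Constructed sample traffic with hypothetical addresses. Two packets match the
# signature, one is other TB2 data, one is on the wrong port, one has the wrong length.
SAMPLE = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 1417, "payload": bytes.fromhex("05003e41000000")},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 1417, "payload": bytes.fromhex("05003e42000000")},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 1417, "payload": bytes.fromhex("01020304050607")},
    {"src": "10.0.0.7", "dst": "10.0.0.9", "dport": 80,   "payload": bytes.fromhex("05003e43000000")},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 1417, "payload": bytes.fromhex("05003e44")},
]

if __name__ == "__main__":
    for (guest, host), n in hosts_sending_cleartext(SAMPLE).items():
        print(f"{guest} -> {host}: {n} cleartext keystroke packet(s); upgrade the guest")
```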
Current thread:
- Re: TB2 Pro sending NT passwords cleartext tbenzion () NETOPIA COM (Apr 11)
- Re: TB2 Pro sending NT passwords cleartext Dan Kaminsky (Apr 11)
- BizDB Search Script Enables Shell Command Execution at the Server Black Watch Labs (Apr 12)
- RFP2K02: "Netscape engineers are weenies!" rain forest puppy (Apr 14)