Re: TB2 Pro sending NT passwords cleartext

[bhusler () PACBELL NET (William J Husler)]

It also, last I check, used UDP, so it is certainly not "fully compatible with
any third party LAN based encryption scheme" - can you say SSH.
Bill

David Masten wrote:

> Timbuktu Pro 32 (TB2)from Netopia sends user IDs and passwords in clear
> text.
>
> When TB2 is used to remote control a machine that is not logged in or is
> locked, any user ID and password that is typed in is sent in clear text. A
> malicious user on the network can "sniff" the packets and gain the NT User
> IDs and passwords of any one using TB2 to remotely control a NT machine.
>
> Versions Tested:
> Timbuktu Pro 32 2.0 build 650
> Timbuktu Pro 32 3.0 build 30759
>
> Vendor Status: Vendor has been notified and either does not appear willing
> to correct, or does not understand the implications.
>
> Exploit:
> 1. Start your favorite sniffer on the same network segment as either the
> controlled machine or the controlling machine.
> 2. Remote control an NT machine that is either locked or not logged in.
> 3. Log in to that machine.
> 4. Stop the sniffer
> 5. Search the sniffer output file for TCP packets to the controlled machine
> on port 1417, having a data length of 7, and containing the hex sequence 05
> 00 3E in the first three bytes of data. The fourth byte is the upper case of
> the letter that was typed.
>
> Workaround:
> 1. Do not use TB2 to control machines that are not logged in.
> 2. (From Netopia) "One possible solution, depending on your environment,
> might include establishing a VPN. Since Timbuktu Pro is a set of services
> that runs on top of the protocol layer, it is fully compatible with any
> third party LAN based encryption schemes (Virtual Private Networks) or
> connection protocols such as PPTP" (I do not see this as a viable solution
> for their current target market, which is firms needing to centralize IT
> staff while maintaining de-centralized systems.)
>
> David Masten
> DM InfoSec
> dmasten () dminfosec com
> 440-725-1401