Telnet Client NTLM Authentication Vulnerability
The telnet client that ships with Microsoft® Windows 2000 contains a security vulnerability that could allow a malicious user to obtain cryptographically protected logon credentials from another user.
Issue
Windows 2000 includes a telnet client capable of using NTLM authentication when connecting to a remote NTLM-enabled telnet server. A vulnerability exists because the client will, by default, perform NTLM authentication when connecting to the remote telnet server. This could allow a malicious user to obtain another user's NTLM authentication credentials without the user's knowledge.
A malicious user could exploit this behavior by creating a carefully crafted HTML document that, when opened, could attempt to initiate a Telnet session to a rogue telnet server, automatically passing NTLM authentication credentials to the malicious server's owner. The malicious user could then use an offline brute force attack to derive the password or, with specialized tools, could submit a variant of these credentials in an attempt to access protected resources.
This vulnerability would only provide the malicious user with the cryptographically protected NTLM authentication credentials of another user. It would not, by itself, allow a malicious user to gain control of another user's computer. In order to leverage the NTLM credentials (or subsequently cracked password), the malicious user would have to be able to remotely log on to the target system.
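A defender-side check for the delivery path described above, added here as an example and not part of the Microsoft bulletin: it scans an HTML document for telnet: URL references and marks those in elements that load without a click. It assumes the session is started through a telnet: URL; the attribute and tag lists, the hostnames and the sample document are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that can carry a URL (assumed list for this example).
URL_ATTRS = {"href", "src", "action", "data", "background", "content"}
# Tags whose URL is loaded when the document opens, with no click (assumed list).
AUTO_TAGS = {"img", "iframe", "frame", "embed", "object", "body", "meta", "script", "link"}


class TelnetRefFinder(HTMLParser):
    """Collects (tag, target, loads_without_click) for every telnet: URL."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            if name == "content":
                # <meta http-equiv="refresh" content="0; url=...">: keep the URL part.
                value = value.partition("=")[2].strip("'\" ")
            try:
                # Remove embedded whitespace before parsing the URL.
                url = urlsplit("".join(value.split()))
            except ValueError:
                continue  # malformed URL, nothing to classify
            if url.scheme == "telnet":
                target = url.netloc or url.path
                self.findings.append((tag, target, tag in AUTO_TAGS))


def scan_html(text):
    finder = TelnetRefFinder()
    finder.feed(text)
    finder.close()
    return finder.findings


# Constructed sample document; hostnames use the reserved .test TLD.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="0; url=telnet://rogue.example.test:2323">
</head><body>
<iframe src="telnet://rogue.example.test"></iframe>
<a href="TELNET://bbs.example.test:23">connect</a>
<img src="https://www.example.test/logo.png">
</body></html>"""

if __name__ == "__main__":
    for tag, target, auto in scan_html(SAMPLE):
        print(f"<{tag}> -> {target} ({'auto-load' if auto else 'needs click'})")
```

References flagged as loading without a click are the ones that match the "when opened" behavior in the bulletin and are the natural candidates for quarantine at a mail or web gateway.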
Affected Products
- Microsoft Windows 2000
Download
Patch: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24399
Further Details
Source: Microsoft Corporation
Reference: Microsoft Corporation
Updated: September 21, 2000