[13415] in bugtraq


Re: TB2 Pro sending NT passwords cleartext

daemon@ATHENA.MIT.EDU (William J Husler)
Tue Jan 18 17:11:38 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-mac-type="54455854";
              x-mac-creator="4D4F5353"
Content-Transfer-Encoding: 7bit
Message-Id:  <3883BB92.4A372576@pacbell.net>
Date:         Mon, 17 Jan 2000 17:02:16 -0800
Reply-To: BHusler@PacBell.net
From: William J Husler <bhusler@PACBELL.NET>
X-To:         David Masten <dmasten@dminfosec.com>
To: BUGTRAQ@SECURITYFOCUS.COM

It also, last I checked, used UDP, so it is certainly not "fully compatible with
any third party LAN based encryption scheme" - can you say SSH.
Bill

David Masten wrote:

> Timbuktu Pro 32 (TB2) from Netopia sends user IDs and passwords in clear
> text.
>
> When TB2 is used to remote control a machine that is not logged in or is
> locked, any user ID and password that is typed in is sent in clear text. A
> malicious user on the network can "sniff" the packets and gain the NT User
> IDs and passwords of anyone using TB2 to remotely control an NT machine.
>
> Versions Tested:
> Timbuktu Pro 32 2.0 build 650
> Timbuktu Pro 32 3.0 build 30759
>
> Vendor Status: Vendor has been notified and either does not appear willing
> to correct, or does not understand the implications.
>
> Exploit:
> 1. Start your favorite sniffer on the same network segment as either the
> controlled machine or the controlling machine.
> 2. Remote control an NT machine that is either locked or not logged in.
> 3. Log in to that machine.
> 4. Stop the sniffer.
> 5. Search the sniffer output file for TCP packets to the controlled machine
> on port 1417, having a data length of 7, and containing the hex sequence 05
> 00 3E in the first three bytes of data. The fourth byte is the upper case of
> the letter that was typed.
>
> Workaround:
> 1. Do not use TB2 to control machines that are not logged in.
> 2. (From Netopia) "One possible solution, depending on your environment,
> might include establishing a VPN. Since Timbuktu Pro is a set of services
> that runs on top of the protocol layer, it is fully compatible with any
> third party LAN based encryption schemes (Virtual Private Networks) or
> connection protocols such as PPTP" (I do not see this as a viable solution
> for their current target market, which is firms needing to centralize IT
> staff while maintaining de-centralized systems.)
>
> David Masten
> DM InfoSec
> dmasten@dminfosec.com
> 440-725-1401

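For a defender auditing their own segment, the packet signature David gives (TCP to port 1417, data length 7, leading bytes 05 00 3E, fourth byte an upper-case letter) is enough to find sessions in which a TB2 logon crossed the wire in cleartext, so those hosts can be moved behind the VPN workaround or kept logged in. The following is an added example, not code from either post or from Netopia; the packet record fields (src, dst, dport, payload) are an assumption rather than any sniffer's output format, and only counts are kept, never the typed characters.

```python
# Constructed example: flag Timbuktu Pro 32 (TB2) keystroke packets in a capture
# so that (controller, controlled) pairs exposing NT credentials can be found.
# Packet records are constructed inline; their field names are an assumption.
from collections import Counter

TB2_PORT = 1417                      # TCP port on the controlled machine per the post
KEYSTROKE_PREFIX = b"\x05\x00\x3e"   # first three data bytes of a keystroke packet
KEYSTROKE_LEN = 7                    # data length of a keystroke packet per the post


def is_tb2_keystroke(dport, payload):
    """True if a TCP segment matches the keystroke signature described in the post."""
    return (dport == TB2_PORT
            and len(payload) == KEYSTROKE_LEN
            and payload[:3] == KEYSTROKE_PREFIX
            and 0x41 <= payload[3] <= 0x5A)  # fourth byte: upper-case letter typed


def exposed_sessions(packets):
    """Count keystroke packets per (controller, controlled) address pair.

    A nonzero count means someone typed into a remote-controlled machine over
    TB2 on this segment, i.e. a logon may have crossed the wire in cleartext.
    The typed characters are deliberately not reassembled.
    """
    counts = Counter()
    for pkt in packets:
        if is_tb2_keystroke(pkt["dport"], pkt["payload"]):
            counts[(pkt["src"], pkt["dst"])] += 1
    return dict(counts)


# Constructed sample capture: three keystroke packets in one TB2 session, one
# larger non-keystroke TB2 packet on the same port, and an unrelated HTTP segment.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.20", "dport": 1417, "payload": b"\x05\x00\x3eJ\x00\x00\x00"},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "dport": 1417, "payload": b"\x05\x00\x3eQ\x00\x00\x00"},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "dport": 1417, "payload": b"\x05\x00\x3eX\x00\x00\x00"},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "dport": 1417, "payload": b"\x12\x00\x01" + bytes(40)},
    {"src": "10.0.0.7", "dst": "10.0.0.20", "dport": 80,   "payload": b"GET / HTTP/1.0\r\n\r\n"},
]

if __name__ == "__main__":
    for (src, dst), n in exposed_sessions(SAMPLE_PACKETS).items():
        print(f"{src} -> {dst}: {n} TB2 keystroke packets (possible cleartext NT logon)")
```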