[16807] in bugtraq
Re: Win2k Telnet.exe malicious server vulnerability
daemon@ATHENA.MIT.EDU (J Edgar Hoover)
Mon Sep 18 12:30:54 2000
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.BSF.4.21.0009180529510.1430-100000@totally.righteous.net>
Date: Mon, 18 Sep 2000 05:46:04 -0700
Reply-To: J Edgar Hoover <zorch@RIGHTEOUS.NET>
From: J Edgar Hoover <zorch@RIGHTEOUS.NET>
X-To: Bronek Kozicki <brok@RUBIKON.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <005301c01f40$4341d610$9e03a8c0@bronek>
On Fri, 15 Sep 2000, Bronek Kozicki wrote:
> From: "Ryagin Mihail Yurevitch" <ryagin@EXTRIM.RU>
>
> > The problem is far more general than within single poor configuration
> > defaults in telnet.exe.
> > The main problem is that Windows automatically supplies user credentials in
> > many situations without ever asking for his opinion.
>
> That's why, exactly, you do not pass NetBIOS through your firewall -
> incoming as well as _outgoing_ traffic.
Ahh, but it doesn't stop there...
w2k with ie also likes to exchange kerberos keys with foreign web
servers.
I noticed this while trying to disable the "autosearch" spyware
in ie. If you type a URL that fails lookup, ie does a search at
auto.search.msn.com. Yes, ie has a button to 'disable' this, but when I
tried that, it was still sending data to msn. The only fix I've found was
to wall off *.search.msn.com.
While you are at it, wall off LDAP too... or just play it safe and not let
any traffic on ports <1024 in or out of the windows network.
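
The boundary rule suggested in this message, written as an audit over flow records (an added example, not part of the original post). The internal range, the `src dst proto dport` record format and the sample flows are assumptions constructed for illustration; the port numbers are the well-known ones for the services named in the thread.

```python
import ipaddress

# Assumption: address range of the internal Windows network (constructed).
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")

# Services named in the thread, keyed by their well-known ports.
NAMED_PORTS = {88: "Kerberos", 137: "NetBIOS name", 138: "NetBIOS datagram",
               139: "NetBIOS session", 389: "LDAP"}

def classify(src, dst, dport):
    """Return a finding for a flow that crosses the network edge, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_in, dst_in = s in INTERNAL_NET, d in INTERNAL_NET
    if src_in == dst_in:
        return None  # purely internal or purely external: not at the boundary
    direction = "outbound" if src_in else "inbound"
    if dport in NAMED_PORTS:
        return f"{direction} {NAMED_PORTS[dport]} ({dport})"
    if dport < 1024:
        return f"{direction} privileged port {dport}"
    return None

def audit(lines):
    """Parse 'src dst proto dport' records and return (line, finding) pairs."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4 or line.startswith("#"):
            continue
        src, dst, _proto, dport = fields
        try:
            finding = classify(src, dst, int(dport))
        except ValueError:
            continue  # malformed address or port
        if finding:
            findings.append((line, finding))
    return findings

# Constructed sample flows; external hosts use documentation address ranges.
SAMPLE = [
    "192.168.3.158 203.0.113.10 tcp 139",
    "192.168.3.158 203.0.113.10 tcp 88",
    "192.168.3.20 192.168.3.1 tcp 389",
    "192.168.3.20 198.51.100.7 tcp 8080",
    "198.51.100.7 192.168.3.20 udp 137",
    "192.168.3.20 198.51.100.7 tcp 80",
]

if __name__ == "__main__":
    for line, finding in audit(SAMPLE):
        print(f"{finding:32} {line}")
```

The last sample flow shows the cost of the strict "ports <1024" rule: ordinary outbound web traffic on port 80 is flagged along with the credential-bearing protocols.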