SAINT Corporation
ID: SAINT:F2028274422B33C3B3593C2FF4BA5A0B
Aug 12, 2009 - 12:00 a.m.

Windows Telnet credential reflection

download.saintcorporation.com

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.328 Low
Percentile: 96.6%

Added: 08/12/2009
CVE: CVE-2009-1930
BID: 35993
OSVDB: 56904

Background

Microsoft Windows operating systems come with a telnet service. This service prompts a user to provide a login name and password. Following successful authentication, the server displays a shell prompt, allowing the user to run commands on the server.

Problem

There is a credential reflection vulnerability in the Windows telnet service. When a user connects to a telnet server, the authentication information sent by the user’s system can be used by the telnet server to log into the user’s system.

Resolution

Apply the patch referenced in Microsoft Security Bulletin MS09-042.

References

<http://www.microsoft.com/technet/security/bulletin/ms09-042.mspx>

Limitations

The exploit works on Windows XP SP3 and requires a user to load the exploit page in a web browser. After loading the page, the target user will get a security prompt warning that the user’s name and password will be sent for authentication. The target user must choose “yes” at this security prompt.

The logged-on user on the target must have administrator privileges.

“Simple file sharing” must be disabled on the target.

The user’s browser must have the telnet scheme enabled. This is not the case by default in Internet Explorer 7 and 8. To enable the telnet scheme, create the following registry value:

> Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_TELNET_PROTOCOL
> Value: iexplore.exe
> Type: REG_DWORD
> Data: 0

(If the telnet scheme is disabled, the exploit can also be triggered by running the telnet command from the command prompt.)
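
Because that registry value removes a default protection, it is worth auditing for on managed hosts. The PowerShell below is an added example, not part of the SAINT advisory or its exploit; it reads the value named above and reports whether the telnet scheme has been switched on for Internet Explorer. The function name `Get-TelnetSchemeState` and the state labels are hypothetical, and treating data 1 as the disabled state is an assumption (the page only documents data 0).

```powershell
# Added example: audits the registry value named in the advisory.
# Get-TelnetSchemeState is a hypothetical helper name.
function Get-TelnetSchemeState {
    [CmdletBinding()]
    param(
        # Value names (process names) to check under the feature-control key.
        [string[]]$ProcessName = @('iexplore.exe')
    )

    $path = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_TELNET_PROTOCOL'
    # Returns $null when the key does not exist on this host.
    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue

    foreach ($name in $ProcessName) {
        $state = 'DefaultNotSet'   # value absent: the browser default applies
        $data  = $null
        $kind  = $null

        if ($key -and ($key.GetValueNames() -contains $name)) {
            $data = $key.GetValue($name)
            $kind = $key.GetValueKind($name)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                $state = 'UnexpectedType'
            } elseif ($data -eq 0) {
                $state = 'TelnetSchemeEnabled'    # the setting described above
            } elseif ($data -eq 1) {
                $state = 'TelnetSchemeDisabled'   # assumption: 1 keeps it off
            } else {
                $state = 'UnexpectedData'
            }
        }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Process  = $name
            Kind     = $kind
            Data     = $data
            State    = $state
        }
    }
}

# Report only the cases where the telnet scheme has been switched on.
Get-TelnetSchemeState | Where-Object State -eq 'TelnetSchemeEnabled'
```

A host that reports `TelnetSchemeEnabled` has had the Internet Explorer 7/8 default changed and should be checked for the MS09-042 patch first.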

The Crypt::DES, Digest::MD4, and Digest::MD5 packages are required for this exploit to run. These packages are available from <http://cpan.org/modules/by-module/>.

Platforms

Windows XP
