Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Win2k Telnet.exe malicious server vulnerability
From: Microsoft Security Response Center <secure () MICROSOFT COM>
Date: Thu, 14 Sep 2000 08:04:54 -0700


As Eric mentioned in his note below, we will be delivering a patch
and security bulletin shortly that will eliminate this vulnerability.
 Specifically, the patch will enable the user to specify whether
Telnet should participate in NTLM authentication, based on the IE
security zone that the Telnet server resides in.

However, customers who are concerned about this vulnerability already
have the means to globally disable NTLM authentication for all Telnet
sessions.  Here's how:
 - Open a command prompt, type "telnet" and hit enter.
 - At the Telnet prompt, type "unset ntlm" and hit enter.
 - Type "quit" to save your changes and exit Telnet.

To verify that NTLM authentication is disabled, do the following:
 - Open a command prompt, type "telnet" and hit enter.
 - At the Telnet prompt, type "display" and hit enter.
 - Read the response to the "display" command.  If you
   see "Will auth (NTLM authentication", it means that Telnet
   *will* participate in NTLM authentication.  If you see
   "Won't auth (NTLM authentication)", it means that Telnet
   will *not* participate in NTLM authentication.

Please note that this vulnerability only affects the Windows 2000
Telnet client.  No other Microsoft Telnet client participates in NTLM
authentication under any conditions.  Regards,

Scott Culp
Security Program Manager
Microsoft Security Response Center

- -----Original Message-----
From: Microsoft Security Response Center
Sent: Thursday, September 14, 2000 2:34 AM
Cc: Microsoft Security Response Center
Subject: RE: Win2k Telnet.exe malicious server vulnerability


Weld Pond and Dildog of @Stake Inc. reported this vulnerability to
Microsoft August 1st and have been working with Microsoft since that
time to develop a patch and an advisory.  Their commitment to vendor
notification, responsible reporting and the protection of customer's
assets with respect to this and other investigations has been beyond

Microsoft has developed and @Stake has tested a patch for this
vulnerability.  The patch is undergoing final packaging and should be
ready for release as a security bulletin by end of the day Thursday,
September 14.  The security bulletin will be posted to the
Microsoft.com/security web site, will be sent to members of the
Microsoft Security Notification Mailing list, and will be submitted
to various security-related mailing lists.  The patch will be hosted
on the Microsoft download center - the URL will be included as part
of the security bulletin.

With regard to "Monti's" post on this topic:

Monti contacted Microsoft on August 7th with details of this
vulnerability. Monti informed us that he was planning to release the
vulnerability to Bugtraq (with exploit code) and would proceed with
his plan should he fail to hear back from Microsoft within one week's
time.  He also stated that he would postpone his release if Microsoft
provided reasonable explanation for needing additional time to
provide a patch.  Nowhere in his email did he mention a three-week
timeframe as he claims in his advisory.

Microsoft responded to Monti on August 7th, thanked him for his
email, and informed him that we had received this issue from another
party and had already opened an investigation.  We stated we would
keep him in the loop with regards to patch availability, provided him
with a tracking number, and encouraged him to contact us should he
have any questions on the investigation.

Monti replied on August 8th, asking for an ETA on a patch.  We
responded to Monti on August 8th, stating: " I don't have an ETA at
the moment -- we only learned of the issue last week, and we do need
to make sure we've done our due diligence and understand the solution
thoroughly.  It's a slower process than we'd like, but when you
consider the millions of customers' machines that are affected by any
change we make, it's pretty clear that we need to be very careful
about our engineering and testing.  I'll definitely keep you in the
loop as we go forward, though, and please feel free to ping me as
needed for status information.  Sound OK?"

We never heard back from Monti.

Microsoft remains committed to protecting its customers.  We answer
every inquiry sent to Secure () Microsoft com   Each person submitting a
vulnerability report to Microsoft is given a tracking number and is
encouraged to contact us anytime they'd like to discuss the
investigation.  Most individuals are willing to work us within this
framework.  Others, as Monti has demonstrated, are more concerned
about building their own reputation (and unnecessarily putting users
at risk) than they are about checking with us on the status of an

In closing, we applaud the relationship we've had with @Stake on this
and prior Microsoft security investigations.  Their respect for
protecting our mutual customers is something that should be emulated
by all individuals involved in the vulnerability reporting and
disclosure process.


Eric Schultze
Security Program Manager
Microsoft Security Response Center

Version: PGP Personal Privacy 6.5.3


Version: PGP Personal Privacy 6.5.3


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]