Windows Telnet credential reflection
Added: 08/12/2009
CVE: CVE-2009-1930
BID: 35993
OSVDB: 56904
Background
Microsoft Windows operating systems ship with a Telnet service. The service prompts the connecting user for a login name and password; after successful authentication it presents a shell prompt, allowing the user to run commands on the server.

Problem
The Windows Telnet service is vulnerable to credential reflection. When a user connects to a Telnet server, the NTLM authentication data sent by the user's system can be turned against that system: a malicious Telnet server opens a connection back to the user's machine, forwards the challenge it receives from that machine to the user's Telnet client, and relays the client's response to log in to the user's own system with the user's credentials.

Resolution
Apply the patch referenced in Microsoft Security Bulletin MS09-042.

References
http://www.microsoft.com/technet/security/bulletin/ms09-042.mspx

Limitations
The exploit works on Windows XP SP3 and requires the target user to load the exploit page in a web browser. After loading the page, the target user receives a security prompt warning that their user name and password will be sent for authentication; the target user must choose "Yes" at this prompt.
The logged-on user on the target must have administrator privileges.
"Simple file sharing" on the target must be disabled.
The user's browser must have the telnet: URL scheme enabled. This is not the case by default in Internet Explorer 7 and 8. To enable the telnet scheme, create the following registry value:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_TELNET_PROTOCOL
Value: iexplore.exe
Type: REG_DWORD
Data: 0
(If the telnet scheme is disabled, the exploit can also be triggered by running the telnet command from the command prompt.)
The Crypt::DES, Digest::MD4, and Digest::MD5 Perl modules are required for this exploit to run. They are available from CPAN at http://cpan.org/modules/by-module/.
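The reflection described under Problem, worked through as a simulated exchange between the victim host and a malicious Telnet server. This is an added illustration, not this page's exploit code and not Microsoft's implementation. The real NTLM response is an MD4 hash of the password fed into three DES encryptions of the 8-byte server challenge (which is why the exploit above needs Crypt::DES and Digest::MD4); here that computation is replaced by an HMAC stand-in so the example runs with the Python standard library alone. The account name, the sample secret and the reject_own_challenges countermeasure are assumptions made for the illustration.

```python
"""Credential reflection, simulated.  Added illustration: not the exploit from
this page and not Windows' own code.  The NTLM response function (MD4 NT hash,
three DES encryptions of the 8-byte server challenge) is replaced by an HMAC
stand-in; the property that matters is the same: the response is bound to the
user's secret and the challenge, but not to the identity of the server that
issued the challenge."""
import hashlib
import hmac
import os
from typing import Optional


def make_response(secret: bytes, challenge: bytes) -> bytes:
    """Stand-in for the NTLM challenge/response computation (assumption: HMAC
    replaces MD4+DES so the example runs with the standard library only)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class HostAuthenticator:
    """The authentication service of one machine.  Like the NTLM package on
    Windows it plays both roles: it issues challenges for inbound logons
    (server role) and answers challenges for outbound connections (client role)."""

    def __init__(self, user: str, secret: bytes, reject_own_challenges: bool = False):
        self.user = user
        self.secret = secret
        self.reject_own_challenges = reject_own_challenges
        self.issued = set()  # challenges this host handed out and has not yet consumed

    # server role
    def issue_challenge(self) -> bytes:
        challenge = os.urandom(8)  # NTLM uses an 8-byte server challenge
        self.issued.add(challenge)
        return challenge

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        """Accept a logon if the response matches our challenge for our account."""
        if user != self.user or challenge not in self.issued:
            return False
        self.issued.discard(challenge)  # each challenge is single use
        return hmac.compare_digest(make_response(self.secret, challenge), response)

    # client role
    def answer(self, challenge: bytes) -> Optional[bytes]:
        """Compute the response the client sends to a server that challenged it."""
        if self.reject_own_challenges and challenge in self.issued:
            # Countermeasure (assumption, modelled for the illustration): a host
            # that recognises the challenge as one it issued itself is being
            # reflected and refuses to answer.
            return None
        return make_response(self.secret, challenge)


def legitimate_logon(server: HostAuthenticator, client: HostAuthenticator) -> bool:
    """Normal flow: the client answers the server's challenge, the server verifies."""
    challenge = server.issue_challenge()
    response = client.answer(challenge)
    return response is not None and server.verify(client.user, challenge, response)


def reflection_attack(victim: HostAuthenticator) -> bool:
    """Malicious Telnet server, seen from the attacker's side.  Step 1, the
    victim's Telnet client connecting to us, is implicit."""
    # 2. Attacker opens a session back to the victim's own service, which
    #    issues a challenge as it would for any inbound logon.
    challenge = victim.issue_challenge()
    # 3. Attacker sends that very challenge to the victim's Telnet client as if
    #    it were the attacker's own.  The client answers with the logged-on
    #    user's credentials (the "send name and password" prompt on the page).
    response = victim.answer(challenge)
    if response is None:
        return False  # hardened host refused to answer its own challenge
    # 4. Attacker relays the response to the victim's service: it validates,
    #    because nothing in it says which server the user meant to log in to.
    return victim.verify(victim.user, challenge, response)


if __name__ == "__main__":
    secret = b"constructed-sample-secret"  # constructed sample, not a real credential
    print("reflection against unpatched host:", reflection_attack(HostAuthenticator("alice", secret)))
    print("reflection against hardened host:",
          reflection_attack(HostAuthenticator("alice", secret, reject_own_challenges=True)))
```

The point the simulation makes is why the security prompt on the page is the only thing standing between the user and a logon to their own machine: the client computes a valid response for whichever challenge it is handed, and the attacker never needs the password itself. The reject_own_challenges flag shows the generic shape of a fix, a host that will not answer a challenge it issued itself cannot be reflected against itself; whether that is exactly what the MS09-042 update does is not something this page states.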
Platforms
Windows XP