
Microsoft Windows 2000 Telnet server vulnerability

by phiber on June 9th, 2001

There is a buffer size checking related fault condition in the Microsoft Windows 2000 telnet server. This vulnerability is present only if the telnet service is running and plain-text logins are allowed (it does not apply to NTLM-based authentication).


Microsoft Telnet Server does range checking when reading a username,
dropping the connection if an excessively long line was sent to it. This mechanism fails if there are approximately 4300 or more characters in the input buffer already and ASCII code 127 (0x7f, backspace) arrives. This leads to a service crash (DoS condition).



When this condition occurs, 0x41414141 can be found in stack dumps.
Microsoft advised us this condition is not exploitable.
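The fault described above is a length check that holds on the normal input path but not once an erase character is processed. The following C reader is an added example, not code from the advisory or from Microsoft, showing the defensive shape: a single bounds check guards the only place that writes into the buffer, and the erase handler (DEL, 0x7f, or backspace) cannot push the length below zero or out of step with the check. The 4096-byte capacity is an assumption for the illustration; the real service's buffer sizes are not stated on this page. The input pattern used in run_pattern() (4500 'A's, one DEL, 100 'A's) is constructed to match the advisory's test script.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical line limit for this illustration; the advisory does not
 * state the real service's internal buffer sizes. */
#define LINE_CAPACITY 4096
#define DEL 0x7f   /* ASCII 127, the byte the advisory's test script sends */

/* Result codes for read_line(). */
enum { LINE_INCOMPLETE = -2, LINE_TOO_LONG = -1 };

/* Consume raw input bytes into a username buffer.
 * Returns the line length when a newline completes the line,
 * LINE_TOO_LONG when the line would exceed the buffer (the caller should
 * drop the connection), or LINE_INCOMPLETE if input ended without '\n'.
 * The length check sits on the one statement that writes into out[], so
 * erase handling and the check can never disagree about the position. */
int read_line(const unsigned char *in, size_t n, char *out, size_t out_sz)
{
    size_t len = 0;
    if (out_sz == 0) return LINE_TOO_LONG;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        if (c == DEL || c == '\b') {
            /* Erase one character; never let len wrap below zero. */
            if (len > 0) len--;
            continue;
        }
        if (c == '\r') continue;
        if (c == '\n') { out[len] = '\0'; return (int)len; }
        /* Reserve one byte for the terminator. */
        if (len + 1 >= out_sz) return LINE_TOO_LONG;
        out[len++] = (char)c;
    }
    return LINE_INCOMPLETE;
}

/* Build the advisory's input shape (prefix 'A's, optional DEL, suffix 'A's,
 * newline) and run it through read_line(). Constructed test data only. */
int run_pattern(size_t prefix, int with_del, size_t suffix)
{
    size_t n = prefix + (with_del ? 1 : 0) + suffix + 1;
    unsigned char *in = malloc(n);
    char out[LINE_CAPACITY];
    size_t p = 0;
    int r;
    if (!in) return LINE_INCOMPLETE;
    memset(in, 'A', prefix);
    p += prefix;
    if (with_del) in[p++] = DEL;
    memset(in + p, 'A', suffix);
    p += suffix;
    in[p++] = '\n';
    r = read_line(in, p, out, sizeof out);
    free(in);
    return r;
}

/* Run a short literal through read_line() and report whether the edited
 * result equals the expected text (1) or not (0). */
int edit_demo_equals(const char *raw, const char *expected)
{
    char out[64];
    int r = read_line((const unsigned char *)raw, strlen(raw), out, sizeof out);
    return r >= 0 && strcmp(out, expected) == 0;
}

int main(void)
{
    printf("4500 A, DEL, 100 A -> %d (LINE_TOO_LONG is %d)\n",
           run_pattern(4500, 1, 100), LINE_TOO_LONG);
    printf("\"root\" + DEL DEL + \"t\" edits to \"rot\": %d\n",
           edit_demo_equals("root\x7f\x7ft\n", "rot"));
    return 0;
}
```

The important property is that the overlong line is rejected before any byte is written past the buffer, whether or not an erase character appears in the stream, and that leading erase characters leave the buffer empty rather than wrapping the index.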



Vulnerability check:



- The following Linux bash script would test a telnet server for the
vulnerability:

- test.sh -

#!/bin/bash
# Sends 4500 'A' characters, one DEL byte (0x7f, ASCII 127), then 100
# more 'A's to the telnet service on victimbox. A vulnerable server
# crashes and drops the connection; a patched one simply rejects the line.
( sleep 1
  perl -e '{printf "%s\x7f%s","A"x4500,"A"x100}'
  sleep 3
) | telnet victimbox



Vendor response:



This vulnerability is addressed by the MS01-031 security bulletin and
Microsoft has issued a patch to correct the issue.



Microsoft's security bulletin:



http://www.microsoft.com/technet/security/bulletin/ms01-031.asp



Microsoft's Patch:



Windows 2000:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30508



Posted by Michal Zalewski ([email protected]) on the Bugtraq mailing list.

