Windows 2000 Professional contains a built-in telnet server. This server suffers from a vulnerability that allows malicious attackers to cause a Denial of Service attack against the machine (preventing legitimate connections).
Credit:
The information has been provided by Alexander Ivanchev.
Vulnerable systems:
Windows 2000 Professional with Service Pack 1
This Denial of Service can be demonstrated by telnetting to a machine running the specified version of the Telnet Service and waiting at the login/password prompt until a session timeout takes place. Note that even after the service times out the session, the daemon does not reset the connection until the user presses a key.
Since Windows 2000 Professional allows only one telnet connection per host, this will effectively disable access for the authorized user.
A related problem, which shows that the service does not fully recognize the timed-out connection, can be demonstrated by telnetting to the server after it has timed out a connection but not yet disconnected it.
The response from the server will be similar to:
~r?q?LL>HOSTNAME? HOSTNAME? HOSTNAME?hostname? hostname
Microsoft Windows Workstation allows only 1 Telnet Client License
Server has closed connection
Connection to host lost.
What makes this even more problematic is that the connection will not be shown in the telnet service connection list (since no username/password has been entered).
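Because the stuck connection is missing from the service's own connection list, an administrator has to find it at the TCP level instead. The following is an added example, not part of the original advisory: it parses `netstat -an` output and reports established connections to the telnet port whose remote address is not among the peers the service lists. The function name, the sample addresses and the way listed peers are supplied (a plain list of IP addresses) are assumptions; a peer that is still typing its credentials will also be reported, so only entries that persist are of interest.

```python
import re

TELNET_PORT = 23  # default Telnet Service port

# Matches rows of `netstat -an` output such as:
#   TCP    192.168.1.10:23    192.168.1.50:1045    ESTABLISHED
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def unlisted_telnet_peers(netstat_text, listed_peers, port=TELNET_PORT):
    """Return (remote_ip, remote_port) for each ESTABLISHED connection to the
    local telnet port whose remote address is absent from the service's own
    connection list, i.e. a peer that never got past the login prompt."""
    listed = set(listed_peers)
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line or non-TCP row
        _local_ip, local_port, remote_ip, remote_port, state = m.groups()
        # Only inbound sessions to the telnet port count; outbound telnet
        # connections made from this host have port 23 on the remote side.
        if int(local_port) != port or state != "ESTABLISHED":
            continue
        if remote_ip not in listed:
            hits.append((remote_ip, int(remote_port)))
    return hits


# Constructed sample data (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    192.168.1.10:23        192.168.1.50:1045      ESTABLISHED
  TCP    192.168.1.10:139       192.168.1.60:1100      ESTABLISHED
  TCP    192.168.1.10:1027      192.168.1.70:23        ESTABLISHED
"""

if __name__ == "__main__":
    # An empty list models the case above: nobody has logged in, yet the
    # single telnet slot is occupied.
    for ip, rport in unlisted_telnet_peers(SAMPLE_NETSTAT, listed_peers=[]):
        print(f"telnet slot held by unauthenticated peer {ip}:{rport}")
```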