TB2 Pro sending NT passwords cleartext

From: David Masten (dmastenat_private)
Date: Sun Jan 16 2000 - 13:16:50 PST


Timbuktu Pro 32 (TB2) from Netopia sends user IDs and passwords in clear
text.

When TB2 is used to remote control a machine that is not logged in or is
locked, any user ID and password that is typed in is sent in clear text. A
malicious user on the network can "sniff" the packets and gain the NT user
IDs and passwords of anyone using TB2 to remotely control an NT machine.
    
Versions Tested:
Timbuktu Pro 32 2.0 build 650
Timbuktu Pro 32 3.0 build 30759

Vendor Status: Vendor has been notified and either does not appear willing
to correct, or does not understand the implications.
    
Exploit:
1. Start your favorite sniffer on the same network segment as either the
controlled machine or the controlling machine.
2. Remote control an NT machine that is either locked or not logged in.
3. Log in to that machine.
4. Stop the sniffer.
5. Search the sniffer output file for TCP packets to the controlled machine
on port 1417, having a data length of 7, and containing the hex sequence 05
00 3E in the first three bytes of data. The fourth byte is the upper case of
the letter that was typed.
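The packet signature in step 5 (TCP to port 1417, exactly 7 bytes of data, data beginning 05 00 3E) is also what a network monitor needs in order to find remote-control logins that are crossing an unencrypted segment. The following is an added example, not code from the advisory or from Netopia: it parses raw IPv4/TCP frames, applies that signature, and reports which controller/controlled pairs are sending keystroke packets in the clear, so the workaround can be enforced. It counts packets per pair and never decodes or stores the typed character. The sample frames, the addresses in them and the three trailing data bytes after the letter are constructed for the example (the advisory specifies only the first four data bytes).

```python
"""Monitor for Timbuktu Pro 32 cleartext keystroke packets (added example)."""
import struct
from collections import Counter

TB2_PORT = 1417                      # from the advisory
KEYSTROKE_PREFIX = b"\x05\x00\x3e"   # from the advisory
KEYSTROKE_DATA_LEN = 7               # from the advisory


def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Construct a minimal IPv4+TCP packet (no options) as sample input."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + 20 + len(payload), 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    # data offset 5 words, flags PSH+ACK, window 8192
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18,
                          8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, payload) or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or len(pkt) < ihl + 20:      # protocol 6 == TCP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[doff:]


def is_tb2_keystroke(dport, payload):
    """Apply the advisory's signature to one TCP segment."""
    return (dport == TB2_PORT
            and len(payload) == KEYSTROKE_DATA_LEN
            and payload[:3] == KEYSTROKE_PREFIX)


def find_cleartext_sessions(packets, min_keystrokes=4):
    """Count keystroke packets per (controller, controlled) address pair and
    return the pairs at or above the threshold. The keystroke byte itself is
    never recorded; only the fact that cleartext keystrokes were seen."""
    counts = Counter()
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        if is_tb2_keystroke(dport, payload):
            counts[(src, dst)] += 1
    return {pair: n for pair, n in counts.items() if n >= min_keystrokes}


# Constructed sample capture: one controller typing five characters at a
# locked machine, a second pair with only two, and unrelated traffic.
_FILLER = b"\x00\x00\x00"   # constructed; bytes 5-7 are not given by the advisory
SAMPLE_PACKETS = [
    build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40000, 1417, KEYSTROKE_PREFIX + ch + _FILLER)
    for ch in (b"A", b"D", b"M", b"I", b"N")
] + [
    build_ipv4_tcp("10.0.0.7", "10.0.0.9", 40001, 1417, KEYSTROKE_PREFIX + ch + _FILLER)
    for ch in (b"O", b"K")
] + [
    build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40000, 1417, b"\x05\x00\x3e" + b"screen-update"),
    build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40002, 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for (src, dst), n in find_cleartext_sessions(SAMPLE_PACKETS).items():
        print(f"ALERT: {n} cleartext TB2 keystroke packets {src} -> {dst}")
```

The threshold exists because a single matching packet can be noise; a run of them from one controller to one controlled host is a login being typed. Feeding real captures would mean replacing `SAMPLE_PACKETS` with frames read from a pcap and stripping the link-layer header before calling `parse_ipv4_tcp`.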
    
Workaround:
1. Do not use TB2 to control machines that are not logged in.
2. (From Netopia) "One possible solution, depending on your environment,
might include establishing a VPN. Since Timbuktu Pro is a set of services
that runs on top of the protocol layer, it is fully compatible with any
third party LAN based encryption schemes (Virtual Private Networks) or
connection protocols such as PPTP" (I do not see this as a viable solution
for their current target market, which is firms needing to centralize IT
staff while maintaining de-centralized systems.)

David Masten
DM InfoSec
dmastenat_private
440-725-1401
    

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:28:28 PDT