It also, last I checked, used UDP, so it is certainly not "fully compatible with any third party LAN based encryption scheme" - can you say SSH.

Bill

David Masten wrote:

> Timbuktu Pro 32 (TB2) from Netopia sends user IDs and passwords in clear
> text.
>
> When TB2 is used to remote control a machine that is not logged in or is
> locked, any user ID and password that is typed in is sent in clear text. A
> malicious user on the network can "sniff" the packets and gain the NT User
> IDs and passwords of anyone using TB2 to remotely control an NT machine.
>
> Versions Tested:
> Timbuktu Pro 32 2.0 build 650
> Timbuktu Pro 32 3.0 build 30759
>
> Vendor Status: Vendor has been notified and either does not appear willing
> to correct, or does not understand the implications.
>
> Exploit:
> 1. Start your favorite sniffer on the same network segment as either the
> controlled machine or the controlling machine.
> 2. Remote control an NT machine that is either locked or not logged in.
> 3. Log in to that machine.
> 4. Stop the sniffer
> 5. Search the sniffer output file for TCP packets to the controlled machine
> on port 1417, having a data length of 7, and containing the hex sequence 05
> 00 3E in the first three bytes of data. The fourth byte is the upper case of
> the letter that was typed.
>
> Workaround:
> 1. Do not use TB2 to control machines that are not logged in.
> 2. (From Netopia) "One possible solution, depending on your environment,
> might include establishing a VPN. Since Timbuktu Pro is a set of services
> that runs on top of the protocol layer, it is fully compatible with any
> third party LAN based encryption schemes (Virtual Private Networks) or
> connection protocols such as PPTP" (I do not see this as a viable solution
> for their current target market, which is firms needing to centralize IT
> staff while maintaining de-centralized systems.)
>
> David Masten
> DM InfoSec
> dmastenat_private
> 440-725-1401
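A defensive check built from the signature in step 5 of the quoted advisory, as an added example that is not part of the original thread: it counts matching packets per controller/controlled-host pair so exposed sessions can be located in a capture, without reading the key byte. Input is assumed to be raw IPv4 packets with the link-layer header already stripped; `build_packet`, the sample addresses and the filler payload bytes are constructed for the example.

```python
import struct
from collections import Counter

TB2_PORT = 1417                     # port named in the advisory
TB2_SIG = bytes.fromhex("05003e")   # first three data bytes named in the advisory
TB2_LEN = 7                         # data length named in the advisory

def tcp_payload(ip_packet):
    """Return (src, dst, dport, payload) for an IPv4/TCP packet, else None."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4 or ip_packet[9] != 6:
        return None                 # too short, not IPv4, or not TCP
    ihl = (ip_packet[0] & 0x0F) * 4
    if ihl < 20 or len(ip_packet) < ihl + 20:
        return None
    total = struct.unpack("!H", ip_packet[2:4])[0]
    src = ".".join(map(str, ip_packet[12:16]))
    dst = ".".join(map(str, ip_packet[16:20]))
    dport = struct.unpack("!H", ip_packet[ihl + 2:ihl + 4])[0]
    doff = (ip_packet[ihl + 12] >> 4) * 4
    if doff < 20:
        return None
    return src, dst, dport, ip_packet[ihl + doff:total]

def exposed_sessions(packets):
    """Count signature packets per (controller, controlled host) pair."""
    hits = Counter()
    for pkt in packets:
        parsed = tcp_payload(pkt)
        if parsed is None:
            continue
        src, dst, dport, data = parsed
        if dport == TB2_PORT and len(data) == TB2_LEN and data[:3] == TB2_SIG:
            hits[(src, dst)] += 1   # the key byte is never read or stored
    return dict(hits)

def build_packet(src, dst, dport, data):
    """Constructed test packet: minimal IPv4 + TCP headers, checksums zeroed."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp + data

# Constructed sample; bytes after the signature are zero filler, not real traffic.
SAMPLE = [
    build_packet("192.0.2.10", "192.0.2.20", 1417, TB2_SIG + bytes(4)),
    build_packet("192.0.2.10", "192.0.2.20", 1417, TB2_SIG + bytes(4)),
    build_packet("192.0.2.10", "192.0.2.20", 1417, TB2_SIG + bytes(9)),  # wrong length
    build_packet("192.0.2.10", "192.0.2.30", 22, TB2_SIG + bytes(4)),    # wrong port
]
```

Any pair this reports is a remote-control session whose login keystrokes crossed the monitored segment unencrypted.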
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:28:55 PDT