Microsoft Telnet Server NTLM Mutual Authentication Configuration Issue

hackerhouse-opensource · hackerhouse-opensource · commit 16c4f6c65574 · 2025-04-30T13:06:13.000-05:00
diff --git a/MsTelnetServer_NTLM_MutualAuth_ConfigIssue.txt b/MsTelnetServer_NTLM_MutualAuth_ConfigIssue.txt
@@ -5,59 +5,187 @@ Affected Software: Microsoft Telnet Server (Windows 2000 to Windows Server 2008
 Severity: Low (Non-Exploitable)
 CVE ID: None Assigned
 Vendor: Microsoft Corporation
-Status: Unpatched, non-exploitable. 
+Status: Unpatched, non-exploitable.
 
 Summary
 =======
-The Microsoft Telnet Server’s NTLM authentication over MS-TNAP uses SECPKG_CRED_BOTH in AcquireCredentialsHandle and ASC_REQ_MUTUAL_AUTH/ASC_REQ_DELEGATE in AcceptSecurityContext. These settings suggest a potential vulnerability where an attacker could invert authentication, forcing the server to authenticate to the client. Testing with a modified PoC tool (telnet_token.exe, based on updated netio.c and security.c) alongside auditing of the server behaviors has confirmed the issue is not exploitable. The server never initiates authentication with an NTLM Type 1 message, rendering these flags ineffective for exploitation uses by the client. Administrators should disable Telnet due to its plaintext transmission, but no specific action is required for this issue. The server implementation should, however, explicitly specify SECPKG_CRED_INBOUND and not support ASC_REQ_MUTUAL and ASC_REQ_DELEGATE if mutual authentication is not required. 
+The Microsoft Telnet Server’s NTLM authentication over MS-TNAP uses
+SECPKG_CRED_BOTH in AcquireCredentialsHandle and ASC_REQ_MUTUAL_AUTH/ASC_REQ_DELEGATE in 
+AcceptSecurityContext. These settings suggest a potential vulnerability where an attacker 
+could invert authentication, forcing the server to authenticate to the client. Testing 
+with a modified telnet client (telnet_token.exe, based on updated netio.c and security.c) 
+alongside auditing of the server behaviors has confirmed the issue is not exploitable. The 
+server never initiates authentication with an NTLM Type 1 message, rendering these flags
+ineffective for exploitation uses by the client. Administrators should disable
+Telnet due to its plaintext transmission, but no specific action is required for
+this issue. The server implementation should, however, explicitly specify
+SECPKG_CRED_INBOUND and not support ASC_REQ_MUTUAL and ASC_REQ_DELEGATE if mutual
+authentication is not required.
 
 Technical Details
 =================
 The server’s SSPI implementation includes:
 
-- SECPKG_CRED_BOTH in AcquireCredentialsHandle: Allows the server to act as both authenticator and authenticatee, unexpected for a server role.
-- ASC_REQ_MUTUAL_AUTH and ASC_REQ_DELEGATE in AcceptSecurityContext: Supports mutual authentication and credential delegation, potentially enabling an authentication bypass.
+- SECPKG_CRED_BOTH in AcquireCredentialsHandle: Allows the server to act as both
+  authenticator and authenticatee, unexpected for a server role.
+- ASC_REQ_MUTUAL_AUTH and ASC_REQ_DELEGATE in AcceptSecurityContext: Supports
+  mutual authentication and credential delegation, potentially enabling an
+  authentication bypass.
 
-A practical attack would require the server to send a Type 1 (NEGOTIATE) message, allowing the client to process server credentials via AcceptSecurityContext. We updated security.c in a telnet client and attempted this by using SECPKG_CRED_INBOUND and AcceptSecurityContext to handle a server Type 1 message whilst sending the MS-TNAP direction flags AUTH_SERVER_TO_CLIENT | AUTH_HOW_MUTUAL. The server ignores these flags and it appears Telnet mutual authentication was a feature that Microsoft abandoned during development.
+A practical attack would require the server to send a Type 1 (NEGOTIATE) message,
+allowing the client to process server credentials via AcceptSecurityContext. We
+updated security.c in a telnet client and attempted this by using
+SECPKG_CRED_INBOUND and AcceptSecurityContext to handle a server Type 1 message
+whilst sending the MS-TNAP direction flags AUTH_SERVER_TO_CLIENT |
+AUTH_HOW_MUTUAL. The server ignores these flags and it appears Telnet mutual
+authentication was a feature that Microsoft abandoned during development.
 
 PoC Testing
 ===========
-The PoC tool (telnet_token.exe), built using a modified netio.c and security.c to exploit the logic flaws and establish mutual authentication was developed and tested against a Windows Server 2008 R2 Telnet Server. Key findings:
+The PoC tool (telnet_token.exe), built using a modified netio.c and security.c to
+exploit the logic flaws and establish mutual authentication was developed and
+tested against a Windows Server 2008 R2 Telnet Server. Key findings:
 
-- Standard Flow: The client sent a Type 1 message with AUTH_SERVER_TO_CLIENT | AUTH_HOW_MUTUAL. The server responded with a Type 2 (CHALLENGE) message, using AUTH_HOW_ONE_WAY | AUTH_CLIENT_TO_SERVER, ignoring the mutual authentication request. No server authentication data was included.
-- Reversed Authentication: Using SECPKG_CRED_INBOUND and AcceptSecurityContext caused a crash with SEC_E_INVALID_TOKEN (0x80090308) when processing the server’s Type 2 message, as it was not a valid input token for AcceptSecurityContext. The server never sent a Type 1 message.
-- Type 2 Analysis: The Type 2 message contained standard NTLM fields (challenge, target name, flags: 0xe28a8215) with no server authentication token, adhering to RFC 4559. Our PoC tool will output any server token that maybe sent by a Type 2 message in the event the servers Type 1 requests for mutual authentication are used. However NTLMSSP only includes authentication material and cryptographic data in a type 3 message making this issue non-exploitable.
+- Standard Flow: The client sent a Type 1 message with
+  AUTH_SERVER_TO_CLIENT | AUTH_HOW_MUTUAL. The server responded with a Type 2
+  (CHALLENGE) message, using AUTH_HOW_ONE_WAY | AUTH_CLIENT_TO_SERVER, ignoring
+  the mutual authentication request. No server authentication data was included.
+- Reversed Authentication: Using SECPKG_CRED_INBOUND and AcceptSecurityContext
+  caused a crash with SEC_E_INVALID_TOKEN (0x80090308) when processing the
+  server’s Type 2 message, as it was not a valid input token for
+  AcceptSecurityContext. The server never sent a Type 1 message.
+- Type 2 Analysis: The Type 2 message contained standard NTLM fields (challenge,
+  target name, flags: 0xe28a8215) with no server authentication token, adhering to
+  RFC 4559. Our PoC tool will output any server token that maybe sent by a Type 2
+  message in the event the servers Type 1 requests for mutual authentication are
+  used. However NTLMSSP only includes authentication material and cryptographic
+  data in a type 3 message making this issue non-exploitable.
 
 Why It’s Not Exploitable
 ========================
-- Fixed Server Role: The server exclusively only acts as an NTLM authenticator, sending Type 2 messages and never initiating with Type 1. SECPKG_CRED_BOTH is unused even when sending the appropriate flags in the client.
-- Protocol Limitation: MS-TNAP ignores AUTH_SERVER_TO_CLIENT and AUTH_HOW_MUTUAL, enforcing client-driven authentication (RFC 2941).
-- No Server Credentials: Type 2 messages lack authentication data, and mutual authentication occurs only in the client’s Type 3 response, which the server verifies.
+- Fixed Server Role: The server exclusively only acts as an NTLM authenticator,
+  sending Type 2 messages and never initiating with Type 1. SECPKG_CRED_BOTH is
+  unused even when sending the appropriate flags in the client.
+- Protocol Limitation: MS-TNAP ignores AUTH_SERVER_TO_CLIENT and AUTH_HOW_MUTUAL,
+  enforcing client-driven authentication (RFC 2941).
+- No Server Credentials: Type 2 messages lack authentication data, and mutual
+  authentication occurs only in the client’s Type 3 response, which the server
+  verifies.
 
 Impact
 ======
-None. The configuration does not expose credentials, tokens, allow bypass, or weaken NTLM authentication. A separate vulnerability that allows for Guest access restriction bypass through MS-TNAP is described elsewhere in this repo.
+None. The configuration does not expose credentials, tokens, allow bypass, or
+weaken NTLM authentication. A separate vulnerability that allows for Guest access
+restriction bypass through MS-TNAP is described elsewhere in this repo.
 
 Mitigation
 ==========
 - No Patch Needed: The issue is not exploitable.
 - Disable Telnet: Use SSH to avoid Telnet’s plaintext transmission.
-- Monitor Updates: Re-evaluate if future server changes enable Type 1 message initiation.
+- Monitor Updates: Re-evaluate if future server changes enable Type 1 message
+  initiation.
 
-PoC Tool
-========
-A telnet_token.exe is encoded in this file (built from updated netio.c and security.c):
+Testing
+=======
+A telnet_token.exe is encoded in this file (built from patched netio.c and
+security.c) which can be used to inspect telnet traffic and verify the server
+behavior:
 
-- Functionality: Parses NTLM messages, attempts reversed authentication with SECPKG_CRED_INBOUND, and dumps message details.
+- Functionality: Parses NTLM messages, attempts reversed authentication with
+  SECPKG_CRED_INBOUND, and dumps message details.
 - Usage: telnet_token.exe <ip> <port>
-- Output: Displays hex dumps, flags (e.g., NEGOTIATE_EXTENDED_SESSIONSECURITY), and fields (e.g., target name). Exits with SEC_E_INVALID_TOKEN on reversed authentication attempts.
+- Output: Displays hex dumps, flags (e.g., NEGOTIATE_EXTENDED_SESSIONSECURITY), and
+  fields (e.g., target name). Exits with SEC_E_INVALID_TOKEN on reversed
+  authentication attempts.
+
+The tool is designed to print any authentication token it receives from the server
+in a type 2 response when forcing mutual authentication, however these are only
+expected to be sent in type 3 messages, should you find a token with this tool - it
+is likely due to a modified NTLMSSP implementation.
+
+e.g.
+
+Received AUTH SEND NTLM request from server
+DEBUG: StartNTLMAuth called
+DEBUG: Using domain: XPSRCBUILD
+DEBUG: Using username: Administrator
+Sent NTLM Type 1 Message (Raw Hex Dump):
+Total Size: 40 bytes
+4e 54 4c 4d 53 53 50 00 01 00 00 00 97 82 08 e2
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+05 01 28 0a 00 00 00 0f
+
+Parsed NTLM Type 1 Message:
+NTLM Flags: 0xe2088297
+  - NEGOTIATE_UNICODE
+  - NEGOTIATE_OEM
+  - NEGOTIATE_NTLM
+  - NEGOTIATE_ALWAYS_SIGN
+  - NEGOTIATE_EXTENDED_SESSIONSECURITY
+  - NEGOTIATE_VERSION
+  - NEGOTIATE_128
+  - NEGOTIATE_KEY_EXCH
+  - NEGOTIATE_56
+Domain Name: (empty)
+Workstation Name: (empty)
+Version: 5.1 (Build 2600)
+DEBUG: Sending Type 1 message, size=57
+NTLM Type 1 (NEGOTIATE) message sent successfully
+
+Received AUTH REPLY NTLM from server, code: 1
+Processing NTLM_CHALLENGE (Type 2) message
+DEBUG: DoNTLMAuth called, dwSize=188
+Received NTLM Type 2 Message (Raw Hex Dump):
+Total Size: 178 bytes
+4e 54 4c 4d 53 53 50 00 02 00 00 00 12 00 12 00
+38 00 00 00 15 82 8a e2 02 c4 3c bf d1 9e 77 58
+00 00 00 00 00 00 00 00 68 00 68 00 4a 00 00 00
+06 01 b0 1d 00 00 00 0f 57 00 49 00 4e 00 32 00
+30 00 30 00 38 00 52 00 32 00 02 00 12 00 57 00
+49 00 4e 00 32 00 30 00 30 00 38 00 52 00 32 00
+01 00 12 00 57 00 49 00 4e 00 32 00 30 00 30 00
+38 00 52 00 32 00 04 00 12 00 57 00 49 00 4e 00
+32 00 30 00 30 00 38 00 52 00 32 00 03 00 12 00
+57 00 49 00 4e 00 32 00 30 00 30 00 38 00 52 00
+32 00 07 00 08 00 7c bf 19 d9 f9 b9 db 01 00 00
+00 00
 
-e.g. 
+Parsed NTLM Type 2 Message:
+Challenge: 02 c4 3c bf d1 9e 77 58
+NTLM Flags: 0xe28a8215
+  - NEGOTIATE_UNICODE
+  - NEGOTIATE_NTLM
+  - NEGOTIATE_ALWAYS_SIGN
+  - NEGOTIATE_EXTENDED_SESSIONSECURITY
+  - NEGOTIATE_TARGET_INFO
+  - NEGOTIATE_VERSION
+  - NEGOTIATE_128
+  - NEGOTIATE_KEY_EXCH
+  - NEGOTIATE_56
+Target Name: WIN2008R2
+Target Info (hex): 02 00 12 00 57 00 49 00 4e 00 32 00 30 00 30 00 38 00 52 00 3
+2 00 01 00 12 00 57 00 49 00 4e 00 32 00 30 00 30 00 38 00 52 00 32 00 04 00 12
+00 57 00 49 00 4e 00 32 00 30 00 30 00 38 00 52 00 ...
+Server Authentication Token: (none)
+DEBUG: Exiting after Type 2 message
 
 
 Conclusion
 ==========
-The NTLM configuration issue in the Microsoft Telnet Server stems from the intended support for mutual authentication within the MS-TNAP protocol and the server’s SSPI configuration, specifically the use of SECPKG_CRED_BOTH and ASC_REQ_MUTUAL_AUTH flags. These settings suggest the server could act as an authenticatee, initiating authentication with a Type 1 message, which could allow an attacker to invert the authentication flow. However, this vulnerability is not exploitable due to explicit server-side logic that ignores the AUTH_SERVER_TO_CLIENT and AUTH_HOW_MUTUAL flags in MS-TNAP, enforcing a client-driven authentication model. The server’s implementation lacks the necessary code to handle these flags or send a Type 1 message, effectively abandoning mutual authentication functionality during development. As a result, the server remains strictly an NTLM authenticator, rendering the configuration a non-exploitable oddity. Administrators should disable Telnet for general security due to its inherent weaknesses, but no specific action is required for this issue.
+The NTLM configuration issue in the Microsoft Telnet Server stems from the intended
+support for mutual authentication within the MS-TNAP protocol and the server’s SSPI
+configuration, specifically the use of SECPKG_CRED_BOTH and ASC_REQ_MUTUAL_AUTH
+flags. These settings suggest the server could act as an authenticatee, initiating
+authentication with a Type 1 message, which could allow an attacker to invert the
+authentication flow. However, this vulnerability is not exploitable due to explicit
+server-side logic that ignores the AUTH_SERVER_TO_CLIENT and AUTH_HOW_MUTUAL flags
+in MS-TNAP, enforcing a client-driven authentication model. The server’s
+implementation lacks the necessary code to handle these flags or send a Type 1
+message, effectively abandoning mutual authentication functionality during
+development. As a result, the server remains strictly an NTLM authenticator,
+rendering the configuration a non-exploitable oddity. Administrators should disable
+Telnet for general security due to its inherent weaknesses, but no specific action
+is required for this issue.
 
 Disclosure Timeline
 ===================
@@ -70,8 +198,8 @@ Credits
 =======
 Discovered by Hacker Fantastic (https://hacker.house)
 
-Proof-of-Concept
-================
+Test Utility
+============
 begin 777 telnet_token.exe
 M35J0``,````$````__\``+@`````````0```````````````````````````
 M````````````````````X`````X?N@X`M`G-(;@!3,TA5&AI<R!P<F]G<F%M
