Commit d817cc6
Microsoft Telnet Server NTLM Mutual Authentication Configuration Issue
1 parent 16c4f6c commit d817cc6

1 file changed

+12
-12
lines changed

MsTelnetServer_NTLM_MutualAuth_ConfigIssue.txt

Lines changed: 12 additions & 12 deletions
@@ -9,18 +9,18 @@ Status: Unpatched, non-exploitable.
99

1010
Summary
1111
=======
12-
The Microsoft Telnet Server’s NTLM authentication over MS-TNAP uses
13-
SECPKG_CRED_BOTH in AcquireCredentialsHandle and ASC_REQ_MUTUAL_AUTH/ASC_REQ_DELEGATE in
14-
AcceptSecurityContext. These settings suggest a potential vulnerability where an attacker
15-
could invert authentication, forcing the server to authenticate to the client. Testing
16-
with a modified telnet client (telnet_token.exe, based on updated netio.c and security.c)
17-
alongside auditing of the server behaviors has confirmed the issue is not exploitable. The
18-
server never initiates authentication with an NTLM Type 1 message, rendering these flags
19-
ineffective for exploitation uses by the client. Administrators should disable
20-
Telnet due to its plaintext transmission, but no specific action is required for
21-
this issue. The server implementation should, however, explicitly specify
22-
SECPKG_CRED_INBOUND and not support ASC_REQ_MUTUAL and ASC_REQ_DELEGATE if mutual
23-
authentication is not required.
12+
The Microsoft Telnet Server’s NTLM authentication over MS-TNAP specifies
13+
AUTH_SERVER_TO_CLIENT and AUTH_HOW_MUTUAL flags in the protocol but does not
14+
implement them in server logic. It also uses SECPKG_CRED_BOTH in AcquireCredentialsHandle
15+
and ASC_REQ_MUTUAL_AUTH/ASC_REQ_DELEGATE in AcceptSecurityContext, suggesting a
16+
potential vulnerability where an attacker could invert authentication, forcing the
17+
server to authenticate to the client. Testing with a modified PoC tool (telnet_token.exe,
18+
based on updated netio.c and security.c) and auditing server behavior confirmed the issue
19+
is not exploitable. The server never initiates authentication with an NTLM Type 1 message,
20+
rendering these flags ineffective for client exploitation. Administrators should disable
21+
Telnet due to its plaintext transmission, but no specific action is required for this issue.
22+
The server should explicitly use SECPKG_CRED_INBOUND and avoid supporting ASC_REQ_MUTUAL
23+
and ASC_REQ_DELEGATE if mutual authentication is not needed.
2424

2525
Technical Details
2626
=================
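Review bot: the recommendation at line 22+ names the flag `ASC_REQ_MUTUAL` while line 15+ in the same paragraph uses `ASC_REQ_MUTUAL_AUTH`; pick one spelling (the latter is the form used when the AcceptSecurityContext call is first described) so the recommendation and the finding refer to the same flag. The statement added at lines 13+/14+ that the server "specifies AUTH_SERVER_TO_CLIENT and AUTH_HOW_MUTUAL flags in the protocol but does not implement them in server logic" is new to the Summary and has no counterpart in this change, which touches nothing below the "Technical Details" heading; consider adding the observation that supports it there, so the summary does not assert more than the body documents.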
