COMMAND

    telnetd

SYSTEMS AFFECTED

    Win2000

PROBLEM

    Ron Sweeney found the following.  He usually just browses through the
    messages on this list to play with people's neat sploits and
    such...  What we have here is Win2000Pro, Telnet service started
    with NTLM turned off...

        $ telnet 192.168.0.1
        Trying 192.168.0.1...
        Connected to 192.168.0.1.
        Escape character is '^]'.
        Microsoft (R) Windows (TM) Version 5.00 (Build 2195)
        Welcome to Microsoft Telnet Service
        Telnet Server Build 5.00.99201.1
        login: guest
        Login through Guest account not allowed
        login: \\guest
        password:

        *===============================================================
        Welcome to Microsoft Telnet Server.
        *===============================================================
        C:\>

    'ghandi' did  some testing  on a  Win2k Pro  machine (same version
    numbers as in the  original post) with NTLM  authentication turned
    off.  It seems that the telnet server ignores any backslashes.  He
    could log  in with  'ghandi', '\ghandi',  '\\ghandi', '\\\ghandi',
    etc.  He then disabled the account and couldn't log in with or
    without slashes.  So it doesn't allow access to disabled accounts.

    He then started  playing with the  guest account.   Once he set  a
    password and enabled  the account, he  wasn't able to  log in with
    'guest' ("Login through  Guest account not  allowed"), but he  WAS
    able to  log in  with '\guest',  '\\guest', '\\\\guest',  etc.  It
    seems that the  telnet server disallows  any logins with  username
    "guest", but because '\' characters are skipped or ignored in  the
    username,  with  the  correct  password,  the guest account can be
    used through telnet.
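
    The check order described above, as an added example (not code from
    the original post or from Microsoft).  The deny-list, the account
    table, the case folding and all function names are assumptions of
    this model; it shows why the policy check must run on the same
    canonical name the account lookup uses.

```python
# Added model of the check order described above; assumed logic, not the
# Telnet service's real code. Accounts and passwords are constructed samples.
DENIED = {"guest"}  # name the service refuses outright

ACCOUNTS = {  # canonical name -> (password, enabled)
    "guest": ("guest-pw", True),
    "ghandi": ("ghandi-pw", False),   # disabled, as in the test above
    "operator": ("op-pw", True),      # hypothetical ordinary account
}

def canonical(name):
    """Form used for the account lookup: backslashes skipped (per the
    testing above), case folded (assumption of this model)."""
    return name.replace("\\", "").casefold()

def authenticate(name, password):
    """Look up the canonical name; disabled accounts never authenticate."""
    entry = ACCOUNTS.get(canonical(name))
    return entry is not None and entry[1] and entry[0] == password

def login_flawed(name, password):
    # Policy check sees the raw string, the lookup sees the canonical one.
    if name.casefold() in DENIED:
        return "denied"
    return "shell" if authenticate(name, password) else "failed"

def login_fixed(name, password):
    # Canonicalize once, then apply policy to the string the lookup uses.
    if canonical(name) in DENIED:
        return "denied"
    return "shell" if authenticate(name, password) else "failed"

def compare(attempts):
    """Return (name, flawed result, fixed result) for each attempt."""
    return [(n, login_flawed(n, p), login_fixed(n, p)) for n, p in attempts]

if __name__ == "__main__":
    SAMPLE = [("guest", "guest-pw"), ("\\guest", "guest-pw"),
              ("\\\\guest", "guest-pw"), ("\\\\ghandi", "ghandi-pw"),
              ("\\operator", "op-pw")]
    for row in compare(SAMPLE):
        print("%-12s flawed=%-7s fixed=%s" % row)
```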

SOLUTION

    Create  a  group  called  TelnetClients  with  no members and this
    will stop access using any variation of guest.