COMMAND

    Timbuktu

SYSTEMS AFFECTED

    Timbuktu32 (Win)

PROBLEM

    Blue Boar found the following.  Here are a few bits of weirdness
    he noticed with Timbuktu.  For those who don't know, Timbuktu is a
    remote control application like PCAnywhere, CarbonCopy, etc.  It
    started out on the Mac platform, and is actually cross-platform
    Mac & Windows, which IMHO is its main standout feature.  Later
    versions also include file transfer, chat, & observation mode in
    addition to control mode, plus probably a few other features.

    It takes control of the main desktop, so is generally apparent  if
    you're sitting in front of the  machine.  It keeps logs of  people
    who have connected, locally on  the server machine.  It  should be
    pretty trivial to erase the logs if desired.

    BB first started to examine TB2 at work, where it's part of a
    standard template that goes on almost all PCs.  Someone sent an
    internal email noting that the passwords would show up.  I.e. if
    someone had connected to your machine, and you pulled up the app
    after, there was their password showing in the clear.  Whoops.
    This is a problem because it's intended for IT personnel to
    control users' machines, and users aren't supposed to have the
    passwords (build 635!?).

    This also means that either the passwords stored locally, or the
    passwords across the wire, are decryptable/decodable.  BB sniffed
    the connections, and the passwords are not in the clear.
    Passwords are stored locally in tb2.plu.  Boar did some brief
    looking at the file.  There is a small password history, and
    passwords are at least encoded.  Account names are in the clear.
    In his environment, all users have the same passwords.  So, if any
    user cracks a password, they have access to all machines.  There
    is also a master password of sorts that the users can't erase via
    the GUI.  This was done as part of a corporate install setup.

    While sniffing  connections, BB  noticed that  TB2 gives  a lot of
    useful information.  It gives company name and machine name and  a
    few other things.

    The authentication setup is UDP, and looks fully replayable,
    though he is not sure whether you can sync the control connections
    that way.

    Robert G. Ferrell added the following.  Whenever he starts
    Timbuktu, in the TCP/IP tab the first TCP/IP Address entry is
    always his Windows Client logon password, in plain text.  He
    tracked this to
    HKEY_LOCAL_MACHINE\Software\Netopia\Timbuktu Pro\NetPlaces in the
    registry and removed it, but it comes right back the next time he
    reboots, even if he doesn't log on to the machine as himself.

SOLUTION

    The latest build addressed these issues.