COMMAND

    Timbuktu Pro

SYSTEMS AFFECTED

    Timbuktu Pro 32 (TB2)

PROBLEM

    David Masten found the following.  Timbuktu Pro 32 (TB2) from Netopia
    sends user IDs and passwords in clear text.  When TB2 is used to
    remote control a machine that is not logged in or is locked, any
    user ID and password that is typed in is sent in clear text.  A
    malicious user on the network can "sniff" the packets and gain
    the NT user IDs and passwords of anyone using TB2 to remotely
    control an NT machine.

    Versions Tested:

        Timbuktu Pro 32 2.0 build 650
        Timbuktu Pro 32 3.0 build 30759

    Exploit:

        1. Start your favorite sniffer on the same network segment  as
           either the controlled machine or the controlling machine.
        2. Remote control an NT  machine that is either locked  or not
           logged in.
        3. Log in to that machine.
        4. Stop the sniffer.
        5. Search the sniffer output file for TCP packets to the
           controlled machine on port 1417, having a data length of 7,
           and containing the hex sequence 05 00 3E in the first three
           bytes of data.  The fourth byte is the upper case of the
           letter that was typed.
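    As an added example, not part of the original advisory, the packet
    signature from step 5 turned into a small detector a network defender
    could run over a capture to spot TB2 sessions leaking keystrokes.
    Only the port, the 7-byte data length and the 05 00 3E prefix come
    from the advisory; the Packet record layout, the sample addresses and
    the trailing payload bytes are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Signature taken from the advisory: TCP to port 1417, exactly 7 data bytes,
# first three bytes 05 00 3E, fourth byte the (upper-cased) key typed.
TB2_CONTROL_PORT = 1417
TB2_KEYSTROKE_PREFIX = b"\x05\x00\x3e"
TB2_KEYSTROKE_LEN = 7


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet record; this layout is an assumption for the example."""
    src: str
    dst: str
    dst_port: int
    payload: bytes


def is_tb2_keystroke(pkt: Packet) -> bool:
    """True if the packet matches the clear-text keystroke pattern from step 5."""
    return (pkt.dst_port == TB2_CONTROL_PORT
            and len(pkt.payload) == TB2_KEYSTROKE_LEN
            and pkt.payload.startswith(TB2_KEYSTROKE_PREFIX))


def keystroke_flows(packets: List[Packet]) -> Dict[Tuple[str, str], int]:
    """Count keystroke packets per (controlling host, controlled host) pair."""
    counts: Dict[Tuple[str, str], int] = {}
    for p in packets:
        if is_tb2_keystroke(p):
            counts[(p.src, p.dst)] = counts.get((p.src, p.dst), 0) + 1
    return counts


def alerts(packets: List[Packet], threshold: int = 1) -> List[str]:
    """One alert line per flow that carried at least `threshold` keystroke packets."""
    return [f"TB2 clear-text keystrokes: {n} packet(s) {s} -> {d}:{TB2_CONTROL_PORT}"
            for (s, d), n in keystroke_flows(packets).items() if n >= threshold]


# Constructed sample capture (not real traffic): three keystrokes sent to the
# controlled host, plus noise that must not match. Bytes 5-7 are made-up padding.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.9", 1417, b"\x05\x00\x3eA\x00\x00\x00"),
    Packet("10.0.0.5", "10.0.0.9", 1417, b"\x05\x00\x3eB\x00\x00\x00"),
    Packet("10.0.0.5", "10.0.0.9", 1417, b"\x05\x00\x3eC\x00\x00\x00"),
    Packet("10.0.0.5", "10.0.0.9", 1417, b"\x05\x00\x3e"),                # wrong length
    Packet("10.0.0.5", "10.0.0.9", 1417, b"\x01\x00\x3eX\x00\x00\x00"),   # wrong prefix
    Packet("10.0.0.5", "10.0.0.9", 80,   b"\x05\x00\x3eX\x00\x00\x00"),   # wrong port
]

if __name__ == "__main__":
    for line in alerts(SAMPLE):
        print(line)
```

    The same three conditions map directly onto an IDS content rule, which
    is how a network team would watch for this on a segment it does not
    control.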

    It also, as of the last time William J. Husler checked, uses UDP, so
    it is certainly not "fully compatible with any third party LAN based
    encryption scheme" (can you say SSH?).

SOLUTION

    The vendor has been notified and either does not appear willing to
    correct the problem or does not understand the implications.  Workaround:

        1. Do not use TB2 to control machines that are not logged in.
        2. (From  Netopia) "One  possible solution,  depending on your
           environment,  might  include  establishing  a  VPN.   Since
           Timbuktu Pro is a set of  services that runs on top of  the
           protocol layer, it is fully compatible with any third party
           LAN based encryption schemes (Virtual Private Networks)  or
           connection protocols such as PPTP" (I do not see this as  a
           viable solution for their  current target market, which  is
           firms  needing  to  centralize  IT  staff while maintaining
           de-centralized systems.)