Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: tb2.htm

Timbuktu Pro 32 (TB2) Cleartext Passwords



Vulnerability

    Timbuktu Pro

Affected

    Timbuktu Pro 32 (TB2)

Description

    David Masten found following.  Timbuktu Pro 32 (TB2) from  Netopia
    sends user IDs and passwords in  clear text.  When TB2 is  used to
    remote control a machine that is  not logged in or is locked,  any
    user ID and password  that is typed in  is sent in clear  text.  A
    malicious user  on the  network can  "sniff" the  packets and gain
    the NT User  IDs and passwords  of any one  using TB2 to  remotely
    control a NT machine.

    Versions Tested:

        Timbuktu Pro 32 2.0 build 650
        Timbuktu Pro 32 3.0 build 30759

    Exploit:

        1. Start your favorite sniffer on the same network segment  as
           either the controlled machine or the controlling machine.
        2. Remote control an NT  machine that is either locked  or not
           logged in.
        3. Log in to that machine.
        4. Stop the sniffer
        5.  Search  the  sniffer  output  file  for TCP packets to the
           controlled machine on port 1417, having a data length of 7,
           and containing the hex sequence 05 00 3E in the first three
           bytes of data.   The fourth byte is  the upper case of  the
           letter that was typed.

    It also, last time William J.  Husler checked, uses UDP, so it  is
    certainly not  "fully compatible  with any  third party  LAN based
    encryption scheme" - can you say SSH.

Solution

    Vendor has  been notified  and either  does not  appear willing to
    correct, or does not understand the implications.  Workaround:

        1. Do not use TB2 to control machines that are not logged in
        2. (From  Netopia) "One  possible solution,  depending on your
           environment,  might  include  establishing  a  VPN.   Since
           Timbuktu Pro is a set of  services that runs on top of  the
           protocol layer, it is fully compatible with any third party
           LAN based encryption schemes (Virtual Private Networks)  or
           connection protocols such as PPTP" (I do not see this as  a
           viable solution for their  current target market, which  is
           firms  needing  to  centralize  IT  staff while maintaining
           de-centralized systems.)


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH