A severe vulnerability affecting Microsoft Telnet Server has been uncovered, allowing remote attackers to completely bypass authentication and gain administrator access without valid credentials. Detailed in a report by Hacker Fantastic, the flaw — involving the Microsoft Telnet Authentication Protocol (MS-TNAP) — represents a major security threat to legacy Windows systems, with no official patch currently available.
According to the report, “a critical 0-click remote authentication bypass vulnerability in Microsoft Telnet Server allows attackers to gain access as any user, including Administrator, without requiring valid credentials.” The vulnerability arises from a misconfiguration in how the Telnet server handles NTLM authentication processes.
The flaw impacts a wide range of Microsoft operating systems, including:
- Windows 2000
- Windows XP
- Windows Server 2003
- Windows Vista
- Windows Server 2008
- Windows 7
- Windows Server 2008 R2
The vulnerability stems from the Telnet server improperly initializing NTLM authentication credentials and incorrectly handling mutual authentication. Specifically, the server sets vulnerable SSPI flags during the authentication handshake:
“The server initializes NTLM security with SECPKG_CRED_BOTH flag” and “uses AcceptSecurityContext() with ASC_REQ_DELEGATE and ASC_REQ_MUTUAL_AUTH flags,” the report explains.
This faulty configuration enables a dangerous inversion of the authentication relationship — making the server authenticate itself to the client, instead of verifying the client’s identity.
The proof-of-concept (PoC) exploit released by Hacker Fantastic leverages this vulnerability through the following steps:
- Requesting mutual authentication with specific flags.
- Using a NULL password for the target Administrator account.
- Manipulating SSPI flags to trigger the server’s authentication logic flaw.
- Sending a modified NTLM Type 3 message that deceives the server.
- Achieving full authentication bypass, ultimately opening a Telnet session with Administrator privileges.
As noted, “An attacker can bypass authentication to any account on the host by sending mutual authentication packets and exploiting the SSPI configuration to bypass the server-side authentication.“
The released PoC, telnetbypass.exe, targets localhost or domain-joined hosts and requires the Telnet Server service to be running.
Alarmingly, “there is currently no patch for this vulnerability.” As a result, organizations are urged to take immediate protective measures:
- Disable the Telnet Server service on all systems.
- Transition to more secure alternatives like SSH for remote management.
- Implement network-level filtering to restrict Telnet access only to trusted IPs and networks.
- Use application control policies to block unauthorized Telnet clients.
Importantly, to minimize the risk of mass exploitation, “the source code for this exploit has been withheld.” Only a binary PoC has been released to the public at this time.
Related Posts:
???? Support SecurityOnline.info
If this article helped you stay informed, please consider supporting us below.
