Zero-Click NTLM Authentication Bypass in Telnet Servers – No Patch Available Yet

A critical zero-click NTLM relay vulnerability is affecting Windows Telnet servers, allowing unauthenticated attackers to execute arbitrary code remotely without user interaction. A Proof-of-Concept (PoC) exploit has been publicly released, heightening the urgency, while no official patch from Microsoft is available at this point. The flaw impacts systems where the Telnet service is exposed and enabled.

Severity Level: Critical

VULNERABILITY DETAILS:

1. Type: 0-click remote authentication bypass
2. Affected Component: Microsoft Telnet Server
3. Affected Protocol: Microsoft Telnet Authentication Protocol (MS-TNAP) via NTLM
4. CVE ID: Not yet assigned as of publication
5. Impacted Systems: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2
6. Impact: Allows attackers to gain full administrative privileges remotely without credentials
7. Exploit Availability: Binary PoC (telnetbypass.exe) released. No source code yet.

ROOT CAUSE:

The vulnerability stems from a critical misconfiguration in how the Telnet server initializes and processes NTLM-based authentication. Specifically:

1. Improper use of NTLM SSPI flags:
   The server initializes NTLM using SECPKG_CRED_BOTH — allowing it to act as both client and server.
   It invokes AcceptSecurityContext() using ASC_REQ_DELEGATE and ASC_REQ_MUTUAL_AUTH.
2. Inversion of authentication logic:
   The Telnet server ends up authenticating itself to the attacker, instead of verifying the attacker’s identity.
   This leads to an authentication bypass where the attacker appears trusted.
3. Broken Mutual Authentication:
   The server trusts a modified NTLM message crafted by the attacker and grants access.

EXPLOITATION:

Outlined by Hacker Fantastic, the exploitation chain proceeds as follows:

1. Mutual Authentication Request:
   The attacker initiates an NTLM handshake requesting mutual authentication.
2. Fake NTLM Message:
   Sends a NULL password and spoofed NTLM Type 3 message.
3. Abuse of SSPI Flags:
   Manipulates AcceptSecurityContext() to bypass client verification.
4. Access Gained:
   The server completes the handshake believing the client (attacker) is valid.
   The result: a Telnet session with Administrator-level access, without any valid credentials.
5. PoC Usage:
   The exploit works locally or on domain-joined hosts.
   Requires Telnet Server service to be running.
   Only the binary was released to minimize widespread abuse.

Recommendations:

1. Disable the Telnet Server service on all systems.
2. Transition to more secure alternatives like SSH for remote management.
3. Implement network-level filtering to restrict Telnet access only to trusted IPs and networks.
4. Use application control policies to block unauthorized Telnet clients.

Source:

• https://securityonline.info/0-click-ntlm-authentication-bypass-hits-microsoft-telnet-server-poc-releases-no-patch/

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn.

No related posts found.