Are you running a Telnet server on Windows? Oh thank God. THANK GOD

It's that time of the month again, when Microsoft scrambles to plaster over the latest crop of vulnerabilities in Windows and Internet Explorer. The first Patch Tuesday of 2015 brings eight security updates, one of which is rated Critical in severity, while the rest are rated Important. The Critical patch (MS15-002) addresses …

  1. Flocke Kroes Silver badge

    Please help a penguin

    I thought the purpose of telnet was remote code execution, with the option to send unencrypted passwords to local network sniffers. I use it to talk to embedded systems too dumb for dropbear (trimmed ssh) over a dedicated network cable. The idea that telnet could be secured or required a security patch seemed strange, so I tried looking up vulnerability. Microsoft's knowledge base tells me 'server error in / application'.

    Can anyone explain what is going on?

    1. bob, mon!

      Re: Please help a penguin

      It probably allows some sort of attack without needing to know an account/password. Maybe a DOS (heh) or ability to install some malware.

    2. Philip Storry

      Re: Please help a penguin

      You're right, telnet has no place on modern systems unless you have a need to leak credentials.

      The actual bug seems to be that the telnet server on Windows doesn't validate input. Specially crafted strings can cause remote code execution - I assume that this means before the login process of the telnet session, and therefore running under the same account as the telnet service. But details from Microsoft are rather sparse here, so I have to admit I'm guessing.

      Telnet isn't used much on Windows boxes. It's as unsecure on Windows as it is on *NIX boxes, and was only introduced to provide POSIX compatibility (if I recall correctly).

      At the time, it was difficult if not impossible to administer a Windows box from the command line unless you'd written one heck of a lot of VB scripts, and most people therefore didn't bother with it when they could just use an RDP session instead...

      Powershell has changed that somewhat, but it doesn't use telnet - it has its own remote connection methods (called "remoting" IIRC) that create an authenticated secure tunnel to the target machine, more like SSH (except predictably more fiddly and less useful).

      So basically, telnet's a historical curiosity on most Windows machines, often only enabled because a badly architected bit of software has decided to use it... This vulnerability is like finding out that the British Army's cannon carriages can't be harnessed to some breeds of horse. ;-)

      1. Robert Helpmann??
        Childcatcher

        Re: Please help a penguin

        Powershell has changed that somewhat, but it doesn't use telnet - it has its own remote connection methods (called "remoting" IIRC) that create an authenticated secure tunnel to the target machine, more like SSH (except predictably more fiddly and less useful).

        PowerShell uses the Windows Remote Management service to manage communication and authentication. One of its benefits is that it provides a single, consistent(ish) framework from which to work as opposed to the collection of third-party tools many of us who do a lot of Windows scripting have built up over the years. It is a pain to have to relearn command line scripting, though. As far as your comparison with SSH, your mileage may vary, but I haven't had problems with either.

        Here's a link to a decent article concerning PowerShell Remoting.

      2. MacroRodent

        Re: Please help a penguin

        You're right, telnet has no place on modern systems unless you have a need to leak credentials.

        Telnet is quite OK in a closed network where you have no need to secure communications. In this case its simplicity and low overhead is an asset. But naturally no telnet port should be open to the internet, not even to the company intranet.

        1. Anonymous Coward
          Anonymous Coward

          Re: Please help a penguin

          Tell that to the printer makers.

        2. Anonymous Coward
          Anonymous Coward

          Re: Please help a penguin

          >Telnet is quite OK in a closed network where you have no need to secure communications. In this case its simplicity and low overhead is an asset.

          Indeed. Unfortunately paranoia is the rule these days and people seem to think a password sniffer is lurking under every router even on an isolated and controlled network.

          Also telnet as a *client* is *extremely* useful as it allows debugging and checking of text based network protocols such as FTP, SMTP, NNTP, HTTP etc and the use of online muds & talkers. Anyone who says the telnet client no longer has any use has clearly never done any network development or admin.

        3. Michael Wojcik Silver badge

          Re: Please help a penguin

          Telnet is quite OK in a closed network where you have no need to secure communications.

          Or if you secure it. Telnet over TLS, Telnet with STARTTLS, Telnet with Kerberos authentication, Telnet with SRP, Telnet over point-to-point VPN...

          Hell, you can run Telnet over an SSH tunnel, which is damned useful if you need any of the Telnet features that SSH doesn't provide, such as TN3270.

          Certainly there are infelicities with the Telnet protocol. It's a right pain to implement (I've done two Telnet server implementations), with its rather ornate negotiation process and in-band signalling. But it's very flexible and capable of many things that aren't part of SSH (and while they can be bolted on by adding another protocol layer, there's no standard for them).

          And, of course, as boltar (I think) mentioned, using the telnet client as a quick-and-dirty TCP bytestream client for development and testing purposes is a time-honored tradition. Sure, you can do the same with eg netcat, but telnet is widely available.

          (The willingness of Reg commentators to boldly display their ignorance in threads like this would be impressive, if it weren't so common everywhere online.)
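The in-band signalling mentioned in the comment above, as an added example that is not part of the original thread: a minimal Python splitter that separates Telnet data bytes from IAC command sequences (RFC 854) and bounds subnegotiation length. The function name, the 512-byte cap and the sample bytes are constructed for illustration, and nothing here describes how the Windows Telnet service itself parses input.

```python
# Telnet command bytes from RFC 854
IAC, SE, SB = 255, 240, 250
NEGOTIATION = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}
MAX_SUBNEG = 512  # assumed cap; an unbounded buffer here is a classic parser bug

def split_telnet(stream: bytes):
    """Return (data, events, leftover) for one received buffer.

    leftover is an incomplete trailing sequence that the caller must
    prepend to the next read instead of guessing at its meaning.
    """
    data, events = bytearray(), []
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:                # ordinary data byte
            data.append(stream[i])
            i += 1
            continue
        if i + 1 >= n:                      # lone IAC at end of buffer
            return bytes(data), events, stream[i:]
        cmd = stream[i + 1]
        if cmd == IAC:                      # IAC IAC is an escaped 0xFF data byte
            data.append(IAC)
            i += 2
        elif cmd in NEGOTIATION:            # IAC WILL/WONT/DO/DONT <option>
            if i + 2 >= n:
                return bytes(data), events, stream[i:]
            events.append((NEGOTIATION[cmd], stream[i + 2]))
            i += 3
        elif cmd == SB:                     # IAC SB <option> ... IAC SE
            j, payload = i + 2, bytearray()
            while True:
                if j >= n or (stream[j] == IAC and j + 1 >= n):
                    return bytes(data), events, stream[i:]
                if stream[j] == IAC:
                    if stream[j + 1] == SE:
                        break
                    if stream[j + 1] != IAC:
                        raise ValueError("bad IAC inside subnegotiation")
                    j += 1                  # skip the escape, keep one 0xFF
                payload.append(stream[j])
                j += 1
                if len(payload) > MAX_SUBNEG:
                    raise ValueError("subnegotiation too long")
            events.append(("SB", bytes(payload)))
            i = j + 2
        else:                               # two-byte command such as NOP
            events.append(("CMD", cmd))
            i += 2
    return bytes(data), events, b""

# Constructed sample: DO TERMINAL-TYPE, a prompt, a subnegotiation,
# data containing an escaped 0xFF, then a WILL cut off mid-sequence.
SAMPLE = (bytes([255, 253, 24]) + b"login: " + bytes([255, 250, 24, 1, 255, 240])
          + b"a\xff\xffb" + bytes([255, 251]))
```
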

      3. Michael Wojcik Silver badge

        Re: Please help a penguin

        You're right, telnet has no place on modern systems unless you have a need to leak credentials.

        What rubbish.

        There are plenty of cryptographically-secured versions of telnet, including two different TLS modes (Telnet-over-TLS and STARTTLS) and SRP. SRP is considerably more secure than SSH under some threat models, since it uses a ZKP proof-of-identity, and TLS can be more secure than SSH under some threat models.

        And then, of course, there are those "modern systems" that use TN3270 and TN5250...

    3. diodesign (Written by Reg staff) Silver badge

      Re: Please help a penguin

      It's here.

      Imagine you're not insane, and you're running a Telnet service on Windows so some equipment can communicate with software running on the server over port 23, or a user can connect and request information rather than run commands. You can change the command interpreter to something non-cmd.exe - anything you like.

      Now along comes a bug that allows you to execute arbitrary code via the server, even though you configured it to be a controlled environment. I'm talking legacy stuff here.

      Alternatively, according to Microsoft, "if you use NTLM authentication, then your user name and password are encrypted." But commands / data sent over are in plaintext and can be modified by an attacker.

      It's not a world-ending bug; it's just wryly amusing that an RCE in Telnet has to be fixed in 2015.

      C.

      1. Anonymous Coward
        Anonymous Coward

        Re: Please help a penguin

        Kinda like flaws in Bash etc that have been there unknowingly for 20+ years

        1. Flocke Kroes Silver badge

          Very different from shellshock

          There were cgi-scripts written in bash. The most obvious one converted man pages to html. Doing a Google search for almost any unix command would give a list of servers hosting man-pages and half of them would be using bash. The barrier to entry (knowledge of bash and cgi) was so low that there were thousands of people playing with it. IIRC within two days over 44000 different attack scripts had been detected - and that is just the people foolish enough to leave a trail across the internet. What is more, http was not the only service using bash in an exploitable manner.

          AFAIK, there are nothing like the number of target machines for this Windows/telnet exploit. I would hope that the majority of people able to enable telnet on a Windows machine know why it is a bad idea, would only enable it as a last resort, would prevent access to it from the internet and not advertise the service so it could be found with a simple web search. Even then, it looks like exploiting the vulnerability requires considerably more than noddy level understanding of bash and cgi.

          Many penguinistas used to think that it was safe to allow remote execution of a carefully written bash script. No-one with a clue ever trusted telnet - which is why I found the idea of a security patch for it so surprising.

    4. Phil O'Sophical Silver badge

      Re: Please help a penguin

      The idea that telnet could be secured

      Well, while it's not the world's greatest protocol, it can be secured, "telnet -x" will negotiate an authenticated and encrypted connection. I've never seen anyone do it, though.

    5. Anonymous Coward
      Anonymous Coward

      Re: Please help a penguin

      "Are you running a Telnet server on Windows"

      God no. That's what Powershell is for. It's like an advanced *NIX shell such as PASH, but more powerful and more secure.

      1. Anonymous Coward
        Anonymous Coward

        Re: Please help a penguin

        "It's like an advanced *NIX shell such as PASH"

        You keep repeating this dross, but what is PASH and who uses it? I'm a 'nix sysadmin but I have no idea what you are on about.

        1. Anonymous Coward
          Anonymous Coward

          Re: Please help a penguin

          "You keep repeating this dross, but what is PASH and who uses it? I'm a 'nix sysadmin but I have no idea what you are on about."

          More commonly known as PSH. http://gnp.github.io/psh/

  2. Anonymous Coward
    Mushroom

    Re: first Patch Tuesday in many months that didn't bring with it multiple security fixes for IE

    Knowing which day of the month it was when reaching the office this morning I went straight up to Windows Server Update Services to see what's up without bothering to read my morning news and I very genuinely thought that something was borked or that perhaps Microsoft forgot to roll out several packages when the typical barrage of "Cumulative Security Update for Internet Explorer 8/9/10/11 for Windows x86/64" was absent from the list of updates pending approval.

    I'm shocked. Shocked I say!

    1. Anonymous Coward
      Anonymous Coward

      Re: first Patch Tuesday in many months that didn't bring with it multiple security fixes for IE

      Well I hope that's all you did and didn't actually update anything. Unless you're one of the guinea pigs others rely on to find the bugs in the update before updating their own systems.

      Only nine flaws in flash? Either they mean since the day before yesterday or they're saving some for later. If it's the latter they needn't bother, they'll find more soon enough.

      1. Anonymous Coward
        Anonymous Coward

        Re: first Patch Tuesday in many months that didn't bring with it multiple security fixes for IE

        With two vulnerabilities already disclosed and POCs available "thanks" to Google? When and if you patch a system depends on what risks are more acceptable to you - rolling back a patch or get a system compromised....

        1. Anonymous Coward
          Anonymous Coward

          Re: first Patch Tuesday in many months that didn't bring with it multiple security fixes for IE

          With two vulnerabilities already disclosed and POCs available "thanks" to Google

          I know, it's disgusting that it's come to this - the vendors should move faster fixing their flaws.

          1. Danny 14

            Re: first Patch Tuesday in many months that didn't bring with it multiple security fixes for IE

            isn't it nice that google reports faults for MS to fix but blatantly say they aren't going to fix WebView exploits (even though it can be put into android 5)?

          2. BristolBachelor Gold badge
            Facepalm

            Re: first Patch Tuesday in many months that didn't bring with it multiple security fixes for IE

            "I know, it's disgusting that it's come to this - the vendors should move faster fixing their flaws."

            MS probably had fixed the flaws, but were just waiting for the right day of the month to release them (WTF!?).

            I'm sure it sucks to be kicked in the nuts by Google, but hopefully it means that the next fixes won't take longer than 90 days to be released. As an aside how long do the bad guys sit on a bug before exploiting it?

        2. Anonymous Coward
          Anonymous Coward

          Re: first Patch Tuesday in many months that didn't bring with it multiple security fixes for IE

          >rolling back a patch or get a system compromised

          It is not unheard of for AVs to brick an updated system not the fault of MS but that's irrelevant, it happens.

          Also if someone relies on MS to secure their environment then maybe they shouldn't be a sysadmin

          I would have been slightly impressed if you'd mentioned applying the updates on a test environment first but apparently that doesn't seem to have crossed your mind, update and be damned seems to be the order of the day. Blindly applying patches out of panic is never a good policy.

  3. jason 7

    Adobe Air....

    ...anyone?

    Haven't installed this for years and the world still keeps turning. Am I missing anything?

    1. Michael Wojcik Silver badge

      Re: Adobe Air....

      I had to install it on one of my machines for something, years ago. Removed it the other day when I noticed it was still there and couldn't remember what required it.

      No doubt there are some applications out there, just as for Silverlight and the like, but the HTML/CSS/Javascript hegemony seems to have pretty much killed the other RIA runtimes.

  4. Anonymous Coward
    Anonymous Coward

    Running telnet will be the norm soon if David Camoron has his way.

    No encryption on anything that could be used for communication.

  5. Alan J. Wylie

    Telnet server open to the Internet

    http://www.blinkenlights.nl/services.html

    telnet towel.blinkenlights.nl

    telnet towel.blinkenlights.nl 666

  6. JustNiz

    More evidence that Microsoft have finally caught up to the 1980's

    I hear they're finally going to implement multiple desktops in the next Windows.

    At this new increased rate of progress they might even get rid of the registry as soon as 2035.

    1. Ken Hagan Gold badge

      Re: More evidence that Microsoft have finally caught up to the 1980's

      Poor choice of target, since NT 3.1 had multiple desktops back in 1993. The fact that MS have never bothered to make it a standard feature of their shell simply reflects how useless the feature is. (Multiple monitors are useful. Multiple desktops on a single monitor are no more useful than the ability to minimise a window. I tend to switch the feature off on my Linux desktops, since for me the only effect of leaving it on is that I can have all my screen contents disappear if I accidentally hit the wrong key combination.)

      1. PC Paul

        Re: More evidence that Microsoft have finally caught up to the 1980's

        I regularly use a dual monitor setup with four desktops (for which I use Desktops.exe from Sysinternals - it's simple, free and it works).

        It's really useful to be able to do a complete context switch from a sysadmin desktop to a development desktop to a testing desktop to a writing reports desktop in one click, with a pile of windows open on each.

        More screen space = better.

  7. Michael Wojcik Silver badge

    Telnet server for Windows

    ... has been available since NT 4, if memory serves, as an optional Windows component. It certainly wasn't introduced with Vista. It might have been part of Services for UNIX in earlier Windows releases.
