{"vuid":"VU#573155","idnumber":"573155","name":"Microsoft Windows 2000 Telnet Service searches all trusted domains for user accounts","keywords":["Microsoft Windows 2000","telnet service","trusted domains","crafted username","guest account","MS01-031","MS01-026"],"overview":"The Microsoft Windows 2000 Telnet Service contains a vulnerability that allows remote attackers to log in using domain accounts without providing a specific domain name.","clean_desc":"The Microsoft Windows 2000 Telnet Service allows users to establish connections using either local accounts or Windows domain accounts. Connections made using a domain account require a username of the form \"domain\\user\" to distinguish them from local accounts. The Telnet Service contains an access control vulnerability that causes the server to search all trusted domains for a matching domain account when the \"domain\" portion of the username contains a certain wildcard value. Once a matching domain account is found, the user must provide a correct password to gain access. This vulnerability requires the attacker to provide a correct password, so the most likely accounts to be targeted are those that contain a well-known username and default password. For example, if any of the domains trusted by the server contain an enabled Guest account with a default (null) password, the Telnet Service will use that account to log the user in as \"Domain\\Guest\".","impact":"This vulnerability allows remote users to log in using a domain account without fully specifying the domain. This may result in either unauthorized terminal access or information leakage.","resolution":"Apply a patch from your vendor. Microsoft has released a patch for this vulnerability; for further information, please consult the systems affected section below.","workarounds":"Disable Telnet Service. Sites that do not require the Windows 2000 Telnet Service may disable it to prevent exploitation of this vulnerability.","sysaffected":"","thanks":"","author":"This document was written by Jeffrey P. Lanza and is based on information provided by Microsoft.","public":["http://www.kb.cert.org/vuls/id/137544","http://www.microsoft.com/technet/security/bulletin/MS01-031.asp","http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30508","http://www.securityfocus.com/bid/2847"],"cveids":["CVE-2001-0347"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2001-06-12T20:13:10Z","publicdate":"2001-06-07T00:00:00Z","datefirstpublished":"2001-09-18T22:15:36Z","dateupdated":"2001-09-18T23:27:01Z","revision":18,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"10","cam_internetinfrastructure":"5","cam_population":"15","cam_impact":"4","cam_easeofexploitation":"15","cam_attackeraccessrequired":"20","cam_scorecurrent":"10.125","cam_scorecurrentwidelyknown":"11.8125","cam_scorecurrentwidelyknownexploited":"15.1875","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":10.125,"vulnote":null}