gavz/hfwintelnet

Microsoft Telnet Server MS-TNAP Authentication Bypass [RCE 0day]

A critical zero-click remote authentication bypass in Microsoft Telnet Server that lets an attacker obtain a session as any user, including Administrator, without valid credentials. The flaw lies in how the server's MS-TNAP extension configures NTLM authentication through SSPI, and it allows a remote, unauthenticated attacker to bypass authentication completely.

Summary

This repository contains a proof-of-concept (PoC) exploit for a critical authentication bypass in Microsoft Telnet Server's implementation of NTLM authentication over MS-TNAP. The vulnerability affects Windows 2000 through Windows Server 2008 R2 and yields a complete authentication bypass through manipulation of the mutual-authentication exchange.

The exploit tricks the server into accepting the client as Administrator without valid credentials, abusing a fundamental flaw in how the Windows Telnet Server handles mutual authentication.

IMPORTANT: No patch is available for this vulnerability. System administrators should disable the Telnet Server service immediately on all affected Windows systems.

Vulnerability Details

The vulnerability stems from two issues in the Telnet server's SSPI configuration:

  1. The server acquires its NTLM credential handle with SECPKG_CRED_BOTH. That flag makes one handle usable for both inbound contexts (accepting a client) and outbound contexts (authenticating to a peer as a client); a server that only accepts logons needs SECPKG_CRED_INBOUND:

    AcquireCredentialsHandle(
        NULL,               // pszPrincipal: default principal of the service
        L"NTLM",            // pszPackage: NTLM security package
        SECPKG_CRED_BOTH,   // Vulnerable flag: inbound and outbound use of one handle
        NULL,               // pvLogonID
        NULL,               // pAuthData: no explicit identity
        NULL,               // pGetKeyFn
        NULL,               // pvGetKeyArgument
        &m_hCredential,     // receives the credential handle
        &tsExpiry           // receives the handle's expiry time
    )
  2. The server calls AcceptSecurityContext() with ASC_REQ_DELEGATE and ASC_REQ_MUTUAL_AUTH. ASC_REQ_MUTUAL_AUTH requests mutual authentication (each side proves its identity to the other), and ASC_REQ_DELEGATE requests that the server be allowed to build further contexts that impersonate the client toward other servers:

    AcceptSecurityContext(
        &m_hCredential,                                 // handle from the call above
        ((fDoNTLMAuthFirstTime) ? NULL : &m_hContext),  // NULL on the first leg, then the partial context
        &InBuffDesc,                                    // token received from the client
        ASC_REQ_REPLAY_DETECT |
        ASC_REQ_MUTUAL_AUTH |
        ASC_REQ_DELEGATE,       // Vulnerable flags
        SECURITY_NATIVE_DREP,   // data representation
        &m_hContext,            // receives the (partial) context
        &OutBuffDesc,           // token to send back to the client
        &fContextAttr,          // attributes actually granted
        &tsExpiry
    )

This combination lets an attacker invert the authentication relationship: the server ends up authenticating itself to the client rather than the client to the server, so the server-side credential check is bypassed entirely.

Exploitation

The exploit works by:

  1. Requesting mutual authentication with the AUTH_SERVER_TO_CLIENT and AUTH_HOW_MUTUAL modifiers set in the Telnet AUTHENTICATION option negotiation
  2. Supplying NULL-password credentials for the Administrator account in the client-side security context
  3. Setting specific SSPI flags so that the NTLM Type 1 (negotiate) message triggers the vulnerable server behaviour
  4. Sending a modified NTLM Type 3 (authenticate) message that the server accepts as legitimate
  5. Reversing the authentication relationship so that the server authenticates to the client, which completes the bypass

By sending these mutual-authentication packets and abusing the server's SSPI configuration, an attacker can bypass authentication to any account on the host.
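As an added example, not code from this repository or from the PoC author: the following Python decodes the Telnet AUTHENTICATION option (RFC 2941) from a captured byte stream and flags a client IS message that selects NTLM (authentication type 15) with both the AUTH_SERVER_TO_CLIENT and AUTH_HOW_MUTUAL modifier bits set, the request shape described in step 1 above. It also decodes the server's SEND list, so the same code shows both sides of the negotiation. The sample bytes are constructed by hand, not captured from the exploit; the authentication data following the type pair is a placeholder and does not follow the MS-TNAP inner format. Whether a legitimate Windows Telnet client also sets these modifiers depends on how it is configured, so treat a match as a hunting lead to correlate with the server's logon events rather than as proof of exploitation.

```python
"""Decode Telnet AUTHENTICATION (RFC 2941) subnegotiations and flag NTLM
requests for server-to-client mutual authentication.

Added example for this README; not the PoC's code.  Sample bytes below are
constructed by hand, not captured from the exploit.
"""

IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
OPT_AUTHENTICATION = 37                                  # RFC 2941 option code
AUTH_IS, AUTH_SEND, AUTH_REPLY, AUTH_NAME = 0, 1, 2, 3   # subnegotiation commands
AUTH_TYPE_NTLM = 15                                      # registered type used by MS-TNAP

# RFC 2941 modifier bits (second byte of an authentication-type-pair)
AUTH_SERVER_TO_CLIENT = 0x01      # AUTH_WHO_MASK; 0 = CLIENT_TO_SERVER
AUTH_HOW_MUTUAL = 0x02            # AUTH_HOW_MASK; 0 = ONE_WAY
INI_CRED_FWD_ON = 0x08
ENCRYPT_MASK = 0x14               # 0x04 USING_TELOPT, 0x10 AFTER_EXCHANGE


def split_subnegotiations(stream: bytes):
    """Yield (option, payload) for each IAC SB ... IAC SE in a Telnet stream.
    Doubled 0xFF bytes inside a subnegotiation are unescaped to one 0xFF
    (RFC 854); three-byte IAC WILL/WONT/DO/DONT commands are skipped."""
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            i += 1                                   # plain data byte
            continue
        if i + 1 >= n:
            break
        cmd = stream[i + 1]
        if cmd in (WILL, WONT, DO, DONT):
            i += 3
            continue
        if cmd != SB or i + 2 >= n:
            i += 2                                   # IAC IAC or another 2-byte command
            continue
        option, j, payload = stream[i + 2], i + 3, bytearray()
        while j < n:
            if stream[j] == IAC and j + 1 < n and stream[j + 1] == IAC:
                payload.append(IAC)                  # escaped 0xFF inside the data
                j += 2
                continue
            if stream[j] == IAC and j + 1 < n and stream[j + 1] == SE:
                j += 2
                break
            payload.append(stream[j])
            j += 1
        yield option, bytes(payload)
        i = j


def parse_auth_messages(stream: bytes):
    """Decode each AUTHENTICATION subnegotiation into a dict."""
    out = []
    for option, p in split_subnegotiations(stream):
        if option != OPT_AUTHENTICATION or not p:
            continue
        if p[0] == AUTH_SEND:                        # server: list of offered type pairs
            pairs = [(p[k], p[k + 1]) for k in range(1, len(p) - 1, 2)]
            out.append({"sub": "SEND", "pairs": pairs})
        elif p[0] in (AUTH_IS, AUTH_REPLY) and len(p) >= 3:
            out.append({"sub": "IS" if p[0] == AUTH_IS else "REPLY",
                        "auth_type": p[1], "modifier": p[2], "data": p[3:]})
        elif p[0] == AUTH_NAME:
            out.append({"sub": "NAME", "name": p[1:].decode("ascii", "replace")})
    return out


def describe_modifier(m: int) -> str:
    """Render a modifier byte with RFC 2941 names, e.g. 3 -> SERVER_TO_CLIENT|MUTUAL."""
    parts = ["SERVER_TO_CLIENT" if m & AUTH_SERVER_TO_CLIENT else "CLIENT_TO_SERVER",
             "MUTUAL" if m & AUTH_HOW_MUTUAL else "ONE_WAY"]
    if m & INI_CRED_FWD_ON:
        parts.append("INI_CRED_FWD_ON")
    enc = m & ENCRYPT_MASK
    if enc:
        parts.append({0x04: "ENCRYPT_USING_TELOPT", 0x10: "ENCRYPT_AFTER_EXCHANGE"}.get(enc, "ENCRYPT_%#x" % enc))
    return "|".join(parts)


def suspicious_ntlm_requests(client_stream: bytes):
    """Client IS messages selecting NTLM with SERVER_TO_CLIENT and MUTUAL both set."""
    wanted = AUTH_SERVER_TO_CLIENT | AUTH_HOW_MUTUAL
    return [m for m in parse_auth_messages(client_stream)
            if m["sub"] == "IS" and m["auth_type"] == AUTH_TYPE_NTLM
            and m["modifier"] & wanted == wanted]


# Constructed sample (not a capture).  Auth data bytes after the type pair are
# placeholders, not the MS-TNAP inner format.
SAMPLE_SERVER = bytes([IAC, DO, OPT_AUTHENTICATION,
                       IAC, SB, OPT_AUTHENTICATION, AUTH_SEND,
                       AUTH_TYPE_NTLM, AUTH_SERVER_TO_CLIENT | AUTH_HOW_MUTUAL,
                       AUTH_TYPE_NTLM, 0x00, IAC, SE])
SAMPLE_CLIENT = bytes([
    IAC, WILL, OPT_AUTHENTICATION,
    # benign: NTLM, CLIENT_TO_SERVER | ONE_WAY (modifier 0x00)
    IAC, SB, OPT_AUTHENTICATION, AUTH_IS, AUTH_TYPE_NTLM, 0x00, 0x01, 0x02, IAC, SE,
    # step-1 shape: NTLM, SERVER_TO_CLIENT | MUTUAL (0x03); data holds an escaped 0xFF
    IAC, SB, OPT_AUTHENTICATION, AUTH_IS, AUTH_TYPE_NTLM,
    AUTH_SERVER_TO_CLIENT | AUTH_HOW_MUTUAL, 0x00, 0x01, IAC, IAC, 0x02, IAC, SE,
    IAC, SB, OPT_AUTHENTICATION, AUTH_NAME]) + b"Administrator" + bytes([IAC, SE])


if __name__ == "__main__":
    for m in parse_auth_messages(SAMPLE_SERVER):
        print("server", m["sub"], [(t, describe_modifier(mod)) for t, mod in m["pairs"]])
    for hit in suspicious_ntlm_requests(SAMPLE_CLIENT):
        print("client IS NTLM", describe_modifier(hit["modifier"]), "-> review logon events")
```

To use it on real traffic, feed split_subnegotiations the reassembled client-to-server TCP payload of a port 23 session (for example from a pcap); the IAC escaping step matters because NTLM tokens routinely contain 0xFF bytes, and a parser that does not unescape them will mis-align the message boundaries.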

Usage

The PoC is provided as a standalone executable only (no source code) to limit the impact of this vulnerability. It is currently configured to work only against localhost or against domain-joined hosts in the same domain as the target system:

telnetbypass.exe <target_ip> [port]

Parameters:

  • target_ip: IP address of the target Windows Telnet Server
  • port: Optional telnet port (default: 23)

Example:

telnetbypass.exe 127.0.0.1

The client prompts "You are about to send your password information to a remote computer in %s zone. This might not be safe. Do you want to send anyway(y/n): ". Answering y triggers the exploit flow and bypasses authentication. The PoC connects to the target, exploits the vulnerability, and returns a telnet session with Administrator privileges.

Requirements:

  • Windows target with Telnet Server service running
  • Network connectivity to the target telnet port

Affected Systems

  • Windows 2000
  • Windows XP
  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008
  • Windows 7
  • Windows Server 2008 R2

Mitigation

No patch is available for this vulnerability, and every affected release (Windows 2000 through Windows 7 and Windows Server 2008 R2) is already past the end of Microsoft's extended support, so none should be expected. Organizations should:

  1. Immediately stop and disable the Telnet Server service (service name TlntSvr) on every affected host, and remove the Telnet Server feature where it was installed as an optional component
  2. Replace Telnet with a more secure alternative such as SSH
  3. Implement network filtering so that the Telnet port (TCP/23 by default) is reachable only from trusted clients and networks
  4. Use application control on managed endpoints to prevent unauthorized telnet clients from running; this does not stop an attacker's own client, so network filtering remains the control that matters for unmanaged sources

Responsible Disclosure

To give system administrators time to disable Telnet services, the source code for this exploit has been withheld; only a binary PoC has been released at this time.

Disclaimer

This PoC is provided for educational and defensive purposes only. The authors are not responsible for any misuse of this information. Use only on systems you have permission to test. This vulnerability was discovered and exploited by Hacker Fantastic, https://hacker.house.

References

  • RFC 2941: Telnet Authentication Option
  • [MS-TNAP]: Microsoft Telnet Server Authentication Protocol
  • [MS-NLMP]: NT LAN Manager (NTLM) Authentication Protocol

License

These files are available under an Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) license.
