Unauthenticated Windows CE Telnet Service Vulnerable Configuration

Since this is a Windows CE configuration issue, and not a software vulnerability, I am releasing this information publicly so that software developers can be aware of the issue.

Tonight I stumbled on a quite scary Shodan search which I'd like to share with everyone.

Windows CE Telnet Service

What is the Windows CE Telnet Service?

Apparently Windows CE has a built-in telnet service for debugging applications, as outlined in this MSDN blog post.

Now the truly scary part about all this is that the telnet server has the ability to disable authentication requirements.


When you do disable the authentication requirements (for debugging purposes only of course), you're greeted with an administrator level command prompt as soon as you connect with telnet.

From there you can perform all sorts of fun things, like restart the device or access any locally stored file - pretty much any command which is typically available at a Windows command line.

Despite the fact that this was only intended for debugging purposes, Shodan found 892 public-facing systems with this vulnerability. Who knows how many thousands more reside behind corporate firewalls, with organizations completely unaware that their devices with embedded Windows are vulnerable to attack.

Vulnerable Windows CE Telnet Services
Clearly, some embedded Windows developers have accidentally left this setting enabled prior to shipping their devices. One thing which really stands out is that some of the vulnerable systems are KVMs, meaning that should the KVM be compromised, the attacker will have control of all connected systems, and be able to install a keylogger to capture all usernames/passwords. Since KVMs do not typically have antivirus installed, this activity may never be noticed.
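For auditing your own device inventory, the sketch below (an added example, not code from the original post) classifies telnet banners already captured by an asset scan, separating Windows CE services that ask for a login from ones that drop straight to a command prompt. The sample banners are constructed, and the assumption that the shell prompt ends in `>` and that an authenticated service ends its banner with a login or password prompt is mine.

```python
import re

IAC, SB, SE = 255, 250, 240            # RFC 854 command bytes
NEGOTIATE = (251, 252, 253, 254)       # WILL, WONT, DO, DONT

def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop RFC 854 option negotiation so only the service's text remains."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= n:
            break                                  # capture ended mid-command
        elif data[i + 1] == IAC:
            out.append(IAC)                        # escaped literal 0xFF
            i += 2
        elif data[i + 1] in NEGOTIATE:
            i += 3                                 # IAC <verb> <option>
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end == -1 else end + 2        # skip subnegotiation block
        else:
            i += 2                                 # other two-byte commands
    return bytes(out)

# Assumption: a service that enforces authentication ends with one of these.
LOGIN_RE = re.compile(r"(login|user ?name|password)\s*:$", re.I)

def classify_banner(raw: bytes) -> str:
    text = strip_telnet_negotiation(raw).decode("ascii", "replace").rstrip()
    if "Windows CE Telnet Service" not in text:
        return "not-windows-ce"
    if LOGIN_RE.search(text):
        return "auth-required"
    if text.endswith(">"):                         # assumed shell prompt
        return "unauthenticated-shell"
    return "unknown"

# Constructed sample banners (not real captures).
OPEN = (b"\xff\xfd\x18\xff\xfb\x01Welcome to the Windows CE Telnet Service "
        b"on DEVICE01\r\n\r\nPocket CMD v 6.00\r\n\\> ")
LOCKED = (b"\xff\xfb\x01Welcome to the Windows CE Telnet Service "
          b"on DEVICE02\r\n\r\nlogin: ")
OTHER = b"\xff\xfd\x01example-host login: "

if __name__ == "__main__":
    for name, banner in (("OPEN", OPEN), ("LOCKED", LOCKED), ("OTHER", OTHER)):
        print(name, classify_banner(banner))
```

Any device reported as `unauthenticated-shell` should have telnet authentication re-enabled or the service removed before it ships or stays on the network.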

As I dive deeper into Shodan, I hope to bring more interesting vulnerabilities like this one to light.  Stay tuned!
