[原文]Information disclosure vulnerability in Microsoft Windows 2000 telnet service allows remote attackers to determine the existence of user accounts such as Guest, or log in to the server without specifying the domain name, via a malformed userid.
Microsoft Windows 2000 telnet service存在信息泄露漏洞。远程攻击者可以借助畸形userid确定用户账户如Guest的删存，或登录未指定域名的服务器。
Microsoft has released a patch for Windows 2000 Advanced Server, Professional and Server which rectifies this issue. Microsoft has advised that Windows 2000 Datacenter Server patches are hardware specifice and should be obtained by the original equipment manufacturer. Microsoft Windows 2000 Professional
Microsoft Windows Telnet Service Account Information Disclosure
Remote / Network Access
Loss of Confidentiality
The Microsoft Windows 2000 Telnet service contains a flaw that may allow a malicious user to access accounts which should not be accessible. The issue is triggered when a special set of characters is used as a prefix to the username supplied (in place of a domain name). This flaw causes the service to search the domain, and any trusted domains, for the specified user. It is possible that the flaw may allow an attacker to authenticate from normally inaccessible common domain accounts such as the guest account. This flaw may result in an attacker gaining telnet access via an exposed account as described above.
Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.