Bugtraq mailing list archives

CITRIX & Microsoft Windows Terminal Services False IP Address Vulnerability


From: "Pedro Quintanilha" <PQuintanilha () abril com br>
Date: Wed, 21 Nov 2001 09:43:52 -0200



Like MS Terminal Services, CITRIX Metaframe 1.8 (and other versions, I
suppose) also only logs the IP reported by the client.

The log, made on Windows NT Event Log, looks like this:


========================================================================
Time: Wed Nov 21 09:37:00 2001
User: MARCUS   Agent: metaframe2
Source: Security   ID: 528   Type: Success Audit
Successful Logon:
        User Name:      MARCUS
        Domain:         NTDOMAIN
        Logon ID:               (0x2,0x2959446E)
        Logon Type:     2
        Logon Process:  User32  
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:       WTS2
        WinStation:     ICA-tcp#245
        Session ID:     245
        Client Name:    STATION2
        Client Address: 192.168.0.44
========================================================================


In an incident investigation this is a problem for tracing back the
suspects.


_________________________________
Pedro Quintanilha
Information Security
Editora Abril s/a
+55-11-3037-4297
pquintanilha () abril com br
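
A defensive cross-check for the logging gap described in this post, added here as an example and not part of the original message: it parses an event 528 record in the layout quoted above and compares the client-reported Client Address with the source addresses a network device saw connecting to the ICA port. The firewall log format, the addresses in FLOWS, the five-minute window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

ICA_PORT = 1494  # default Citrix ICA TCP port

# Constructed sample in the layout of the record quoted in the post.
EVENT = """\
Time: Wed Nov 21 09:37:00 2001
Source: Security   ID: 528   Type: Success Audit
Successful Logon:
        User Name:      MARCUS
        Client Address: 192.168.0.44
"""

# Constructed sample; hypothetical firewall log format: time src dst dport.
FLOWS = """\
2001-11-21T09:36:41 10.20.30.77 10.1.1.5 1494
2001-11-21T09:12:03 192.168.0.44 10.1.1.5 80
"""

def parse_logon(text):
    """Extract the fields of a 528 record; 'Client Address' is client-reported."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    event_id = re.search(r"Source:.*\bID:\s*(\d+)", text)
    if not event_id or event_id.group(1) != "528":
        raise ValueError("not a logon (528) record")
    fields["when"] = datetime.strptime(fields["Time"], "%a %b %d %H:%M:%S %Y")
    return fields

def observed_sources(flows, when, window=timedelta(minutes=5)):
    """Source IPs the network saw reaching the ICA port shortly before logon."""
    seen = set()
    for line in flows.splitlines():
        ts, src, _dst, dport = line.split()
        t = datetime.fromisoformat(ts)
        if int(dport) == ICA_PORT and when - window <= t <= when:
            seen.add(src)
    return seen

def check_logon(event_text, flows):
    logon = parse_logon(event_text)
    claimed = logon["Client Address"]
    observed = observed_sources(flows, logon["when"])
    return {"user": logon["User Name"], "claimed": claimed,
            "observed": observed, "corroborated": claimed in observed}
```

A `corroborated` value of `False` means only that the logged address has no matching network-layer record; address translation between client and server or clock skew between the two logs also produces a mismatch.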

