CITRIX & Microsoft Windows Terminal Services False IP Address Vulnerability

From: Pedro Quintanilha (PQuintanilhaat_private)
Date: Wed Nov 21 2001 - 03:43:52 PST


    Like MS Terminal Services, CITRIX Metaframe 1.8 (and other versions, I
    suppose) also only logs the IP informed by the client.
    
    The log, made on Windows NT Event Log, looks like this:
    
    
    ========================================================================
    Time: Wed Nov 21 09:37:00 2001
    User: MARCUS   Agent: metaframe2
    Source: Security   ID: 528   Type: Success Audit
    Successful Logon:
    	User Name:	MARCUS
    	Domain:		NTDOMAIN
    	Logon ID:		(0x2,0x2959446E)
    	Logon Type:	2
    	Logon Process:	User32  
    	Authentication Package:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    	Workstation Name:	WTS2
    	WinStation:	ICA-tcp#245
    	Session ID:	245
    	Client Name:	STATION2
    	Client Address:	192.168.0.44
    ========================================================================
    
    
    In an incident investigation this is a problem for tracing back the
    suspects.
    
    
    _________________________________
    Pedro Quintanilha
    Information Security
    Editora Abril s/a
    +55-11-3037-4297
    pquintanilhaat_private
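
Because the Client Address in event 528 is whatever the client reports, an investigator can treat it as a claim and check it against connections recorded on the network side. The following is an added example, not part of the original post; the connection-record format, the addresses 10.1.7.23 and 10.1.7.99, and the five-minute window are assumptions, and 1494 and 3389 are the default ICA and RDP listener ports.

```python
import re
from datetime import datetime, timedelta

# Event 528 fields from the post (whitespace normalized).
EVENT_528 = """\
Time: Wed Nov 21 09:37:00 2001
Source: Security   ID: 528   Type: Success Audit
    User Name:      MARCUS
    WinStation:     ICA-tcp#245
    Client Name:    STATION2
    Client Address: 192.168.0.44
"""

# Constructed sample: inbound TCP connections to the server as recorded by a
# network device (hypothetical format: time, source IP, destination port).
CONNECTIONS = [
    ("2001-11-21 09:12:10", "192.168.0.44", 1494),
    ("2001-11-21 09:36:58", "10.1.7.23", 1494),
    ("2001-11-21 09:36:59", "10.1.7.99", 80),
]
REMOTE_PORTS = {1494, 3389}  # default ICA and RDP listener ports


def field(text, name):
    """Return the value of one 'Name: value' line, or None if absent."""
    m = re.search(rf"^[ \t]*{re.escape(name)}:[ \t]*(.*?)[ \t]*$", text, re.M)
    return m.group(1) if m else None


def assess(event_text, connections, window=timedelta(minutes=5)):
    """Compare the client-reported address with network-observed sources."""
    logon = datetime.strptime(field(event_text, "Time"), "%a %b %d %H:%M:%S %Y")
    claimed = field(event_text, "Client Address")
    observed = sorted({
        src for ts, src, port in connections
        if port in REMOTE_PORTS
        and timedelta(0) <= logon - datetime.strptime(ts, "%Y-%m-%d %H:%M:%S") <= window
    })
    if not observed:
        verdict = "unverified"    # no network record: the address is only a claim
    elif claimed in observed:
        verdict = "corroborated"  # network data agrees with the logged address
    else:
        verdict = "mismatch"      # trace the observed sources, not the logged one
    return {"user": field(event_text, "User Name"), "claimed": claimed,
            "observed": observed, "verdict": verdict}


print(assess(EVENT_528, CONNECTIONS))
```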
    


