[23221] in bugtraq


CITRIX & Microsoft Windows Terminal Services False IP Address Vulnerability

daemon@ATHENA.MIT.EDU (Pedro Quintanilha)
Wed Nov 21 21:04:23 2001

Date: Wed, 21 Nov 2001 09:43:52 -0200
Message-ID: <50CD784089E8B04A8F57C51AB16C93D71A7D7F@EXNEA01.gabril.com.br>
From: "Pedro Quintanilha" <PQuintanilha@abril.com.br>
To: <vuldb@securityfocus.com>
Cc: <bugtraq@securityfocus.com>



Like MS Terminal Services, CITRIX Metaframe 1.8 (and other versions, I
suppose) also logs only the IP address reported by the client.

The log, made on Windows NT Event Log, looks like this:


========================================================================
Time: Wed Nov 21 09:37:00 2001
User: MARCUS   Agent: metaframe2
Source: Security   ID: 528   Type: Success Audit
Successful Logon:
	User Name:	MARCUS
	Domain:		NTDOMAIN
	Logon ID:		(0x2,0x2959446E)
	Logon Type:	2
	Logon Process:	User32  
	Authentication Package:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
	Workstation Name:	WTS2
	WinStation:	ICA-tcp#245
	Session ID:	245
	Client Name:	STATION2
	Client Address:	192.168.0.44
========================================================================


In an incident investigation this is a problem for tracing back the
suspects.


_________________________________
Pedro Quintanilha
Information Security
Editora Abril s/a
+55-11-3037-4297
pquintanilha@abril.com.br
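
An added example, not part of the original post: because the Client Address in event 528 is whatever the client reports, one way to corroborate it is to match the logon time against connections that a network device actually observed reaching the ICA listener. The connection-log format, the 10.x addresses, the two-minute window and the use of TCP 1494 (the default ICA port) are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Event 528 record in the layout quoted in the post, abridged to the fields used.
EVENT_528 = """\
Time: Wed Nov 21 09:37:00 2001
Source: Security   ID: 528   Type: Success Audit
Successful Logon:
\tWinStation:\tICA-tcp#245
\tClient Name:\tSTATION2
\tClient Address:\t192.168.0.44
"""

# Constructed sample of accepted connections recorded by a device in front of
# the server. The line format and the 10.x addresses are hypothetical.
CONN_LOG = """\
2001-11-21 09:12:03 ACCEPT src=192.168.0.44 dst=10.0.0.5 dport=1494
2001-11-21 09:36:41 ACCEPT src=10.20.30.40 dst=10.0.0.5 dport=1494
2001-11-21 09:36:50 ACCEPT src=10.20.30.41 dst=10.0.0.5 dport=80
"""

ICA_PORT = 1494  # default ICA listener port (assumed unchanged on this server)

def parse_event(text):
    """Return the 'Key: value' fields of an event record as a dict."""
    pairs = re.findall(r"^[ \t]*([^:\n]+):[ \t]*(\S.*?)[ \t]*$", text, re.M)
    return {key.strip(): value for key, value in pairs}

def observed_sources(conn_log, logon_time, window, port=ICA_PORT):
    """Source IPs that connected to `port` within `window` before the logon."""
    sources = []
    pattern = r"^(\S+ \S+) ACCEPT src=(\S+) dst=\S+ dport=(\d+)$"
    for stamp, src, dport in re.findall(pattern, conn_log, re.M):
        seen = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if int(dport) == port and timedelta(0) <= logon_time - seen <= window:
            sources.append(src)
    return sources

def corroborate(event_text, conn_log, window=timedelta(minutes=2)):
    """Compare the client-reported address with network-observed sources."""
    event = parse_event(event_text)
    logon_time = datetime.strptime(event["Time"], "%a %b %d %H:%M:%S %Y")
    claimed = event["Client Address"]
    observed = observed_sources(conn_log, logon_time, window)
    return {"claimed": claimed, "observed": observed,
            "corroborated": claimed in observed}

if __name__ == "__main__":
    print(corroborate(EVENT_528, CONN_LOG))
```

A mismatch does not by itself prove spoofing, since a client behind NAT reports its local address; it tells the investigator to take the network-observed sources, not the event log field, as the starting point for trace-back.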

