Re: Xato Advisory: Win2k/XP Terminal Services IP Spoofing
From: sozni (sozni@XATO.NET)
Date: 11/21/01
- In reply to: Woodrick, Ed: "Re: Xato Advisory: Win2k/XP Terminal Services IP Spoofing"
Message-ID: <NTBUGTRAQ%2001112313520077@LISTSERV.NTBUGTRAQ.COM>
Date: Wed, 21 Nov 2001 10:59:54 GMT
From: sozni <sozni@XATO.NET>
Subject: Re: Xato Advisory: Win2k/XP Terminal Services IP Spoofing
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I wanted to clarify some points brought up here:
On Tue, 20 Nov 2001 17:02:36 -0500, Woodrick, Ed wrote:
>I believe that this is somehow related to another bug. When a user logs
>on, it is possible for another user to hit keys on the keyboard or even
>move the cursor and make mouse clicks. This can lead to disastrous loss
>of data.
I wouldn't call that a bug; it is the remote control feature and can
be disabled (and is disabled by default). Regardless, it has nothing
to do with the IP address of the client.
>OTOH, the field is labeled "Client Address" It is not labeled "Address
>of the client or the last NAT that the client goes through" In my book,
>to change the value of the field would make it incorrect.
Nonetheless, it should use an address that is correct for the
internet. A private internal address is not a valid IP address on
the internet. If the terminal server was inside the same network,
that would be ok. If the client is connecting to a public terminal
server, it should use the same IP address used in the TCP/IP stack.
Can you imagine if your IIS web logs showed a bunch of addresses like
192.168.0.x and 10.x.x.x for everyone who connected from a NAT'd IP
address? Such logging would be completely useless and prone to abuse,
not to mention that it exposes information about the internal network
structure of the client.
>While I'm sure that the client address can be spoofed by modifying the
>Terminal Server Client, as far as I can tell, the current client can not
>be made to spoof the address
The client does not need to be modified to spoof the IP address. It
will use whatever IP address is assigned to your NIC. If you
configure your router correctly, you can use almost any IP address
you want. Therefore, the current client indeed can be used to spoof
the address.
> therefore I say that the function is performing EXACTLY as
> specified.
Which is precisely the problem. The server asks the client for its
IP address and the client returns EXACTLY that. However, that exact
IP address doesn't help the server any and defeats the purpose of
having a NAT'd connection. It's like asking someone where they are
and they respond with "I am right here." Sure, this person is
exactly responding to the question with the location as they see it,
but where exactly is "here?"
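
The following is an added example, not part of the original message or of any Microsoft tooling: a log-audit check that treats the client-reported address as untrusted and compares it with the source address of the TCP connection, which is the value the message argues should be logged. The record layout, the function names and the verdict labels are assumptions, and the session records are constructed sample data.

```python
import ipaddress

# RFC 1918 private ranges, listed explicitly (ipaddress.is_private also
# covers documentation and other special-purpose ranges).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (hypothetical layout):
# (session id, address reported by the client, TCP source address seen by the server)
SAMPLE_SESSIONS = [
    ("s1", "203.0.113.10", "203.0.113.10"),   # direct connection, values agree
    ("s2", "192.168.0.12", "198.51.100.7"),   # NAT'd client reports its internal address
    ("s3", "198.51.100.99", "203.0.113.55"),  # reported public address is not the peer
    ("s4", "not-an-ip", "203.0.113.60"),      # malformed client-supplied value
]

def classify(reported: str, peer: str) -> str:
    """Compare the client-supplied address with the transport-layer peer address."""
    peer_ip = ipaddress.ip_address(peer)  # taken from the server's own socket
    try:
        rep_ip = ipaddress.ip_address(reported)
    except ValueError:
        return "invalid-reported"
    if rep_ip == peer_ip:
        return "consistent"
    if any(rep_ip in net for net in RFC1918):
        return "nat-internal"   # private address, meaningless outside the client's LAN
    return "mismatch"           # client claims a public address it did not connect from

def audit(sessions):
    """Return (session id, address to log, verdict); the logged address is always the peer."""
    return [(sid, peer, classify(rep, peer)) for sid, rep, peer in sessions]

if __name__ == "__main__":
    for row in audit(SAMPLE_SESSIONS):
        print(*row)
```
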