15th Nov 2001 [SBWID-4859]
COMMAND
Eventlog deception
SYSTEMS AFFECTED
Windows 2000 (All service pack levels)
Windows XP
PROBLEM
Based on the Xato Network Security advisory at
[http://www.xato.net/reference/xato-112001-01.txt]:
Terminal Server records the client connection based not on the IP
address in the TCP header, but on the Remote Desktop Protocol
datagram, which includes the client name and IP.
Hence it is possible to fool the logs of the TSE server by modifying the
IP value passed in RDP.
SOLUTION
Nothing yet.
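Because the logged address comes from the RDP payload, it can be cross-checked against TCP connections recorded by an independent device such as a firewall in front of the server. The Python code below is an added example, not part of the Xato advisory or of this page's original text; the log layouts, field names and sample records are constructed assumptions, and 3389 is the default RDP port.

```python
from datetime import datetime, timedelta

RDP_PORT = 3389  # default Terminal Services listener port
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data (hypothetical layout, not taken from the advisory).
# Terminal Server entries: (time, client name, IP as reported inside RDP).
TS_LOG = [
    ("2001-11-15 10:00:05", "WORKSTATION1", "192.0.2.10"),
    ("2001-11-15 10:07:41", "LAPTOP7", "198.51.100.23"),
    ("2001-11-15 10:30:12", "ADMINPC", "192.0.2.99"),
]
# Firewall entries: (time, TCP source IP, destination port).
FW_LOG = [
    ("2001-11-15 10:00:03", "192.0.2.10", 3389),
    ("2001-11-15 10:07:39", "203.0.113.50", 3389),
    ("2001-11-15 10:30:10", "192.0.2.99", 80),  # same host, but not an RDP connection
]

def parse(ts):
    return datetime.strptime(ts, FMT)

def find_unconfirmed(ts_log, fw_log, window=timedelta(seconds=30)):
    """Return Terminal Server entries whose logged IP has no TCP connection
    to the RDP port from that address within `window` of the logged time."""
    rdp_conns = [(parse(t), src) for t, src, port in fw_log if port == RDP_PORT]
    findings = []
    for t, client, logged_ip in ts_log:
        when = parse(t)
        # TCP-level sources that actually reached the RDP port around this time
        nearby = sorted({src for ct, src in rdp_conns if abs(ct - when) <= window})
        if logged_ip not in nearby:
            findings.append({"time": t, "client": client,
                             "logged_ip": logged_ip, "tcp_sources": nearby})
    return findings

if __name__ == "__main__":
    for f in find_unconfirmed(TS_LOG, FW_LOG):
        print(f["time"], f["client"], "logged", f["logged_ip"],
              "but TCP sources were", f["tcp_sources"] or "none")
```

A client behind address translation also reports an address that differs from the TCP source, so a mismatch is a lead to review rather than proof of tampering.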