It appears that the WTSQuerySessionInformation function within the win32ts module fails to get the correct IPv6 Address value for WTS_INFO_CLASS WTSClientAddress.
When my client's IP was set to something like [fe80::b33f], the returned value of Address was set to (0, 0, 254, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0). Based on a quick glance at the source (win32tsmodule.cpp lines 408-414), it appears it may be a simple mishandling of the null terminator for IPv6 addresses (which should be represented by 16 raw byte values).
To reproduce, I installed Remote Desktop Services on Windows 2008 server and RDP'd in from a Windows 8.1 client. While logged on, I attempted to grab the logged-in client's IPv6 address with the attached POC.
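An added example, not part of the original report, its attached POC, or pywin32: a caller-side decoder for the `Address` tuple that flags the truncated IPv6 value described above before it reaches a logon audit record. It assumes the IP bytes start two bytes into the 20-byte member (consistent with `254, 128` sitting at index 2 in the reported tuple) and uses the Windows address-family values; the function names and sample tuples are constructed for illustration.

```python
import ipaddress

AF_INET = 2       # Windows AF_INET
AF_INET6 = 23     # Windows AF_INET6 (not the Linux value)
ADDR_LEN = 20     # size of the Address member
ADDR_OFFSET = 2   # assumption: IP bytes begin at index 2, as in the reported tuple


def decode_client_address(family, address):
    """Turn (AddressFamily, Address tuple) into an ipaddress object."""
    raw = bytes(address)
    if len(raw) != ADDR_LEN:
        raise ValueError(f"expected {ADDR_LEN} bytes, got {len(raw)}")
    if family == AF_INET:
        return ipaddress.IPv4Address(raw[ADDR_OFFSET:ADDR_OFFSET + 4])
    if family == AF_INET6:
        return ipaddress.IPv6Address(raw[ADDR_OFFSET:ADDR_OFFSET + 16])
    raise ValueError(f"unsupported address family {family}")


def looks_truncated(family, address):
    """Heuristic: an IPv6 client address whose low 64 bits (interface ID)
    are all zero is not a plausible host address, so the value was probably
    cut short at the first zero byte."""
    if family != AF_INET6:
        return False
    ip = decode_client_address(family, address)
    return ip.packed[8:] == bytes(8)


# Constructed samples: the tuple from the report, and the value the
# reporter expected for fe80::b33f (16 raw bytes at the same offset).
REPORTED = (0, 0, 254, 128) + (0,) * 16
EXPECTED = (0, 0, 254, 128) + (0,) * 12 + (0xB3, 0x3F) + (0, 0)

if __name__ == "__main__":
    for name, addr in (("reported", REPORTED), ("expected", EXPECTED)):
        ip = decode_client_address(AF_INET6, addr)
        print(name, ip, "truncated" if looks_truncated(AF_INET6, addr) else "ok")
```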