Background
First of all, this is a relatively old article, but it was really interesting to me, so I am posting it today. The problem is that users failed to log on from the Linux ICA client v10.x to Citrix Presentation Server. It does not matter whether the server is Citrix Presentation Server 4.0 or 4.5; the most important thing is whether the ICA connection goes through WI 4.0 or not. Secondly, the specification for ICA file encoding changed somewhat between WI 4.0 and WI 4.5: with WI 4.0 it is based on S-JIS on the JA platform, while WI 4.5 is based on UTF-8. Finally, we assumed that the Linux client, a.k.a. the Unicode client, sends UTF-16 data to the server.

By default, in the case of an ICA connection through WI, an ICA Ticket (a kind of magic number) is used rather than the actual Domain / User information; it is converted to the actual Domain / User information on the server later. The ICA ticket carries '\' as a prefix byte.

Debug Log
Here is an example from a case I met and investigated.

'\' is 0x005C in S-JIS encoding, but 0x00A5 in UTF-16 encoding (in JIS X 0201 / S-JIS the 0x5C byte is the yen sign, which a Unicode client maps to U+00A5). ccticket!RequestCredentialsFromTicket2() has the ICA Ticket in UTF-16 encoding in the Client – Host data structure in the case where the user fails to log on through WI 4.0 to CPS40 HRP03 from the Linux 10.26 JA client. That means the Linux client 10.26 JA sends UTF-16 data to CPS40 HRP03. On the other hand, ccticket!RequestCredentialsFromTicket2() compares the UTF-16 data against '\', that is, the 0x005C (S-JIS) value. Therefore ccticket!RequestCredentialsFromTicket2() never tries to convert the ICA Ticket to NTLM authentication data and instead passes it directly to GINA, so the user fails to log on in this scenario.

  • Normal Case
    kd> p
    eax=001134b0 ebx=77b78dba ecx=0011350c edx=00000000 esi=001134b0 edi=0000008e
    eip=67ef323f esp=0285ef00 ebp=0285ef84 iopl=0 nv up ei pl nz na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
    ccticket!RequestCredentialsFromTicket2+0x59:
    001b:67ef323f 6683395c cmp word ptr [ecx],5Ch ds:0023:0011350c=005c
    kd> dw ecx
    0011350c 005c 0035 0034 0033 0046 0042 0046 0034
    0011351c 0036 0032 0032 0036 0045 0043 0046 0041
    0011352c 0035 0000 0075 0073 0065 0072 0030 0030
    0011353c 0000 0033 0046 0031 0030 0030 0041 0032
    0011354c 0042 0031 0030 0046 0033 0034 0042 0000
    0011355c 0000 0000 0000 0000 0000 0000 0000 0000
    0011356c 0000 0000 0000 0000 0000 0000 0000 0000
    0011357c 0000 0000 0000 0000 0000 0000 0000 0000
  • Problem Case
    kd> p
    eax=0011b1e8 ebx=77b78dba ecx=0011b244 edx=00000000 esi=0011b1e8 edi=0000008e
    eip=67ef323f esp=028cef00 ebp=028cef84 iopl=0 nv up ei pl nz ac pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
    ccticket!RequestCredentialsFromTicket2+0x59:
    001b:67ef323f 6683395c cmp word ptr [ecx],5Ch ds:0023:0011b244=00a5
    kd> dw ecx
    0011b244 00a5 0030 0041 0033 0037 0038 0032 0034
    0011b254 0033 0044 0032 0042 0035 0038 0038 0043
    0011b264 0045 0000 0075 0073 0065 0072 0030 0030
    0011b274 0000 0031 0030 0042 0032 0031 0036 0036
    0011b284 0035 0033 0034 0041 0042 0030 0038 0000
    0011b294 0000 0000 0000 0000 0000 0000 0000 0000
    0011b2a4 0000 0000 0000 0000 0000 0000 0000 0000
    0011b2b4 0000 0000 0000 0000 0000 0000 0000 0000
  • Patching Data and Stack
    As shown below, I configured a conditional breakpoint so that the debugger patches the stored 0x00a5 to 0x005c when WDICA.sys initializes the winstation driver credential member in the WDICA data structure through the second parameter of ICAWdCredentials(); as a result of that, I was able to log on to CPS 4.0 from the Linux client v10.x.

3 e f56aa5f6 0001 (0001) WDICA!ICAWdCredentials "kv; dw poi(esp+8)+d;ew poi(esp+8)+d 5c00;dw poi(esp+8)+d;gc"
kd> g
ChildEBP RetAddr Args to Child
f5afe1f0 f569eb44 8183c000 81883000 0000005e WDICA!ICAWdCredentials (FPO: [Non-Fpo]) (CONV: stdcall)
f5afe244 f569f62a e103bfb1 00000000 01000061 WDICA!ProcessIcaPacket+0x436 (FPO: [Non-Fpo]) (CONV: stdcall)
f5afe260 f56b371a 00597f41 818b5def 00000040 WDICA!ICAPacket+0x166 (FPO: [Non-Fpo]) (CONV: stdcall)
f5afe49c f76ad194 8183c000 00000000 818b5def WDICA!WdRawInput+0x2e0 (FPO: [Non-Fpo]) (CONV: stdcall)
f5afe4c0 f51ea2bd 8189619c 00000000 818b5def termdd!IcaRawInput+0x58 (FPO: [Non-Fpo])
f5afe4e4 f76ad194 81e51b68 00000000 818b5def pdcrypt1!PdRawInput+0x279 (FPO: [Non-Fpo]) (CONV: stdcall)
f5afe508 f56cb723 81fb1eac 00000000 818b5dee termdd!IcaRawInput+0x58 (FPO: [Non-Fpo])
f5afe52c f76ad194 81a13008 00000000 818b5dee pdrframe!PdRawInput+0x63 (FPO: [Non-Fpo]) (CONV: stdcall)
f5afe550 f5a2dfcb 81f8f2bc 00000000 818b5dec termdd!IcaRawInput+0x58 (FPO: [Non-Fpo])
f5afed90 f76ac265 818b5ca0 00000000 818d8660 TDTCP!TdInputThread+0x371 (FPO: [Non-Fpo])
f5afedac 809418f4 81986008 00000000 00000000 termdd!_IcaDriverThread+0x4d (FPO: [Non-Fpo])
f5afeddc 80887f4a f76ac218 81dce200 00000000 nt!PspSystemThreadStartup+0x2e (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

8188300d a500 4600 3900 4500 4300 3000 3900 3900
8188301d 4400 3000 3800 3500 4600 4200 3000 3200
8188302d 4300 0000 7500 7300 6500 7200 3000 3000
8188303d 0000 4300 4200 4300 3000 3100 4600 3700
8188304d 4400 3900 4100 3200 3500 3500 3400 0000
8188305d 0000 0000 0000 0000 0000 0000 0000 0000
8188306d 0000 0000 0000 0000 0000 0000 0000 0000
8188307d 0000 0000 0000 0000 0000 5400 0002 0000

8188300d 5c00 4600 3900 4500 4300 3000 3900 3900
8188301d 4400 3000 3800 3500 4600 4200 3000 3200
8188302d 4300 0000 7500 7300 6500 7200 3000 3000
8188303d 0000 4300 4200 4300 3000 3100 4600 3700
8188304d 4400 3900 4100 3200 3500 3500 3400 0000
8188305d 0000 0000 0000 0000 0000 0000 0000 0000
8188306d 0000 0000 0000 0000 0000 0000 0000 0000
8188307d 0000 0000 0000 0000 0000 5400 0002 0000
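To make the mismatch concrete, here is an added Python example (not code from the original article or from Citrix) that parses the `kd> dw` dumps from the Normal and Problem cases above, replays the single-word prefix check performed by `cmp word ptr [ecx],5Ch`, and contrasts it with an encoding-tolerant check that also accepts U+00A5. The tolerant check is an assumption about how the comparison could be hardened, not the vendor's actual fix.

```python
# Added example, not from the original article. Parses the article's `dw`
# dumps and replays the ticket prefix check in strict and tolerant forms.

# Code units copied from the article's "Normal Case" and "Problem Case"
# dumps (WinDbg `dw`: address followed by eight 16-bit words per line).
NORMAL_DUMP = """
0011350c 005c 0035 0034 0033 0046 0042 0046 0034
0011351c 0036 0032 0032 0036 0045 0043 0046 0041
0011352c 0035 0000 0075 0073 0065 0072 0030 0030
0011353c 0000 0033 0046 0031 0030 0030 0041 0032
"""
PROBLEM_DUMP = """
0011b244 00a5 0030 0041 0033 0037 0038 0032 0034
0011b254 0033 0044 0032 0042 0035 0038 0038 0043
0011b264 0045 0000 0075 0073 0065 0072 0030 0030
0011b274 0000 0031 0030 0042 0032 0031 0036 0036
"""

SJIS_BACKSLASH = 0x005C  # byte 0x5C: '\' in ASCII, the yen sign in JIS X 0201
UNICODE_YEN = 0x00A5     # U+00A5: what a Unicode (UTF-16) client sends for it


def parse_dw(dump: str) -> list[int]:
    """Flatten WinDbg `dw` output into a list of 16-bit code units."""
    words = []
    for line in dump.strip().splitlines():
        fields = line.split()
        words.extend(int(w, 16) for w in fields[1:])  # fields[0] is the address
    return words

def read_wsz(words: list[int], start: int = 0) -> str:
    """Read a NUL-terminated UTF-16 string (one code unit per word) at `start`."""
    end = words.index(0, start)
    return "".join(chr(w) for w in words[start:end])

def is_ticket_strict(cred: str) -> bool:
    """Mirrors `cmp word ptr [ecx],5Ch`: only a 0x005C prefix marks a ticket."""
    return bool(cred) and ord(cred[0]) == SJIS_BACKSLASH

def is_ticket_tolerant(cred: str) -> bool:
    """Assumed hardening: accept both Unicode forms of the S-JIS 0x5C byte."""
    return bool(cred) and ord(cred[0]) in (SJIS_BACKSLASH, UNICODE_YEN)

def classify(dump: str) -> tuple[str, str, bool, bool]:
    """Return (ticket, user name, strict verdict, tolerant verdict) for a dump."""
    words = parse_dw(dump)
    ticket = read_wsz(words)
    user = read_wsz(words, len(ticket) + 1)  # user name follows the ticket's NUL
    return ticket, user, is_ticket_strict(ticket), is_ticket_tolerant(ticket)
```

Run against the two dumps, the strict check accepts only the Normal Case ticket, while the tolerant check accepts both, which is exactly the difference the breakpoint patch above papers over by rewriting 0x00a5 to 0x005c.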

Global Escalation Manager Tokyo
-fb