Message-ID: <1906051202.20070118004158@SECURITY.NNOV.RU>
Date: Thu, 18 Jan 2007 00:41:58 +0300
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: Rage Coder <ragecoder@....com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Windows logoff bug possible security vulnerability and exploit.

Dear Rage Coder,

 I've seen unloaded profiles many times, but I never saw an application
 still running after logoff. The profile itself doesn't create a security
 vulnerability, since it cannot be accessed by another user.

 What do you use to reproduce this vulnerability?

 Are you sure you do not use some different software which affects the
 logon/logoff process, e.g. 3rd-party terminal software or some security
 enhancement?

--Wednesday, January 17, 2007, 2:15:27 PM, you wrote to bugtraq@...urityfocus.com:


RC> The security problem I'm discussing occurs when a user profile fails to
RC> unload during logoff.  The event viewer shows a profile unload error as a
RC> UserEnv application event, ID 1517 and 1524 on Server 2003.  At times,
RC> if the system is under heavy use and the registry is still being
RC> accessed, the user profile (registry, etc.) will not unload and the
RC> programs launched by that user will continue to run. This is evident
RC> from task manager, which reveals that the old 'explorer.exe' and other
RC> processes of a previous login are still running. I have also tested this
RC> with the UPHClean utility and the same results have appeared, even
RC> though the registry gets remapped.  If another user logs on while these
RC> programs are running, the user may be able to access the programs, and
RC> with it the permissions of the user that ran the programs.  Some
RC> programs are easier to access than others if they continue to run,
RC> such as those programs that only allow one instance or programs that
RC> reinsert themselves into the system tray.  I still do not think it is
RC> the responsibility of the program to make sure it is on the right
RC> desktop, but the OS should make sure the program does not 'bounce' from
RC> one user's login session to another.



-- 
~/ZARAZA
http://security.nnov.ru/
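
Added example, not part of the original message or of the quoted report: a check for the condition the report describes, flagging processes whose owner has no logon session and that were started before that user's latest Userenv 1517/1524 event. The record layout, account names and `tray_app.exe` are constructed for illustration and are not a Windows export format.

```python
from datetime import datetime

UNLOAD_FAILURE_IDS = {1517, 1524}   # Userenv event IDs named in the quoted report
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

# Constructed sample data; the field layout is an assumption for this example.
EVENTS = [
    {"time": "2007-01-17 13:58:02", "source": "Userenv", "id": 1517, "user": "CORP\\alice"},
    {"time": "2007-01-17 13:58:03", "source": "Userenv", "id": 1524, "user": "CORP\\alice"},
    {"time": "2007-01-17 14:01:40", "source": "Userenv", "id": 1517, "user": "CORP\\bob"},
]
PROCESSES = [
    {"pid": 1820, "name": "explorer.exe", "owner": "CORP\\alice", "started": "2007-01-17 09:12:44"},
    {"pid": 2044, "name": "tray_app.exe", "owner": "CORP\\alice", "started": "2007-01-17 09:13:10"},
    {"pid": 3112, "name": "explorer.exe", "owner": "CORP\\carol", "started": "2007-01-17 14:05:31"},
    {"pid": 3300, "name": "notepad.exe", "owner": "CORP\\bob", "started": "2007-01-17 14:03:00"},
    {"pid": 4, "name": "System", "owner": "SYSTEM", "started": "2007-01-17 08:00:00"},
]
ACTIVE_SESSIONS = {"CORP\\carol", "CORP\\bob"}   # bob logged on again after his event

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def last_unload_failures(events):
    """Map each user to the time of their most recent 1517/1524 Userenv event."""
    latest = {}
    for e in events:
        if e["source"].lower() == "userenv" and e["id"] in UNLOAD_FAILURE_IDS:
            user, t = e["user"].lower(), _ts(e["time"])
            if user not in latest or t > latest[user]:
                latest[user] = t
    return latest

def orphaned_processes(processes, active_sessions, events):
    """Processes whose owner has no session and that predate an unload failure."""
    active = {u.lower() for u in active_sessions}
    failures = last_unload_failures(events)
    findings = []
    for p in processes:
        owner = p["owner"].lower()
        if p["owner"].upper() in SERVICE_ACCOUNTS or owner in active:
            continue
        failed_at = failures.get(owner)
        if failed_at and _ts(p["started"]) < failed_at:
            findings.append((p["pid"], p["name"], p["owner"], failed_at.isoformat(sep=" ")))
    return findings

if __name__ == "__main__":
    for pid, name, owner, when in orphaned_processes(PROCESSES, ACTIVE_SESSIONS, EVENTS):
        print(f"pid {pid} ({name}) owned by {owner} survived logoff; unload failure at {when}")
```

The comparison is by account name only, so a leftover process is missed once the same user logs on again; with real data, compare each process's session ID against the list of live sessions instead.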
