lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <BAY130-F9B93E463717BBCA75316690AD0@phx.gbl>
Date: Tue, 23 Jan 2007 13:28:13 +0000
From: "Bart ...." <need4angel@...mail.com>
To: ragecoder@....com
Cc: bugtraq@...urityfocus.com
Subject: Re: Windows logoff bug possible security vulnerability and exploit.

Dear Rage Coder,

I think this is a now problem, see Microsoft knowledge base article 837115:
http://support.microsoft.com/kb/837115

Microsoft recommend to use "User Profile Hive Cleanup Service":
http://www.microsoft.com/downloads/details.aspx?FamilyID=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Can you tel me of this helps solving your problem?

Greetz
Bart

Rage Coder wrote:
>The problem only occurs at times.  To reproduce the problem, I just use the 
>computer normally, and at each logon check the event viewer and running 
>processes to see if a profile unload failed.  I don't have any special 
>terminal software or other logon software installed.
>
>I find that if I wait for a little bit after logging off before logging on 
>again, no running programs from the previous logon are present, but if I 
>log on just after logging off, they will be if the profile unload fails.  
>That still shouldn't be the case.  My brother frequently goes on his 
>account right after I go off; there shouldn't be a time limit to wait in 
>order to prevent this.
>
>I noticed an interesting thing about XP and fast user switching which would 
>likely stop this problem.  When logging on, the first logged on user is 
>given session ID 0, as shown in task manager, but if I 'switch' to another 
>user, the user is given a different session ID.  It seems that no two users 
>are given the same session ID when using fast user switching. But when 
>logging off all users and then back on, it is back to session 0.  And if I 
>just log on as a user, log off, and then on as another user without using 
>the 'switch user', they both are session ID 0.
>
>The same thing happens when using classic logon and on 2003.  All logons 
>are given session ID 0.  I did some reading in the platform SDK and some 
>sites about stuff, and it seems that these sessions literally create an 
>isolation.  Messages sent from a process in one session ID are not visible 
>to processes in another, windows created only appear on the desktop 
>associated with that session of the process that created the window, etc.
>
>Ideally, running classic logon always as session 0 'should' work because 
>ideally when logging of, the processes ran 'should' close, so the next user 
>to log on would have nothing to access.  But this does not appear to be the 
>case at all times.
>
>A few moments ago I logged in as administrator to do some minor changes, 
>and I ran EPIM to take some notes of things.  When I logged of and back on 
>as a regular using, 'explorer.exe', 'essentialpim.exe', 'seamonkey.exe' 
>were still running as Administrator, event viewer showed the usual UserEnv 
>messages, and EPIM appeared on the system tray.  My guess is something like 
>this happens:
>
>Logon Administrator : Session ID 0
>Run EssentialPIM : Session ID 0
>Do some stuff
>Logoff Administrator : Profile unload fails, a few programs continue 
>running
>Logon Normal User : Session ID 0
>Explorer runs, and at startup broadcasts 'TaskbarCreated' message
>All processes in session 0 get this message, EPIM adds system tray icon 
>like it is supposed to
>
>If each logon, even in classic mode, is given a separate session ID as is 
>done in fast user switching, this would not happen, even if the profile 
>unload fails and the programs continue to run waiting for the profile to 
>unload:
>
>Logon Administrator : Session ID 0
>Run EssentialPIM : Session ID 0
>Do some stuff
>Logoff Administrator : Profile unload fails, a few programs continue 
>running
>Logon Normal User : Session ID 1
>Explorer runs, and at startup broadcasts 'TaskbarCreated' message
>All processes in session 1 get this message
>Programs that may continue to run in session 0 are isolated
>
>If I log on as administrator again, it would be ok to reuse session 0, but 
>for a given boot, no two users should be assigned the same logon session 
>ID.  I.E.  if I log on as Normal User again, it would be session 1,  etc.
>
>This would not prevent a profile from failing to unload, and would not 
>prevent the processes from continuing to run, but it will prevent a user 
>from a later logon from accessing the processes in the current logon.
>
>3APA3A@...URITY.NNOV.RU wrote:
>>Dear Rage Coder,
>>
>>  I've seen unloaded profiles for many times, but I never saw application
>>  still  running  after  logoff.  Profile  itself doesn't create security
>>  vulnerability, since it can not be accessed by another user.
>>
>>  What do you use to reproduce this vulnerability?
>>
>>  Are  you  sure  you  do  not  use some different software which affects
>>  logon/logoff process, e.g. 3rd party terminal software or some security
>>  enhancement?

_________________________________________________________________
Valentine’s Day -- Shop for gifts that spell L-O-V-E at MSN Shopping 
http://shopping.msn.com/content/shp/?ctId=8323,ptnrid=37,ptnrdata=24095&tcode=wlmtagline

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ