Message-ID: <45BC1DCC.6080701@aim.com>
Date: Sat, 27 Jan 2007 22:51:40 -0500
From: Rage Coder <ragecoder@....com>
To: need4angel@...mail.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Windows logoff bug possible security vulnerability and exploit.
I have used the UPHC service, and it helps some. It does seem to reduce
the frequency at which the problem occurs. However, I still have the
problem with it. When I check the event viewer with UPHC installed, I
get messages that it remaps the registry and some other stuff, but some
processes from a previous logon continue to run under the account it was
run as in the same 'session' as the current logon, and at times appear
on the desktop as a window or in the system tray as an icon.
R.C.
need4angel@...mail.com wrote:
> Dear Rage Coder,
>
> I think this is a known problem, see Microsoft knowledge base article
> 837115:
> http://support.microsoft.com/kb/837115
>
> Microsoft recommend to use "User Profile Hive Cleanup Service":
> http://www.microsoft.com/downloads/details.aspx?FamilyID=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en
>
>
> Can you tell me if this helps solve your problem?
>
> Greetz
> Bart
>
> Rage Coder wrote:
>> The problem only occurs at times. To reproduce the problem, I just
>> use the computer normally, and at each logon check the event viewer
>> and running processes to see if a profile unload failed. I don't
>> have any special terminal software or other logon software installed.
>>
>> I find that if I wait for a little bit after logging off before
>> logging on again, no running programs from the previous logon are
>> present, but if I log on just after logging off, they will be if the
>> profile unload fails. That still shouldn't be the case. My brother
>> frequently goes on his account right after I go off; there shouldn't
>> be a time limit to wait in order to prevent this.
>>
>> I noticed an interesting thing about XP and fast user switching which
>> would likely stop this problem. When logging on, the first logged on
>> user is given session ID 0, as shown in task manager, but if I
>> 'switch' to another user, the user is given a different session ID.
>> It seems that no two users are given the same session ID when using
>> fast user switching. But when logging off all users and then back on,
>> it is back to session 0. And if I just log on as a user, log off,
>> and then on as another user without using the 'switch user', they
>> both are session ID 0.
>>
>> The same thing happens when using classic logon and on 2003. All
>> logons are given session ID 0. I did some reading in the platform
>> SDK and some sites about stuff, and it seems that these sessions
>> literally create an isolation. Messages sent from a process in one
>> session ID are not visible to processes in another, windows created
>> only appear on the desktop associated with that session of the
>> process that created the window, etc.
>>
>> Ideally, running classic logon always as session 0 'should' work
>> because ideally when logging off, the processes run 'should' close, so
>> the next user to log on would have nothing to access. But this does
>> not appear to be the case at all times.
>>
>> A few moments ago I logged in as administrator to do some minor
>> changes, and I ran EPIM to take some notes of things. When I logged
>> off and back on as a regular user, 'explorer.exe',
>> 'essentialpim.exe', 'seamonkey.exe' were still running as
>> Administrator, event viewer showed the usual UserEnv messages, and
>> EPIM appeared on the system tray. My guess is something like this
>> happens:
>>
>> Logon Administrator : Session ID 0
>> Run EssentialPIM : Session ID 0
>> Do some stuff
>> Logoff Administrator : Profile unload fails, a few programs continue
>> running
>> Logon Normal User : Session ID 0
>> Explorer runs, and at startup broadcasts 'TaskbarCreated' message
>> All processes in session 0 get this message, EPIM adds system tray
>> icon like it is supposed to
>>
>> If each logon, even in classic mode, is given a separate session ID
>> as is done in fast user switching, this would not happen, even if the
>> profile unload fails and the programs continue to run waiting for the
>> profile to unload:
>>
>> Logon Administrator : Session ID 0
>> Run EssentialPIM : Session ID 0
>> Do some stuff
>> Logoff Administrator : Profile unload fails, a few programs continue
>> running
>> Logon Normal User : Session ID 1
>> Explorer runs, and at startup broadcasts 'TaskbarCreated' message
>> All processes in session 1 get this message
>> Programs that may continue to run in session 0 are isolated
>>
>> If I log on as administrator again, it would be ok to reuse session
>> 0, but for a given boot, no two users should be assigned the same
>> logon session ID. I.E. if I log on as Normal User again, it would
>> be session 1, etc.
>>
>> This would not prevent a profile from failing to unload, and would
>> not prevent the processes from continuing to run, but it will prevent
>> a user from a later logon from accessing the processes in the current
>> logon.
>
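The check described in the thread (looking in Task Manager after each logon for processes still running under the previous user's account in the same session) can be scripted. The following PowerShell is an added example, not code from the original posters or from Microsoft; it assumes PowerShell 3 or later (for Get-CimInstance/Invoke-CimMethod) and that the Application log carries entries from a source named "Userenv", as it did on XP/2003. It lists every process that shares the caller's session ID but is owned by a different non-service account, which is exactly what a leftover 'essentialpim.exe' from a failed profile unload would look like.

```powershell
# Added example (not from the original thread): find processes in the current
# session owned by a user other than the one running this script.
# Assumption: PowerShell 3+ and WMI access to Win32_Process.

$me        = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # DOMAIN\user
$mySession = (Get-Process -Id $PID).SessionId

$leftovers = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.SessionId -eq $mySession } |
    ForEach-Object {
        # GetOwner returns Domain/User; ReturnValue 0 means success.
        $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $owner = if ($o.ReturnValue -eq 0 -and $o.User) { "$($o.Domain)\$($o.User)" } else { $null }
        [pscustomobject]@{
            Pid       = $_.ProcessId
            Name      = $_.Name
            SessionId = $_.SessionId
            Owner     = $owner
            Started   = $_.CreationDate
        }
    } |
    Where-Object {
        # Keep only processes with a known owner that is neither the caller nor a
        # built-in service account (SYSTEM, LOCAL SERVICE, NETWORK SERVICE share
        # session 0 with interactive users on XP/2003).
        $_.Owner -and $_.Owner -ne $me -and $_.Owner -notlike 'NT AUTHORITY\*'
    }

if ($leftovers) {
    Write-Host "Processes in session $mySession not owned by ${me}:"
    $leftovers | Sort-Object Owner, Name | Format-Table -AutoSize
} else {
    Write-Host "No foreign-owned processes in session $mySession."
}

# Assumption: the profile-unload failures the thread mentions are logged by the
# 'Userenv' source in the Application log; show the most recent ones for context.
Get-EventLog -LogName Application -Source Userenv -Newest 10 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EntryType, EventID, Message |
    Format-Table -AutoSize -Wrap
```

Run it from the freshly logged-on account immediately after the previous user logs off. Any row it prints is a process that will receive the same window-station broadcasts (such as the 'TaskbarCreated' message the thread describes) as the new user's Explorer, because session ID and window station, not the owning account, decide who sees those messages. On later Windows versions, where each interactive logon gets its own session and services are confined to session 0, the same script should report nothing for this scenario.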