Date: Sat, 27 Jan 2007 22:51:40 -0500
From: Rage Coder <ragecoder@....com>
To: need4angel@...mail.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Windows logoff bug possible security vulnerability and exploit.

I have used the UPHC service, and it helps some.  It does seem to reduce 
the frequency at which the problem occurs.  However, I still have the 
problem with it.  When I check the event viewer with UPHC installed,  I 
get messages that it remaps the registry and some other stuff, but some 
processes from a previous logon continue to run under the account it was 
run as in the same 'session' as the current logon, and at times appear 
on the desktop as a window or in the system tray as an icon.

R.C.



need4angel@...mail.com wrote:
> Dear Rage Coder,
>
> I think this is a known problem, see Microsoft knowledge base article 
> 837115:
> http://support.microsoft.com/kb/837115
>
> Microsoft recommend to use "User Profile Hive Cleanup Service":
> http://www.microsoft.com/downloads/details.aspx?FamilyID=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en 
>
>
> Can you tell me if this helps solving your problem?
>
> Greetz
> Bart
>
> Rage Coder wrote:
>> The problem only occurs at times.  To reproduce the problem, I just 
>> use the computer normally, and at each logon check the event viewer 
>> and running processes to see if a profile unload failed.  I don't 
>> have any special terminal software or other logon software installed.
>>
>> I find that if I wait for a little bit after logging off before 
>> logging on again, no running programs from the previous logon are 
>> present, but if I log on just after logging off, they will be if the 
>> profile unload fails.  That still shouldn't be the case.  My brother 
>> frequently goes on his account right after I go off; there shouldn't 
>> be a time limit to wait in order to prevent this.
>>
>> I noticed an interesting thing about XP and fast user switching which 
>> would likely stop this problem.  When logging on, the first logged on 
>> user is given session ID 0, as shown in task manager, but if I 
>> 'switch' to another user, the user is given a different session ID.  
>> It seems that no two users are given the same session ID when using 
>> fast user switching. But when logging off all users and then back on, 
>> it is back to session 0.  And if I just log on as a user, log off, 
>> and then on as another user without using the 'switch user', they 
>> both are session ID 0.
>>
>> The same thing happens when using classic logon and on 2003.  All 
>> logons are given session ID 0.  I did some reading in the platform 
>> SDK and some sites about stuff, and it seems that these sessions 
>> literally create an isolation.  Messages sent from a process in one 
>> session ID are not visible to processes in another, windows created 
>> only appear on the desktop associated with that session of the 
>> process that created the window, etc.
>>
>> Ideally, running classic logon always as session 0 'should' work 
>> because ideally when logging off, the processes that ran 'should' close, so 
>> the next user to log on would have nothing to access.  But this does 
>> not appear to be the case at all times.
>>
>> A few moments ago I logged in as administrator to do some minor 
>> changes, and I ran EPIM to take some notes of things.  When I logged 
>> off and back on as a regular user, 'explorer.exe', 
>> 'essentialpim.exe', 'seamonkey.exe' were still running as 
>> Administrator, event viewer showed the usual UserEnv messages, and 
>> EPIM appeared on the system tray.  My guess is something like this 
>> happens:
>>
>> Logon Administrator : Session ID 0
>> Run EssentialPIM : Session ID 0
>> Do some stuff
>> Logoff Administrator : Profile unload fails, a few programs continue 
>> running
>> Logon Normal User : Session ID 0
>> Explorer runs, and at startup broadcasts 'TaskbarCreated' message
>> All processes in session 0 get this message, EPIM adds system tray 
>> icon like it is supposed to
>>
>> If each logon, even in classic mode, is given a separate session ID 
>> as is done in fast user switching, this would not happen, even if the 
>> profile unload fails and the programs continue to run waiting for the 
>> profile to unload:
>>
>> Logon Administrator : Session ID 0
>> Run EssentialPIM : Session ID 0
>> Do some stuff
>> Logoff Administrator : Profile unload fails, a few programs continue 
>> running
>> Logon Normal User : Session ID 1
>> Explorer runs, and at startup broadcasts 'TaskbarCreated' message
>> All processes in session 1 get this message
>> Programs that may continue to run in session 0 are isolated
>>
>> If I log on as administrator again, it would be ok to reuse session 
>> 0, but for a given boot, no two users should be assigned the same 
>> logon session ID.  I.e., if I log on as Normal User again, it would 
>> be session 1,  etc.
>>
>> This would not prevent a profile from failing to unload, and would 
>> not prevent the processes from continuing to run, but it will prevent 
>> a user from a later logon from accessing the processes in the current 
>> logon.
>

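The thread's core observation is that processes left behind by a failed profile unload keep running in the same session as the next interactive logon, so they receive that session's window messages (such as the 'TaskbarCreated' broadcast). The following check, an added example that is not part of the thread, enumerates the processes in the caller's own session and reports those owned by a different account. It assumes Windows PowerShell 3 or later for the CIM cmdlets (on the XP/2003-era systems discussed above, Get-WmiObject would be used instead), an elevated prompt so other users' process owners are readable, and an exclusion list of well-known per-session service accounts that is a hypothetical starting point to adjust for your environment.

```powershell
# Added example: find processes in the current session that are owned by an account
# other than the logged-on user (leftovers from a previous logon, per the thread).
# Assumes Windows PowerShell 3+ (CIM cmdlets) and an elevated prompt.

$currentSession = (Get-Process -Id $PID).SessionId
$currentUser    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Accounts that legitimately run processes inside an interactive session
# (per-session csrss/winlogon as SYSTEM, DWM, font driver host). Hypothetical
# list; extend it for your own environment.
$knownSessionAccounts = @(
    'NT AUTHORITY\*',
    'Window Manager\*',
    'Font Driver Host\*'
)

$leftovers = foreach ($p in Get-CimInstance Win32_Process -Filter "SessionId = $currentSession") {
    # GetOwner returns Domain/User for the process token; non-zero ReturnValue
    # means access was denied or the process has already exited.
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    if ($owner.ReturnValue -ne 0) { continue }

    $account = "$($owner.Domain)\$($owner.User)"
    if ($account -eq $currentUser) { continue }                       # our own processes
    if ($knownSessionAccounts | Where-Object { $account -like $_ }) { continue }

    [pscustomobject]@{
        ProcessId = $p.ProcessId
        Name      = $p.Name
        Owner     = $account
        SessionId = $p.SessionId
        Started   = $p.CreationDate
    }
}

if ($leftovers) {
    Write-Warning "Processes owned by other accounts share session ${currentSession}:"
    $leftovers | Sort-Object Started | Format-Table -AutoSize
} else {
    "No foreign-owned processes found in session $currentSession."
}
```

Any row reported here is a process that shares the desktop and window-message namespace of the current logon while running under someone else's token, which is exactly the exposure described in the thread; the 'Started' column helps tie it back to the earlier logon whose profile unload failed.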