Message-ID: <45CF5B56.7090902@aim.com>
Date: Sun, 11 Feb 2007 13:07:18 -0500
From: Rage Coder <RageCoder@....com>
To: bugtraq@...urityfocus.com
Subject: Windows logoff bug solution possibly.

I have posted previously about a bug that seems to cause applications to
continue to run when a user logs off and when another user logs on,
he/she may be able to access the programs that continued to run after
the logoff, for example:

1. Log on as Administrator
2. Do some stuff
3. Log off, but some programs continue to run
4. Log on as a regular user, programs running from 1,2 may appear and
   user may be able to access stuff with Administrator privileges.

I now think that ZoneAlarm may have some part to play in this. I still think
different logons should use different session IDs though.
During logoff today, ZoneAlarm asked me if I wanted to allow Client
Server Runtime Process to terminate a process. I clicked yes. This is
the first time I have seen this, and so I thought that it might be why
the programs are not terminating at logoff. If the OS Firewall level
for csrss.exe is set to ask but it can not ask, it will be denied. I
looked through some previous log files from ZoneAlarm and found some
entries with csrss.exe. The action was to terminate a process and it
was blocked. These are just a few from the list.

OSFW,2007/02/09,06:16:12 -5:00 GMT,BLOCKED,Client Server Runtime Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
OSFW,2007/02/09,06:16:12 -5:00 GMT,BLOCKED,Client Server Runtime Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
OSFW,2007/02/09,06:16:16 -5:00 GMT,BLOCKED,Client Server Runtime Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\Program Files\EssentialPIM Pro\EssentialPIM.exe
OSFW,2007/02/09,06:16:20 -5:00 GMT,BLOCKED,Client Server Runtime Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\Program Files\GetRight\getright.exe

The list of processes is the same processes that show up as still
running from the previous logon when I check task manager. Setting the
OS Firewall level to 'Super' for Client Server Runtime Process may fix
the logoff problem that I have been discussing. I also think ZoneLabs
should make it a 'System,Custom' item instead of 'Auto,Custom', so the
user will be warned of any changes.
RC
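
The check described in the message above (finding OSFW entries where csrss.exe was blocked from terminating a process) can be run over a whole log file. This is an added example, not part of the original post or any ZoneAlarm tooling; the field names and the ALLOWED action value are assumptions inferred from the quoted entries.

```python
from collections import defaultdict

# Field order inferred from the entries quoted in the post (assumption,
# not a documented ZoneAlarm schema).
FIELDS = ("type", "date", "time", "action", "program", "program_path",
          "category", "operation", "direction", "target")

# First four lines: the post's entries with the mail line-wrapping undone.
# Last two lines: constructed for this example (a non-blocked and a truncated entry).
SAMPLE_LOG = r"""OSFW,2007/02/09,06:16:12 -5:00 GMT,BLOCKED,Client Server Runtime Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
OSFW,2007/02/09,06:16:12 -5:00 GMT,BLOCKED,Client Server Runtime Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
OSFW,2007/02/09,06:16:16 -5:00 GMT,BLOCKED,Client Server Runtime Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\Program Files\EssentialPIM Pro\EssentialPIM.exe
OSFW,2007/02/09,06:16:20 -5:00 GMT,BLOCKED,Client Server Runtime Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\Program Files\GetRight\getright.exe
OSFW,2007/02/10,18:02:41 -5:00 GMT,ALLOWED,Client Server Runtime Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\Program Files\Example\example.exe
OSFW,2007/02/10,18:02:45 -5:00 GMT,BLOCKED
"""

def parse_osfw(line):
    """Split one OSFW entry into named fields; return None if it does not fit."""
    # maxsplit keeps a target path intact even if it contains a comma.
    parts = line.strip().split(",", len(FIELDS) - 1)
    if len(parts) != len(FIELDS) or parts[0] != "OSFW":
        return None
    return dict(zip(FIELDS, parts))

def blocked_logoff_kills(log_text):
    """Map each date to the processes csrss.exe was blocked from terminating."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_osfw(line)
        if rec is None:
            continue  # truncated or non-OSFW entry
        if (rec["action"] == "BLOCKED"
                and rec["operation"] == "TERMINATEPROCESS"
                and rec["program_path"].lower().endswith("\\system32\\csrss.exe")):
            hits[rec["date"]].append(rec["target"])
    return dict(hits)

if __name__ == "__main__":
    for date, targets in blocked_logoff_kills(SAMPLE_LOG).items():
        print(f"{date}: {len(targets)} process(es) likely left running after logoff")
        for target in targets:
            print("   ", target)
```

The per-date list is what to compare against the processes still visible in Task Manager after the next logon.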