Message-ID: <45CF5B56.7090902@aim.com>
Date: Sun, 11 Feb 2007 13:07:18 -0500
From: Rage Coder <RageCoder@....com>
To: bugtraq@...urityfocus.com
Subject: Windows logoff bug solution possibly.

I have posted previously about a bug that seems to cause applications to
continue to run when a user logs off and when another user logs on,
he/she may be able to access the programs that continued to run after
the logoff, for example:

1. Log on as Administrator
2. Do some stuff
3. Log off, but some programs continue to run
4. Log on as a regular user, programs running from 1,2 may appear and 
user may be able to access stuff with Administrator privileges.

I now think that ZoneAlarm may have some part to play in this.  I still think
different logons should use different session IDs though.

During logoff today, ZoneAlarm asked me if I wanted to allow Client
Server Runtime Process to terminate a process.  I clicked yes.  This is
the first time I have seen this, and so I thought that it might be why
the programs are not terminating at logoff.  If the OS Firewall level
for csrss.exe is set to ask but it cannot ask, it will be denied.  I
looked through some previous log files from ZoneAlarm and found some
entries with csrss.exe.  The action was to terminate a process and it
was blocked.  These are just a few from the list.

OSFW,2007/02/09,06:16:12 -5:00 GMT,BLOCKED,Client Server Runtime Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
OSFW,2007/02/09,06:16:12 -5:00 GMT,BLOCKED,Client Server Runtime Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
OSFW,2007/02/09,06:16:16 -5:00 GMT,BLOCKED,Client Server Runtime Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\Program Files\EssentialPIM Pro\EssentialPIM.exe
OSFW,2007/02/09,06:16:20 -5:00 GMT,BLOCKED,Client Server Runtime Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\Program Files\GetRight\getright.exe


The list of processes is the same processes that show up as still 
running from the previous logon when I check task manager.  Setting the 
OS Firewall level to 'Super' for Client Server Runtime Process may fix 
the logoff problem that I have been discussing.  I also think ZoneLabs 
should make it a 'System,Custom' item instead of 'Auto,Custom', so the 
user will be warned of any changes.

RC
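
The log check described in the message above, as an added example that is not part of the original post: it re-joins mail-wrapped OSFW records and lists every process that csrss.exe was blocked from terminating. The field order is inferred from the lines quoted in the message, and the function names and the last two sample records are constructed for illustration.

```python
# Added example, not from the original post. Field order is inferred from
# the four OSFW lines quoted in the message; it is an assumption, not a spec.
CSRSS = r"c:\windows\system32\csrss.exe"

# Two records copied from the message (mail-wrapped as archived), then two
# constructed records: another source program, and a truncated line.
SAMPLE = r"""
OSFW,2007/02/09,06:16:12 -5:00 GMT,BLOCKED,Client Server Runtime
Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
OSFW,2007/02/09,06:16:12 -5:00 GMT,BLOCKED,Client Server Runtime
Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\Program
Files\TortoiseSVN\bin\TSVNCache.exe
OSFW,2007/02/09,06:17:00 -5:00 GMT,BLOCKED,Example App,C:\Example\app.exe,PROCESS,TERMINATEPROCESS,DST,C:\Example\other.exe
OSFW,2007/02/09,06:18:00 -5:00 GMT,BLOCKED
"""

def records(text):
    """Re-join wrapped lines; a new record starts with 'OSFW,'."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("OSFW,"):
            if current is not None:
                yield current
            current = line
        elif current is not None:
            # Assumption: the mailer wrapped at a space, as in the message.
            current += " " + line
    if current is not None:
        yield current

def blocked_csrss_terminations(text):
    """Return (date, time, target) for each blocked csrss.exe terminate."""
    hits = []
    for rec in records(text):
        fields = rec.split(",", 9)  # target path is last and kept whole
        if len(fields) != 10:
            continue  # truncated or malformed record
        _, date, time, action, _, source, kind, op, _, target = fields
        if (action == "BLOCKED" and kind == "PROCESS"
                and op == "TERMINATEPROCESS" and source.lower() == CSRSS):
            hits.append((date, time, target))
    return hits

if __name__ == "__main__":
    for date, time, target in blocked_csrss_terminations(SAMPLE):
        print(date, time, target)
```

The targets it reports can be compared against the processes still listed in Task Manager after the next logon.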
