Re: Windows logoff bug possible security vulnerability and exploit.
Dear Rage Coder,
I've seen unloaded profiles many times, but I never saw an application
still running after logoff. The profile itself doesn't create a security
vulnerability, since it can not be accessed by another user.
What do you use to reproduce this vulnerability?
Are you sure you do not use some different software which affects the
logon/logoff process, e.g. 3rd-party terminal software or some security
enhancement?
--Wednesday, January 17, 2007, 2:15:27 PM, you wrote to
bugtraq@xxxxxxxxxxxxxxxxx:
RC> The security problem I'm discussing occurs when a user profile fails to
RC> unload during logoff. The event viewer shows a profile unload error as a
RC> UserEnv application event, IDs 1517 and 1524 on Server 2003. At times,
RC> if the system is under heavy use and the registry is still being
RC> accessed, the user profile (registry, etc) will not unload and the
RC> programs launched by that user will continue to run. This is evident
RC> from task manager, which reveals that the old 'explorer.exe' and other
RC> processes of a previous login are still running. I have also tested this
RC> with the UPHClean utility and the same results have appeared, even
RC> though the registry gets remapped. If another user logs on while these
RC> programs are running, the user may be able to access the programs, and
RC> with it the permissions of the user that ran the programs. Some
RC> programs are easier to access than others if they continue to run,
RC> such as those programs that only allow one instance or programs that
RC> reinsert themselves into the system tray. I still do not think it is
RC> the responsibility of the program to make sure it is on the right
RC> desktop, but the OS should make sure the program does not 'bounce' from
RC> one user's login session to another.
--
~/ZARAZA
http://security.nnov.ru/
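The quoted report gives administrators two observable signals: UserEnv application events 1517/1524 when a profile fails to unload, and processes (the old explorer.exe among them) that keep running under an account that has already logged off. The following PowerShell script is an added example for checking a host for both; it is not code from either poster. The event source name "Userenv" and the IDs 1517/1524 come from the report above; the use of quser to enumerate interactive sessions and the list of built-in service accounts are assumptions, and the script assumes it runs with administrator rights on the affected machine.

```powershell
# Added example, not from the original bugtraq thread.
# Assumes: elevated PowerShell on the affected host; the "Userenv" event
# source and IDs 1517/1524 are from the report; quser-based session
# enumeration and the service-account exclusions are assumptions.

function Get-ProfileUnloadFailures {
    # Return UserEnv events 1517/1524 (profile failed to unload) from the
    # Application log within the last $Hours hours.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-EventLog -LogName Application -Source Userenv -After $since -ErrorAction SilentlyContinue |
        Where-Object { @(1517, 1524) -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, UserName, Message
}

function Get-LoggedOnUsers {
    # quser prints a header line, then one line per interactive session.
    # The first token is the user name, prefixed with '>' for the session
    # that is running this script. Names are lower-cased for comparison.
    $lines = & quser 2>$null | Select-Object -Skip 1
    foreach ($line in $lines) {
        $name = ($line.Trim() -split '\s+')[0].TrimStart('>')
        if ($name) { $name.ToLowerInvariant() }
    }
}

function Get-OrphanedUserProcesses {
    # List processes whose owner is a regular account that no longer has an
    # interactive session. Built-in service accounts are skipped because
    # they legitimately run without a logged-on user.
    $loggedOn = @(Get-LoggedOnUsers)
    $serviceAccounts = @('system', 'local service', 'network service')
    Get-WmiObject Win32_Process | ForEach-Object {
        $owner = $_.GetOwner()
        if ($owner.ReturnValue -ne 0 -or -not $owner.User) { return }
        $user = $owner.User.ToLowerInvariant()
        if ($serviceAccounts -contains $user) { return }
        if ($loggedOn -notcontains $user) {
            New-Object PSObject -Property @{
                ProcessId = $_.ProcessId
                Name      = $_.Name
                SessionId = $_.SessionId
                Owner     = "$($owner.Domain)\$($owner.User)"
            }
        }
    }
}

# Usage: report both signals. An explorer.exe in the orphaned list is the
# "old explorer.exe" the report describes and should be terminated, and
# the profile-unload events tell you which logoff left it behind.
Write-Host "Profile unload failures (last 24h):"
Get-ProfileUnloadFailures | Format-Table -AutoSize
Write-Host "Processes owned by users with no interactive session:"
Get-OrphanedUserProcesses | Sort-Object Owner, Name | Format-Table ProcessId, Name, SessionId, Owner -AutoSize
```

Both checks are heuristics: a process that survives logoff still holds a token for the old logon session, so comparing against quser (which lists terminal-server sessions, not tokens) is what makes the stale process visible. Running this from a scheduled task at logoff time, and alerting when the orphaned list is non-empty, turns the report's task-manager observation into a repeatable detection.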