Re: Windows logoff bug possible security vulnerability and exploit.

To: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
Subject: Re: Windows logoff bug possible security vulnerability and exploit.
From: Rage Coder <ragecoder@xxxxxxx>
Date: Thu, 18 Jan 2007 06:59:05 -0500
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <1906051202.20070118004158@xxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <45AE054F.6090908@xxxxxxx> <1906051202.20070118004158@xxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.7) Gecko/20060910 SeaMonkey/1.0.5

The problem only occurs at times. To reproduce the problem, I just usethe computer normally, and at each logon check the event viewer andrunning processes to see if a profile unload failed. I don't have anyspecial terminal software or other logon software installed.

I find that if I wait for a little bit after logging off before loggingon again, no running programs from the previous logon are present, butif I log on just after logging off, they will be if the profile unloadfails. That still shouldn't be the case. My brother frequently goes onhis account right after I go off; there shouldn't be a time limit towait in order to prevent this.

I noticed an interesting thing about XP and fast user switching whichwould likely stop this problem. When logging on, the first logged onuser is given session ID 0, as shown in task manager, but if I 'switch'to another user, the user is given a different session ID. It seemsthat no two users are given the same session ID when using fast userswitching. But when logging off all users and then back on, it is backto session 0. And if I just log on as a user, log off, and then on asanother user without using the 'switch user', they both are session ID 0.

The same thing happens when using classic logon and on 2003. All logonsare given session ID 0. I did some reading in the platform SDK and somesites about stuff, and it seems that these sessions literally create anisolation. Messages sent from a process in one session ID are notvisible to processes in another, windows created only appear on thedesktop associated with that session of the process that created thewindow, etc.

Ideally, running classic logon always as session 0 'should' work becauseideally when logging of, the processes ran 'should' close, so the nextuser to log on would have nothing to access. But this does not appearto be the case at all times.

A few moments ago I logged in as administrator to do some minor changes,and I ran EPIM to take some notes of things. When I logged of and backon as a regular using, 'explorer.exe', 'essentialpim.exe','seamonkey.exe' were still running as Administrator, event viewer showedthe usual UserEnv messages, and EPIM appeared on the system tray. Myguess is something like this happens:


Logon Administrator : Session ID 0
Run EssentialPIM : Session ID 0
Do some stuff
Logoff Administrator : Profile unload fails, a few programs continue running
Logon Normal User : Session ID 0
Explorer runs, and at startup broadcasts 'TaskbarCreated' message

All processes in session 0 get this message, EPIM adds system tray iconlike it is supposed to

If each logon, even in classic mode, is given a separate session ID asis done in fast user switching, this would not happen, even if theprofile unload fails and the programs continue to run waiting for theprofile to unload:


Logon Administrator : Session ID 0
Run EssentialPIM : Session ID 0
Do some stuff
Logoff Administrator : Profile unload fails, a few programs continue running
Logon Normal User : Session ID 1
Explorer runs, and at startup broadcasts 'TaskbarCreated' message
All processes in session 1 get this message
Programs that may continue to run in session 0 are isolated

If I log on as administrator again, it would be ok to reuse session 0,but for a given boot, no two users should be assigned the same logonsession ID. I.E. if I log on as Normal User again, it would be session1, etc.

This would not prevent a profile from failing to unload, and would notprevent the processes from continuing to run, but it will prevent a userfrom a later logon from accessing the processes in the current logon.


3APA3A@xxxxxxxxxxxxxxxx wrote:

Dear Rage Coder,

 I've seen unloaded profiles for many times, but I never saw application
 still  running  after  logoff.  Profile  itself doesn't create security
 vulnerability, since it can not be accessed by another user.

 What do you use to reproduce this vulnerability?

 Are  you  sure  you  do  not  use some different software which affects
 logon/logoff process, e.g. 3rd party terminal software or some security
 enhancement?

References:
- Windows logoff bug possible security vulnerability and exploit.
  - From: Rage Coder
- Re: Windows logoff bug possible security vulnerability and exploit.
  - From: 3APA3A

Prev by Date: Re: [Full-disclosure] iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE
Next by Date: Re: [Full-disclosure] iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE
Previous by thread: Re: Windows logoff bug possible security vulnerability and exploit.
Next by thread: Re: Windows logoff bug possible security vulnerability and exploit.
Index(es):
- Date
- Thread