Bugtraq mailing list archives
Re: Windows logoff bug possible security vulnerability and exploit.
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Thu, 18 Jan 2007 00:41:58 +0300
Dear Rage Coder, I've seen unloaded profiles for many times, but I never saw application still running after logoff. Profile itself doesn't create security vulnerability, since it can not be accessed by another user. What do you use to reproduce this vulnerability? Are you sure you do not use some different software which affects logon/logoff process, e.g. 3rd party terminal software or some security enhancement? --Wednesday, January 17, 2007, 2:15:27 PM, you wrote to bugtraq () securityfocus com: RC> The security problem I'm discussing occurs when a user profile fails to RC> unload during logoff. The event viewer show a profile unload error as a RC> UserEnv application event, ID 1517 and 1524 on Server 2003. At times, RC> if the system is under heavy use and the registry is still being RC> accessed, the user profile (registry, etc) will not unload and the RC> programs launched by that user will continue to run. This is evident RC> from task manager, which reveals that the old 'explorer.exe' and other RC> processes of a previous login are still running. I have also tested this RC> with the UPHClean utility and the same results have appeared, even RC> though the registry gets remapped. If another user logs on while these RC> programs are running, the user may be able to access the programs, and RC> with it the permissions of the user that ran the programs. Some RC> programs are more easy to access than others if they continue to run, RC> such as those programs that only allow one instance or programs that RC> reinsert themselves into the system tray. I still do not think it is RC> the responsibility of the program to make sure it is on the right RC> desktop, but the OS should make sure the program does not 'bounce' from RC> on user's login session to another. -- ~/ZARAZA http://security.nnov.ru/
Current thread:
- Windows logoff bug possible security vulnerability and exploit. Rage Coder (Jan 17)
- Re: Windows logoff bug possible security vulnerability and exploit. 3APA3A (Jan 17)
- Re: Windows logoff bug possible security vulnerability and exploit. Rage Coder (Jan 18)
- <Possible follow-ups>
- Re: Windows logoff bug possible security vulnerability and exploit. Bart .... (Jan 23)
- Re: Windows logoff bug possible security vulnerability and exploit. Rage Coder (Jan 29)
- Re: Windows logoff bug possible security vulnerability and exploit. 3APA3A (Jan 17)