Re: Windows logoff bug possible security vulnerability and exploit.

[3APA3A <3APA3A () SECURITY NNOV RU>]

Dear Rage Coder,

 I've seen unloaded profiles for many times, but I never saw application
 still  running  after  logoff.  Profile  itself doesn't create security
 vulnerability, since it can not be accessed by another user.

 What do you use to reproduce this vulnerability?

 Are  you  sure  you  do  not  use some different software which affects
 logon/logoff process, e.g. 3rd party terminal software or some security
 enhancement?

--Wednesday, January 17, 2007, 2:15:27 PM, you wrote to bugtraq () securityfocus com:


RC> The security problem I'm discussing occurs when a user profile fails to
RC> unload during logoff.  The event viewer show a profile unload error as a
RC> UserEnv application event, ID 1517 and 1524 on Server 2003.  At times,
RC> if the system is under heavy use and the registry is still being 
RC> accessed, the user profile (registry, etc) will not unload and the 
RC> programs launched by that user will continue to run. This is evident
RC> from task manager, which reveals that the old 'explorer.exe' and other
RC> processes of a previous login are still running. I have also tested this
RC> with the UPHClean utility and the same results have appeared, even 
RC> though the registry gets remapped.  If another user logs on while these
RC> programs are running, the user may be able to access the programs, and
RC> with it the permissions of the user that ran the programs.  Some 
RC> programs are more easy to access than others if they continue to run,
RC> such as those programs that only allow one instance or programs that
RC> reinsert themselves into the system tray.  I still do not think it is
RC> the responsibility of the program to make sure it is on the right 
RC> desktop, but the OS should make sure the program does not 'bounce' from
RC> on user's login session to another.



-- 
~/ZARAZA
http://security.nnov.ru/