Bugtraq mailing list archives
Re[2]: W2k: Unkillable Applications
From: Phaedrus <phaedrus-securityfocus () lycanon org>
Date: Tue, 17 Jul 2001 11:57:49 -0700
Chris Adams <chris () improbable org> wrote:

CA> Task Manager is really inconsistent - I renamed a copy of notepad to
CA> winlogon.exe. If I start it and try to kill it through the "Applications"
CA> tab of the task manager, it will be killed as normal. If I try to kill it
CA> through the "Processes" tab, task manager won't let me.

The WinXP task manager also behaves this way (at least in RC1).

CA> It might be worth seeing exactly what triggers this behaviour in the task
CA> manager - the application tab might have a different filtering criteria
CA> (e.g. is it strictly ACL-based or might it be looking at something like the
CA> original filename attribute in the exe header?). In any case, a malicious
CA> attacker could simply make a program which doesn't open a window, which
CA> would cause it not to show up in the Applications tab.

It appears that the Processes tab is doing a simple filename-based search, and the Applications tab isn't doing any search at all. (After all, the 'critical system processes' like Winlogon would never show up in the Applications tab in the first place, since they don't have top-level windows associated with them.)

The amusing thing is that the Task Manager clearly has enough information to discriminate between the 'real' Winlogon and the 'fake' one, and even shows that information to the user; for example, the real Winlogon is run under the SYSTEM account, while the fake one is running as the user. But it does not use this information in deciding what processes to allow to be killed; it apparently only uses the filename.

At the very, very least, the Task Manager should be making this check based on the full pathname of the process, not just the filename; an application running in C:\TEMP is highly unlikely to be a critical system process...
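As an added example (not code from the post or from Task Manager), the comparison the reply argues for, written in Python over constructed process records: the bare-filename check the Processes tab appears to use, beside a check on the full image path and the owning account. The protected-name set, the W2k system directory and the expected SYSTEM account are assumptions.

```python
# Added example: filename-only protection versus path-and-account protection.
# Process records are constructed to mimic the Processes tab; on a live
# system they would come from a process-enumeration API.
import ntpath
from dataclasses import dataclass

# Assumption: a subset of the image names Task Manager refuses to kill.
PROTECTED_NAMES = {"winlogon.exe", "csrss.exe", "smss.exe", "services.exe", "lsass.exe"}
# Assumption: W2k default system directory; compared case-insensitively.
SYSTEM_DIR = ntpath.normcase(ntpath.normpath(r"C:\WINNT\system32"))
# Assumption: the account a genuine critical process runs under.
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"


@dataclass(frozen=True)
class Proc:
    pid: int
    path: str      # full image path
    account: str   # owning account, as the Processes tab shows it


def filename_only_check(p: Proc) -> bool:
    """The observed behaviour: protection keyed on the bare filename alone."""
    return ntpath.normcase(ntpath.basename(p.path)) in PROTECTED_NAMES


def path_and_account_check(p: Proc) -> bool:
    """Protected only if the name matches AND the image lives in the system
    directory AND the process runs as SYSTEM."""
    path = ntpath.normcase(ntpath.normpath(p.path))
    in_system_dir = ntpath.dirname(path) == SYSTEM_DIR
    is_system = p.account.upper() == SYSTEM_ACCOUNT
    return ntpath.basename(path) in PROTECTED_NAMES and in_system_dir and is_system


def find_impostors(procs):
    """Processes the filename check shields but the stronger check does not."""
    return [p for p in procs if filename_only_check(p) and not path_and_account_check(p)]


# Constructed sample: the real Winlogon, a renamed notepad in C:\TEMP (the
# post's scenario), an ordinary program, and a right-path / wrong-account case.
SAMPLE = [
    Proc(196, r"C:\WINNT\system32\winlogon.exe", "NT AUTHORITY\\SYSTEM"),
    Proc(1234, r"C:\TEMP\winlogon.exe", "W2KBOX\\chris"),
    Proc(1300, r"C:\WINNT\system32\notepad.exe", "W2KBOX\\chris"),
    Proc(1400, r"C:\WINNT\SYSTEM32\WINLOGON.EXE", "W2KBOX\\chris"),
]

if __name__ == "__main__":
    for p in find_impostors(SAMPLE):
        print(f"pid {p.pid}: {p.path} ({p.account}) matches a protected name but fails the path/account check")
```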
Current thread:
- W2k: Unkillable Applications Thomas Zehetbauer (Jul 16)
- Re: W2k: Unkillable Applications Chad Loder (Jul 16)
- RE: W2k: Unkillable Applications Kaido Karner (Jul 17)
- RE: W2k: Unkillable Applications Snow, Corey (Jul 16)
- RE: W2k: Unkillable Applications Kaido Karner (Jul 17)
- Re: W2k: Unkillable Applications Justin Nelson (Jul 17)
- Re: W2k: Unkillable Applications Chris Adams (Jul 17)
- Re: W2k: Unkillable Applications Alun Jones (Jul 17)
- Re: W2k: Unkillable Applications Chris Adams (Jul 17)
- Re[2]: W2k: Unkillable Applications Phaedrus (Jul 17)
- Re: Re[2]: W2k: Unkillable Applications Bronek Kozicki (Jul 18)
- RE: W2k: Unkillable Applications Kaido Karner (Jul 17)
- Re[2]: W2k: Unkillable Applications Dimitry Andric (Jul 17)
- RE: W2k: Unkillable Applications Andy Cristina (Jul 17)
- RE: W2k: Unkillable Applications Toomas Kiisk (Jul 18)
- RE: W2k: Unkillable Applications David LeBlanc (Jul 19)