Re: Windows logoff bug possible security vulnerability and exploit.

["Bart ...." <need4angel () hotmail com>]

Dear Rage Coder,

I think this is a now problem, see Microsoft knowledge base article 837115:
http://support.microsoft.com/kb/837115

Microsoft recommend to use "User Profile Hive Cleanup Service":
http://www.microsoft.com/downloads/details.aspx?FamilyID=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Can you tel me of this helps solving your problem?

Greetz
Bart

Rage Coder wrote:
> The problem only occurs at times.  To reproduce the problem, I just use the 
> computer normally, and at each logon check the event viewer and running 
> processes to see if a profile unload failed.  I don't have any special 
> terminal software or other logon software installed.
>
> I find that if I wait for a little bit after logging off before logging on 
> again, no running programs from the previous logon are present, but if I 
> log on just after logging off, they will be if the profile unload fails.  
> That still shouldn't be the case.  My brother frequently goes on his 
> account right after I go off; there shouldn't be a time limit to wait in 
> order to prevent this.
>
> I noticed an interesting thing about XP and fast user switching which would 
> likely stop this problem.  When logging on, the first logged on user is 
> given session ID 0, as shown in task manager, but if I 'switch' to another 
> user, the user is given a different session ID.  It seems that no two users 
> are given the same session ID when using fast user switching. But when 
> logging off all users and then back on, it is back to session 0.  And if I 
> just log on as a user, log off, and then on as another user without using 
> the 'switch user', they both are session ID 0.
>
> The same thing happens when using classic logon and on 2003.  All logons 
> are given session ID 0.  I did some reading in the platform SDK and some 
> sites about stuff, and it seems that these sessions literally create an 
> isolation.  Messages sent from a process in one session ID are not visible 
> to processes in another, windows created only appear on the desktop 
> associated with that session of the process that created the window, etc.
>
> Ideally, running classic logon always as session 0 'should' work because 
> ideally when logging of, the processes ran 'should' close, so the next user 
> to log on would have nothing to access.  But this does not appear to be the 
> case at all times.
>
> A few moments ago I logged in as administrator to do some minor changes, 
> and I ran EPIM to take some notes of things.  When I logged of and back on 
> as a regular using, 'explorer.exe', 'essentialpim.exe', 'seamonkey.exe' 
> were still running as Administrator, event viewer showed the usual UserEnv 
> messages, and EPIM appeared on the system tray.  My guess is something like 
> this happens:
>
> Logon Administrator : Session ID 0
> Run EssentialPIM : Session ID 0
> Do some stuff
> Logoff Administrator : Profile unload fails, a few programs continue 
> running
> Logon Normal User : Session ID 0
> Explorer runs, and at startup broadcasts 'TaskbarCreated' message
> All processes in session 0 get this message, EPIM adds system tray icon 
> like it is supposed to
>
> If each logon, even in classic mode, is given a separate session ID as is 
> done in fast user switching, this would not happen, even if the profile 
> unload fails and the programs continue to run waiting for the profile to 
> unload:
>
> Logon Administrator : Session ID 0
> Run EssentialPIM : Session ID 0
> Do some stuff
> Logoff Administrator : Profile unload fails, a few programs continue 
> running
> Logon Normal User : Session ID 1
> Explorer runs, and at startup broadcasts 'TaskbarCreated' message
> All processes in session 1 get this message
> Programs that may continue to run in session 0 are isolated
>
> If I log on as administrator again, it would be ok to reuse session 0, but 
> for a given boot, no two users should be assigned the same logon session 
> ID.  I.E.  if I log on as Normal User again, it would be session 1,  etc.
>
> This would not prevent a profile from failing to unload, and would not 
> prevent the processes from continuing to run, but it will prevent a user 
> from a later logon from accessing the processes in the current logon.
>
> 3APA3A () SECURITY NNOV RU wrote:
> > Dear Rage Coder,
> >
> >  I've seen unloaded profiles for many times, but I never saw application
> >  still  running  after  logoff.  Profile  itself doesn't create security
> >  vulnerability, since it can not be accessed by another user.
> >
> >  What do you use to reproduce this vulnerability?
> >
> >  Are  you  sure  you  do  not  use some different software which affects
> >  logon/logoff process, e.g. 3rd party terminal software or some security
> >  enhancement?

_________________________________________________________________
Valentine’s Day -- Shop for gifts that spell L-O-V-E at MSN Shopping 
http://shopping.msn.com/content/shp/?ctId=8323,ptnrid=37,ptnrdata=24095&tcode=wlmtagline