[23947] in bugtraq
The "Lunch Break Hole"
daemon@ATHENA.MIT.EDU (Frank Heyne)
Tue Jan 22 16:58:00 2002
From: "Frank Heyne" <fh@rcs.urz.tu-dresden.de>
To: bugtraq@securityfocus.com
Date: Mon, 21 Jan 2002 13:27:34 +0100
Reply-To: fh@rcs.urz.tu-dresden.de
Message-Id: <E16SdXT-0007Kq-00@mailgate.urz.tu-dresden.de>
The "Lunch Break Hole"
Author: Frank Heyne http://www.heysoft.de/
Copyright 2002 Frank Heyne - All rights reserved
Release Date: 21 January 2002
Reprint (full or partial) must include a link to the original advisory at
http://www.heysoft.de/nt/lbh.htm !
Overview:
This advisory describes multiple problems regarding the unlocking of locked
Windows NT machines (all versions). There is no difference whether the
computer was locked manually (by pressing <CTRL+ALT+DEL> + <ENTER>) or by a
password protected screen saver.
Imagine:
You are the administrator of a Windows 2000 network. Your security policy
specifies that an account will be locked out after a wrong password has
been entered 5 times. You have applied the latest service packs and hotfixes.
HfNetChk finds no problems with your machines. You think you are safe...
You lock your computer and leave for lunch. When you come back, your
machine is (still or again?) locked, and you unlock it. As usual, you have
a look into the Security event log. You see that 5 Security events 529
(failed logon because of wrong password) and 3 Security events 539 (failed
logon because of locked account) have been logged. You see no Security
event 528 (successful logon) during the time of your lunch break. Someone
tried to break in again, and failed again - or so you think.
The Hole:
It is quite possible that someone already knows your password, and that he
uses a security hole in Windows 2000 to log on to your machine without
leaving any logon/logoff traces in the Security log! Under certain
conditions, all versions of Windows NT log a successful logon, which
normally creates Security event 528, as a failed logon (Security event 539)!
Because locking the machine creates no Security event by design, a local
attacker can use this hole to log on to a locked machine and lock the
machine again when he is done, without leaving logon/logoff traces of his
successful break-in in the Security log!
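As an added example (not part of this advisory), the following Python check walks constructed log lines, counts the three event IDs per account and reports the pattern described above, where 539 events after a lockout cannot be trusted to mean "failed". It also goes beyond the advisory's scenario by flagging a 539 logged before the lockout threshold could have been reached, which under this policy should not happen. The log format, account names and the assumption that the lockout counter is per account within this log are mine, not the advisory's.

```python
from collections import defaultdict

# Constructed sample log in a simplified "timestamp,event_id,account,workstation"
# form (not real Windows event log output). Event IDs are the advisory's:
# 529 = bad password, 539 = account locked out, 528 = successful logon.
SAMPLE_LOG = """\
2002-01-21 12:03:10,529,alice,WS01
2002-01-21 12:03:15,529,alice,WS01
2002-01-21 12:03:19,529,alice,WS01
2002-01-21 12:03:24,529,alice,WS01
2002-01-21 12:03:30,529,alice,WS01
2002-01-21 12:03:41,539,alice,WS01
2002-01-21 12:03:47,539,alice,WS01
2002-01-21 12:03:52,539,alice,WS01
2002-01-21 12:10:00,529,bob,WS02
2002-01-21 12:10:05,539,bob,WS02
2002-01-21 12:11:00,529,carol,WS03
2002-01-21 12:11:30,528,carol,WS03
"""

LOCKOUT_THRESHOLD = 5  # the advisory's example policy: lock out after 5 bad passwords

def parse(log_text):
    """Parse the constructed format into (timestamp, event_id, account, host) tuples."""
    return [(ts, int(eid), acct, host)
            for ts, eid, acct, host in (l.split(",") for l in log_text.splitlines() if l)]

def analyze(events, threshold=LOCKOUT_THRESHOLD):
    """Per account: count 529/539/528 and say whether the 539 events can be taken at face value.
    Assumes lockout failures counted in this log only; with a domain-wide lockout policy,
    failures on other hosts also count and an 'early' 539 may be legitimate."""
    counts = defaultdict(lambda: {"529": 0, "539": 0, "528": 0, "early_539": 0})
    for _, eid, acct, _ in events:
        c = counts[acct]
        if eid == 539 and c["529"] < threshold:
            c["early_539"] += 1       # "locked out" failure although the account cannot be locked yet
        if str(eid) in c:
            c[str(eid)] += 1
    report = {}
    for acct, c in counts.items():
        if c["early_539"]:
            verdict = "anomalous"     # 539 below threshold: possibly a successful logon recorded as 539
        elif c["539"] and not c["528"]:
            verdict = "inconclusive"  # the advisory's case: 539s after lockout, no 528; corroborate
        else:
            verdict = "normal"
        report[acct] = {**c, "verdict": verdict}
    return report

if __name__ == "__main__":
    for acct, r in analyze(parse(SAMPLE_LOG)).items():
        print(acct, r)
```

The "inconclusive" verdict is the point of the advisory: the absence of a 528 during the lunch break is not evidence that nobody unlocked the machine, so such runs need corroboration from other sources.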
The full story can be found at http://www.heysoft.de/nt/lbh.htm
Greetings
Frank Heyne