[24006] in bugtraq
RE: The "Lunch Break Hole"
daemon@ATHENA.MIT.EDU (David LeBlanc)
Mon Jan 28 14:34:00 2002
From: "David LeBlanc" <dleblanc@mindspring.com>
To: <bugtraq@securityfocus.com>
Date: Sun, 27 Jan 2002 00:55:32 -0800
Message-ID: <00fd01c1a710$61406510$0800a8c0@davenet.local>
In-Reply-To: <E16SdXT-0007Kq-00@mailgate.urz.tu-dresden.de>
> There are chances that someone already knows your password, and that he
> uses a security hole of Windows 2000 to log into your machine without
> leaving any logon/logoff traces in the Security log!
[snip]
> Because the locking of the machine creates no Security event by design, a
> local attacker can use this hole to log onto a locked machine and lock this
> machine again (when he is done), without leaving logon/logoff traces of his
> successful break in in the Security log!
This does not repro on my XP Pro system. When I lock and unlock the
system, it creates events in the security events IF I have logon
auditing enabled. I haven't had time to test against Windows 2000.
And, BTW, if someone already knows your password, this should be the
least of your worries.