[24562] in bugtraq
Re: Tiny Personal Firewall
daemon@ATHENA.MIT.EDU (elfs)
Tue Mar 5 23:12:27 2002
Date: Tue, 5 Mar 2002 14:13:10 +0200
From: elfs <elfs@rs.gov.lv>
Reply-To: elfs <elfs@rs.gov.lv>
Message-ID: <1091019568391.20020305141310@rs.gov.lv>
To: bugtraq@securityfocus.com
In-Reply-To: <Pine.LNX.4.43.0203041041560.9902-100000@mail.securityfocus.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
> It must be the responsibility of the OS to prevent console users
> interacting with applications when the desktop is locked. No user
> process should ever be able to bypass the lock mechanism.
If we take a look to WinAPI help for, i.e. MessageBox, we see, that it
has a flag (WindowsNT only), called MB_SERVICE_NOTIFICATION:
(..) The caller is a service notifying the user of an event. The
function displays a message box on the current active desktop, even if
there is no user logged on to the computer (..)
So we can write a small test program:
---[ test.c ]---
#include <windows>
void main()
{
Sleep(3000); // Pause, to give you time to lock
// the computer
MessageBox(
NULL, // HWND, should be NULL
"Who cares if we are locked?", // Messagebox text
"Test", // Messagebox caption
MB_OK | MB_SERVICE_NOTIFICATION // Flags
);
}
and this gives a chance for almost any appl to communicate with user
on WinNT, even if the computer is locked.
Just my 0.02 Ls -
elfs,
Latvia
