The "Lunch Break Hole"

From: Frank Heyne (fhat_private-dresden.de)
Date: Mon Jan 21 2002 - 04:27:34 PST


    The "Lunch Break Hole"
    Author: Frank Heyne http://www.heysoft.de/
    Copyright (c) 2002 Frank Heyne - All rights reserved
    Release Date: 21. January 2002
    Reprint (full or partial) must include a link to the original advisory at 
    http://www.heysoft.de/nt/lbh.htm !
    
    Overview: 
    This advisory describes multiple problems regarding the unlocking of locked 
    Windows NT machines (all versions). There is no difference whether the 
    computer was locked manually (by pressing <CTRL+ALT+DEL> + <ENTER>) or by a 
    password protected screen saver. 
    
    Imagine: 
    You are the administrator of a Windows 2000 network. Your security policies 
    determine that an account will be locked out after a wrong password has 
    been entered 5 times. You have applied the latest service packs and hotfixes. 
    HFNetChk finds no problems with your machines. You think you are safe... 
    
    You lock your computer and leave for lunch. When you come back, your 
    machine is (still or again?) locked, and you unlock it. As usual, you have 
    a look into the Security event log. You see that there have been 5 Security 
    events 529 (failed logon because of wrong password) and 3 Security events 
    539 (failed logon because of locked account) logged. You see no Security 
    event 528 (successful logon) during the time of your lunch break. Again 
    someone tried to break in, and he missed again - or so you think. 
    
    The Hole: 
    There is a chance that someone already knows your password, and that he 
    uses a security hole of Windows 2000 to log into your machine without 
    leaving any logon/logoff traces in the Security log! All versions of 
    Windows NT do - under certain conditions - log successful logons, which 
    normally create a Security event 528, as a failed logon (Security event 539)! 
    
    Because the locking of the machine creates no Security event by design, a 
    local attacker can use this hole to log onto a locked machine and lock the 
    machine again (when he is done), without leaving logon/logoff traces of his 
    successful break-in in the Security log! 
    
    The full story can be found at http://www.heysoft.de/nt/lbh.htm
    
    Greetings
    
    Frank Heyne
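The event-ID pattern from the lunch-break scenario, turned into a small triage script. This is an added example, not code from the advisory or from heysoft.de: the log lines are constructed, the one-event-per-line layout ("date time event-id account") is an assumed export format rather than the native NT event log format, and the lockout threshold of 5 is taken from the scenario. The script flags a window in which an account reached the lockout threshold via 529s, then produced 539s, and never produced a 528, because, as the advisory says, a 539 in that position may in fact be a successful unlock.

```python
"""Triage Windows NT/2000 Security-log logon events for the pattern the
"Lunch Break Hole" advisory describes.

Event IDs used (as in the advisory):
  528 - successful logon
  529 - failed logon, wrong password
  539 - failed logon, account locked out

A window with >= threshold 529s, followed by 539s, and no 528 looks like a
failed break-in, but since a successful unlock can be logged as 539, the
539s are not evidence that the attacker failed. Such windows are flagged.
"""

from datetime import datetime

LOCKOUT_THRESHOLD = 5  # assumed lockout policy, as in the scenario

# Constructed sample lines (not real log output): "<date> <time> <event id> <account>"
SAMPLE_LOG = """\
2002-01-21 12:02:10 529 FRANK
2002-01-21 12:02:25 529 FRANK
2002-01-21 12:02:40 529 FRANK
2002-01-21 12:02:55 529 FRANK
2002-01-21 12:03:12 529 FRANK
2002-01-21 12:03:30 539 FRANK
2002-01-21 12:03:45 539 FRANK
2002-01-21 12:04:02 539 FRANK
2002-01-21 12:15:00 528 ALICE
2002-01-21 12:20:00 529 ALICE
"""


def parse_log(text):
    """Parse the assumed export format into (timestamp, event_id, account) tuples,
    sorted by time so the ordering checks below are meaningful."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, time, event_id, account = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), int(event_id), account))
    events.sort(key=lambda e: e[0])
    return events


def triage(events, threshold=LOCKOUT_THRESHOLD):
    """Return a per-account record with event counts and a 'suspect' flag.

    suspect is True when, in time order, the account hit the lockout threshold
    through 529s, a 539 was logged after that point, and no 528 appears at all:
    exactly the window the advisory says must not be read as a failed attack.
    """
    per_account = {}
    for when, event_id, account in events:
        rec = per_account.setdefault(account, {
            "counts": {528: 0, 529: 0, 539: 0},
            "locked_out_at": None,   # time of the threshold-th 529
            "first_539_at": None,
            "suspect": False,
        })
        if event_id in rec["counts"]:
            rec["counts"][event_id] += 1
        if event_id == 529 and rec["counts"][529] == threshold and rec["locked_out_at"] is None:
            rec["locked_out_at"] = when
        if event_id == 539 and rec["first_539_at"] is None:
            rec["first_539_at"] = when

    for rec in per_account.values():
        locked_then_539 = (
            rec["locked_out_at"] is not None
            and rec["first_539_at"] is not None
            and rec["first_539_at"] > rec["locked_out_at"]
        )
        rec["suspect"] = locked_then_539 and rec["counts"][528] == 0
    return per_account


def report(per_account):
    """Render one line per account; the flagged line is the one to investigate."""
    lines = []
    for account, rec in sorted(per_account.items()):
        c = rec["counts"]
        verdict = ("SUSPECT: 539s after lockout with no 528; a 539 may be a masked "
                   "successful unlock (Lunch Break Hole)") if rec["suspect"] else "ok"
        lines.append(f"{account}: 528={c[528]} 529={c[529]} 539={c[539]} -> {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(parse_log(SAMPLE_LOG))))
```

On a real machine the lines would come from an event-log export rather than the constructed string; the point of the check is that the absence of a 528 is not, by itself, evidence that nobody got in.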
    



    This archive was generated by hypermail 2b30 : Tue Jan 22 2002 - 13:46:57 PST