The "Lunch Break Hole"

Author: Frank Heyne
http://www.heysoft.de/
Copyright 2002 Frank Heyne - All rights reserved
Release Date: 21 January 2002

Reprint (full or partial) must include a link to the original advisory at http://www.heysoft.de/nt/lbh.htm !

Overview:

This advisory describes multiple problems regarding the unlocking of locked Windows NT machines (all versions). It makes no difference whether the computer was locked manually (by pressing <CTRL+ALT+DEL> + <ENTER>) or by a password-protected screen saver.

Imagine: You are the administrator of a Windows 2000 network. Your security policy specifies that an account is locked out after a wrong password has been entered 5 times. You have applied the latest service packs and hotfixes. HFNetChk finds no problems with your machines. You think you are safe...

You lock your computer and leave for lunch. When you come back, your machine is (still or again?) locked, and you unlock it. As usual, you have a look into the Security event log. You see that 5 Security events 529 (failed logon because of wrong password) and 3 Security events 539 (failed logon because of locked account) have been logged. You see no Security event 528 (successful logon) during the time of your lunch break. "Again someone tried to break in, and he failed again," you think.

The Hole:

There is a chance that someone already knows your password, and that he uses a security hole of Windows 2000 to log into your machine without leaving any logon/logoff traces in the Security log!

All versions of Windows NT do - under certain conditions - log successful logons, which normally create a Security event 528, as failed logons (Security event 539)! Because locking the machine creates no Security event by design, a local attacker can use this hole to log onto a locked machine and lock it again when he is done, without leaving logon/logoff traces of his successful break-in in the Security log!

The full story can be found at http://www.heysoft.de/nt/lbh.htm

Greetings
Frank Heyne