Dear Rage Coder,

I've seen unloaded profiles many times, but I never saw an application still running after logoff. The profile itself doesn't create a security vulnerability, since it cannot be accessed by another user. What do you use to reproduce this vulnerability? Are you sure you do not use some different software which affects the logon/logoff process, e.g. 3rd party terminal software or some security enhancement?

--Wednesday, January 17, 2007, 2:15:27 PM, you wrote to bugtraq@xxxxxxxxxxxxxxxxx:

RC> The security problem I'm discussing occurs when a user profile fails to
RC> unload during logoff. The event viewer shows a profile unload error as a
RC> UserEnv application event, ID 1517 and 1524 on Server 2003. At times,
RC> if the system is under heavy use and the registry is still being
RC> accessed, the user profile (registry, etc) will not unload and the
RC> programs launched by that user will continue to run. This is evident
RC> from task manager, which reveals that the old 'explorer.exe' and other
RC> processes of a previous login are still running. I have also tested this
RC> with the UPHClean utility and the same results have appeared, even
RC> though the registry gets remapped. If another user logs on while these
RC> programs are running, the user may be able to access the programs, and
RC> with it the permissions of the user that ran the programs. Some
RC> programs are easier to access than others if they continue to run,
RC> such as those programs that only allow one instance or programs that
RC> reinsert themselves into the system tray. I still do not think it is
RC> the responsibility of the program to make sure it is on the right
RC> desktop, but the OS should make sure the program does not 'bounce' from
RC> one user's login session to another.

-- 
~/ZARAZA
http://security.nnov.ru/
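
Added example (not part of the original message and not code from either poster): a Python check that correlates the Userenv 1517/1524 events named in the quoted text with a process snapshot and reports processes that started before their owner's latest failed profile unload, i.e. processes that outlived that logoff. The event and process records, account names and field names are constructed for illustration.

```python
from datetime import datetime

UNLOAD_FAILURE_IDS = {1517, 1524}  # Userenv event IDs named in the thread
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records (assumed field names, not taken from a real host).
EVENTS = [
    {"time": "2007-01-17 09:02:11", "source": "Userenv", "id": 1517, "user": "CORP\\alice"},
    {"time": "2007-01-17 09:02:11", "source": "Userenv", "id": 1524, "user": "CORP\\alice"},
    {"time": "2007-01-17 09:05:40", "source": "Userenv", "id": 1517, "user": "CORP\\carol"},
    {"time": "2007-01-17 09:10:00", "source": "MsiInstaller", "id": 1517, "user": "CORP\\bob"},
]
PROCESSES = [
    {"pid": 1480, "image": "explorer.exe", "owner": "corp\\Alice", "started": "2007-01-17 08:15:00"},
    {"pid": 2212, "image": "traytool.exe", "owner": "CORP\\alice", "started": "2007-01-17 08:16:30"},
    {"pid": 3100, "image": "explorer.exe", "owner": "CORP\\bob", "started": "2007-01-17 08:50:00"},
    {"pid": 3344, "image": "notepad.exe", "owner": "CORP\\carol", "started": "2007-01-17 09:30:00"},
]

def last_unload_failures(events):
    """Map each account (lower-cased) to the time of its latest Userenv 1517/1524 event."""
    latest = {}
    for ev in events:
        # Event IDs are only meaningful together with their source.
        if ev["source"].lower() != "userenv" or ev["id"] not in UNLOAD_FAILURE_IDS:
            continue
        user, when = ev["user"].lower(), datetime.strptime(ev["time"], FMT)
        if user not in latest or when > latest[user]:
            latest[user] = when
    return latest

def leftover_processes(events, processes):
    """Return processes started before their owner's latest failed profile unload."""
    failures = last_unload_failures(events)
    hits = []
    for proc in processes:
        # Windows account names compare case-insensitively.
        failed_at = failures.get(proc["owner"].lower())
        if failed_at and datetime.strptime(proc["started"], FMT) < failed_at:
            hits.append(proc)
    return hits

if __name__ == "__main__":
    for proc in leftover_processes(EVENTS, PROCESSES):
        print(f'{proc["pid"]:>5}  {proc["image"]:<14} {proc["owner"]}  started {proc["started"]}')
```

A service configured to run under the same account also survives logoff and would be reported, so review each hit before treating it as a leftover of the interactive session.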