[NT] The "Lunch Break Hole" (Missed Event Log)

From: support@securiteam.com
Date: 01/23/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 23 Jan 2002 23:46:06 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  The "Lunch Break Hole" (Missed Event Log)
------------------------------------------------------------------------

SUMMARY

This advisory describes multiple problems regarding the unlocking of
locked Windows NT machines (all versions). There is no difference whether
the computer was locked manually (by pressing <CTRL+ALT+DEL> + <ENTER>) or
by a password protected screen saver.
The impact of this vulnerability is that an attacker who already knows the
password can log in without leaving a record in the event log.

DETAILS

Scenario:
You are the administrator of a Windows 2000 Network. Your Security
policies determine that an account will be locked out after a wrong
password has been entered 5 times. You have applied the latest service packs
and hotfixes. HfNetChk finds no problems with your machines. You think
you are safe...

You lock your computer and leave for lunch. When you come back, your
machine is (still or again?) locked, and you unlock it. As usual, you have
a look into the Security event log. You see that there have been 5
Security events 529 (failed logon because of wrong password) and 3
Security events 539 (failed logon because of locked account) logged. You
see no Security event 528 (successful logon) during the time of your lunch
break. Once again, someone tried to break in and failed - you think.

The hole:
It is possible that someone already knows your password and is using a
security hole in Windows 2000 to log into your machine without leaving any
logon/logoff traces in the Security log! Under certain conditions, all
versions of Windows NT log a successful logon, which normally creates a
Security event 528, as a failed logon (Security event 539).

Because locking the machine creates no Security event by design, a local
attacker can use this hole to log onto a locked machine and lock it again
when he is done, without leaving logon/logoff traces of his successful
break-in in the Security log!

These are the conditions for such a successful logon:
1) Security policies determine that an account will be locked after a
wrong password has been entered too often.
2) The computer is locked.
3) The account is locked because of condition 1.
4) The default configuration, which allows unlocking a machine even when
the account is locked out, has not been changed.
5) The attacker already knows the password, or he is able to guess it very
soon.

Workaround:
Apply the fix suggested in KB article
<http://www.microsoft.com/technet/support/kb.asp?ID=188700> Q188700. This
fix requires you to add the following Registry value:

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: ForceUnlockLogon
Type: DWORD
Content: 1 (on) or 0 (off)

Microsoft says a reboot is necessary. In all experiments done, the change
took effect immediately, even without a reboot. When ForceUnlockLogon is
set to 1, a locked-out account cannot unlock a locked machine, so an
attacker can no longer use the hole in the event log mechanism to log on
undetected.
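As an added example that is not part of the advisory, the following PowerShell function audits the ForceUnlockLogon value from Q188700 on the local machine and, when run with -Remediate from an elevated prompt, sets it to 1 and re-reads it to confirm. The function and parameter names are this example's own.

```powershell
# Added example (not from the advisory): audits the ForceUnlockLogon
# registry value described above and optionally sets it to 1.
# Function and parameter names are this example's own.
function Test-ForceUnlockLogon {
    [CmdletBinding()]
    param(
        # Set the value to 1 when it is missing or 0 (needs local admin rights).
        [switch]$Remediate
    )

    $keyPath = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $name    = 'ForceUnlockLogon'

    # A missing value behaves like 0: a locked-out account may still unlock the console.
    $item    = Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { [int]$item.$name } else { $null }

    $result = [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Value      = $current
        Compliant  = ($current -eq 1)
        Remediated = $false
    }

    if (-not $result.Compliant -and $Remediate) {
        # Q188700 gives the type as DWORD; -Force overwrites an existing 0.
        New-ItemProperty -Path $keyPath -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        # Re-read the value rather than trusting the write.
        $check = Get-ItemProperty -Path $keyPath -Name $name -ErrorAction Stop
        $result.Value      = [int]$check.$name
        $result.Compliant  = ($result.Value -eq 1)
        $result.Remediated = $result.Compliant
    }

    return $result
}

# Usage: report only, or enforce from an elevated prompt.
Test-ForceUnlockLogon
# Test-ForceUnlockLogon -Remediate
```

Run it across a fleet with Invoke-Command to find machines where the value is still absent or 0.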

Vendor:
Microsoft was informed about the problems in December 2001. According to
an email from 18 January 2002 it "looks like we'll be able to correct the
event log entry in the next service pack". However, there will be no SP 7
for NT 4.

ADDITIONAL INFORMATION

The information has been provided by <mailto:fh@RCS.URZ.TU-DRESDEN.DE>
Frank Heyne.
