Microsoft Windows XP Fast User Switching feature causes account lockout vulnerability - PCZONE 討論區

Member
Microsoft Windows XP Fast User Switching feature causes account lockout vulnerability
Published: 2001-12-20

Affected systems:
Microsoft Windows XP Professional
Microsoft Windows XP

Description:

Microsoft Windows XP is Microsoft's new-generation operating system. It introduces a new Fast User Switching feature that lets users switch quickly between accounts without having to log off and log on again.

The design of the Fast User Switching feature in Microsoft Windows XP is flawed and can be used to cause account lockouts, leaving all non-administrator accounts unable to log on.

Combined with the account lockout policy, a user can use Fast User Switching to rapidly retry logging on with one user name; the system treats this as a brute-force attack and locks all non-administrator accounts, so other users cannot log on to the host until an administrator unlocks them.

Source: Tomasz Polus ([email protected])

Test method:

1. Set the maximum number of bad password attempts to 3.
2. Create 10 users with ordinary user privileges (User1 - User10).
3. Log on with the User1 account.
4. Use Fast User Switching to log on to the User2 account.
5. Using Fast User Switching from User1, fail to log on to User2 three times in a row.
6. Try to log on to the User3 account.

At this point you will find that all non-administrator accounts have been locked.

Solution:

No patch is currently available.
=========================================================================

The original message follows

From: Tomasz Polus ([email protected])
Date: Thu Dec 20 2001 - 02:52:15 CST

Hello bugtraq subscribers,

Below is a description of three security problems with Windows XP Professional, which we think are bugs - not features. We are actually writing a book about Windows XP security and need to clarify these concerns. Please express your opinions and let us know if you find these problems important to Windows XP security.

System affected: Windows XP Professional in a workgroup.

I. Problem with account locking due to fast user switching

Fast user switching is a new Windows XP feature, which allows simultaneous logging on of more than one user. It is based on Terminal Services technology and runs unique user sessions that enable each user's data to be entirely separated. Fast User Switching is enabled by default on a stand-alone or workgroup-connected computer. It is not available in domains.

While extensively using this new feature, we found that it locks out accounts on our machine. Please try this on your Windows XP computers:

1. Set the account lockout threshold to 3 attempts.
2. Create 10 user accounts with user level privileges (User1 - User10).
3. Logon using User1 account.
4. Using fast user switching, logon using User2 account.
5. Use fast switching to change from User1 to User2 3 times.
6. Attempt to logon using User3 account.

At this point, every account on the machine would be locked out (except Administrator account of course). Security Log would now show logon failure (ID529) and account locked (ID539) entries. Please see attached TXT file with event log entries.

We have also found that there is no need to switch between _two_ users. Even switching between _one_ user (logging on and logging off using fast user switching) results in all accounts being locked out.

We notified Microsoft on December the 5th, 2001 and received the following reply from Microsoft Security Response Center:

From: Microsoft Security Response Center [mailto:[email protected]]
Sent: Wednesday, December 12, 2001 10:54 PM
To: Tomasz Polus
Cc: Microsoft Security Response Center
Subject: RE: Fast User Switching blocks user accounts [cb]

[...] "Fast User Switching is a feature that's designed primarily for home users. One thing that Fast User Switching does is to check local accounts for blank passwords to determine if a prompt should be provided for a particular user or not. Users who have elected to maintain blank passwords are not shown the prompt for their account when they switch accounts. Because of this, if account lockouts are enabled in conjunction with Fast User Switching, it is possible for this feature to inadvertently lockout accounts. If you want to enable the account lockout feature, it's recommended that you not use the Fast User Switching feature. I hope this is helpful in clarifying what you are seeing. Please let us know if you have any questions or concerns." [...]

I would like to point out they didn't write that only accounts with blank passwords are locked out - which is actually right. For all of our test accounts passwords have_been_set. This problem does not affect accounts with blank passwords.

As you can see, Microsoft admitted this to be a problem and recommended not to use fast user switching in conjunction with Account Lockout. We see this as a significant limitation on the new feature, and/or a forced downgrading of security settings.

II. Problem with reset password disk

Windows XP introduced a new feature - "Password Reset Disk", which can be used to recover user account and personalized computer settings if a user forgets his password.

The problem is that in certain conditions (Minimum password age <> 0) user may not be able to reset his password using above mentioned disk and the only solution is the reset password feature available to the Administrator.

First, make sure the "Minimum password age" policy is set to a value other than 0. Now, supposing the user forgets his password before its age expires, he will not be able to reset it with the disk until the password expires.

What's more, changing password by an Administrator using MMC or control panel (in other words - GUI) leads to user data loss (i.e. EFS files) because of private key loss. The only solution seems to be "net user" command issued by an administrator.

III. Remote Desktop sends recently used username in plaintext

This problem was first detected by Szymon Nowak - we made the tests and drew the final conclusions.

Remote Desktop client remembers account name which has been used recently to establish RD session with another machine. When sniffing the network, Szymon found that RD client has sent login to the other computer in plain text. We clarified that what was actually sent is not a user account name on the destination machine, but username which has been used recently to logon with RD client.

However, assuming that the logon is made to the same computer as recently, RD client sends in clear text user account name present on the destination computer. In some cases, this can pose a big security risk. For example, if RD client is used by users connecting to a terminal server, the attacker can sniff all the TS user accounts.

We're very interested in your opinions about all these problems. Please try this at your machines and let us know if these are common, so we could find versions affected.

Regards,
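As an added illustration that is not part of the original post or the advisory: the Security Log entries the post describes (ID 529 logon failures and ID 539 lockouts) can be scanned for the symptom of this bug, namely accounts that get locked without ever accumulating a threshold's worth of failed logons themselves, and for a burst of lockouts across many accounts. The simplified log format, the detection window and the account count that counts as a cascade are assumptions; the sample lines are constructed, not the advisory's attachment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified "<date> <time> <event id> <account>" form (not the
# advisory's TXT attachment). 529 = logon failure, 539 = account locked out.
SAMPLE_LOG = """\
2001-12-20 02:40:01 529 User2
2001-12-20 02:40:03 529 User2
2001-12-20 02:40:05 529 User2
2001-12-20 02:40:05 539 User2
2001-12-20 02:40:20 539 User3
2001-12-20 02:40:21 539 User4
2001-12-20 02:40:21 539 User5
2001-12-20 02:45:00 529 Alice
"""
LOCKOUT_THRESHOLD = 3                  # the advisory's test policy setting
CASCADE_WINDOW = timedelta(minutes=2)  # assumed detection window, not from the advisory
CASCADE_MIN_ACCOUNTS = 3               # assumed: distinct lockouts per window that make a cascade

def parse_log(text):
    """Parse the simplified log into (timestamp, event id, account) tuples in time order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            date, time, eid, account = line.split()
            events.append((datetime.fromisoformat(f"{date} {time}"), int(eid), account))
    return sorted(events)

def unexplained_lockouts(events, threshold=LOCKOUT_THRESHOLD):
    """Accounts locked (539) with fewer than `threshold` failures (529) before the lockout:
    a genuine brute-force lockout has at least `threshold` failures, the fast-switching symptom has none."""
    failures = defaultdict(int)
    suspicious = []
    for _, eid, account in events:
        if eid == 529:
            failures[account] += 1
        elif eid == 539 and failures[account] < threshold:
            suspicious.append(account)
    return suspicious

def lockout_cascade(events, window=CASCADE_WINDOW, min_accounts=CASCADE_MIN_ACCOUNTS):
    """Distinct accounts locked inside any sliding `window` holding >= `min_accounts` lockouts."""
    locked = [(ts, account) for ts, eid, account in events if eid == 539]
    flagged = set()
    for i, (start, _) in enumerate(locked):
        in_window = {account for ts, account in locked[i:] if ts - start <= window}
        if len(in_window) >= min_accounts:
            flagged |= in_window
    return sorted(flagged)
```

On the sample, User2 is a legitimate threshold lockout, while User3 to User5 are locked with no failures of their own, which is the pattern the post reports.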

The Hunter

Doesn't a design like this actually increase security?
Could someone explain?
