COMMAND

    taskmanager

SYSTEMS AFFECTED

    Win NT

PROBLEM

    Martin Bishop has discovered what is a minor security threat in the
    NT "locked workstation" state.  As we all know, a user can lock the
    workstation he is locally logged on to by pressing Ctrl-Alt-Del and
    then e.g. Enter.  While the workstation is locked, only the user who
    locked it or an administrator can unlock it, by pressing Ctrl-Alt-Del
    and entering a username and password.  In the locked mode every other
    function should be disabled for the local user, and that also appears
    to be the case, except for one other hot key combination:
    Ctrl-Shift-Esc, which invokes the Task Manager just as it does in the
    non-locked mode.  Note that the locked workstation does not show the
    Task Manager window and you cannot interact with it, but the process
    is nevertheless started (you can see it once you unlock the
    workstation).  That alone would hardly be worth mentioning.  The
    problem becomes much bigger when you press Ctrl-Shift-Esc and hold it
    for a couple of seconds (15 seconds worked in the test environment,
    but the figure could depend on the amount of RAM in the computer).
    Holding these keys down appears to start multiple copies of Task
    Manager (250 of them were created in 15 seconds) which, as normal,
    run at "high" priority.  Each of them consumes somewhere between
    approx. 150 and 480 kB of memory, and each of them also creates some
    CPU load (at "high" priority!).  As a final consequence your NT 4.0
    Server is completely DoS'ed for more than two hours: flashes of Task
    Manager windows redrawing and erasing themselves, the desktop
    background disappearing and reappearing, CPU utilization fixed at
    100%, "Virtual Memory Low" messages popping up, and not even
    Ctrl-Alt-Del will help.
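    As an added example (not part of the original advisory), the following
    detector looks for the spawn pattern described above: a burst of
    high-priority taskmgr.exe starts inside a short window.  It runs over
    constructed process-start records; the record fields, the priority
    names and the threshold are assumptions, and the sample mirrors the
    250 instances in 15 seconds reported above.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcStart:
    ts: float        # start time in seconds (constructed; field names are assumptions)
    pid: int
    image: str       # executable name, e.g. "taskmgr.exe"
    priority: str    # scheduling class as reported by the OS
    mem_kb: int      # working set at start, in kB

def detect_spawn_bursts(events, image="taskmgr.exe", window_s=15.0,
                        threshold=50, priorities=("high", "realtime")):
    """Report bursts of `image` starts at elevated priority: more than `threshold`
    starts inside any sliding `window_s`-second window, one record per burst."""
    recent = deque()            # starts inside the current window
    bursts, current = [], None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.image.lower() != image or ev.priority.lower() not in priorities:
            continue
        recent.append(ev)
        while ev.ts - recent[0].ts > window_s:   # drop starts older than the window
            recent.popleft()
        count = len(recent)
        if count > threshold:
            mem = sum(e.mem_kb for e in recent)
            if current is None:   # a new burst begins
                current = {"first_ts": recent[0].ts, "peak_count": count, "peak_mem_kb": mem}
            else:                 # burst continues: track its peak
                current["peak_count"] = max(current["peak_count"], count)
                current["peak_mem_kb"] = max(current["peak_mem_kb"], mem)
        elif current is not None:  # window fell back under the threshold: burst over
            bursts.append(current)
            current = None
    if current is not None:
        bursts.append(current)
    return bursts

# Constructed sample: a few ordinary starts, then 250 high-priority Task Manager
# starts in 15 s (150-399 kB each, inside the 150-480 kB range the advisory gives),
# then a small cluster of Task Manager starts that stays under the threshold.
SAMPLE_EVENTS = (
    [ProcStart(60.0 + k, 900 + k, "winword.exe", "normal", 4096) for k in range(3)]
    + [ProcStart(100.0 + i * 0.06, 1000 + i, "taskmgr.exe", "high", 150 + i) for i in range(250)]
    + [ProcStart(500.0 + k, 2000 + k, "taskmgr.exe", "high", 200) for k in range(10)]
)

if __name__ == "__main__":
    for b in detect_spawn_bursts(SAMPLE_EVENTS):
        print(f"burst from t={b['first_ts']}: peak {b['peak_count']} procs, {b['peak_mem_kb']} kB")
```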

SOLUTION

    This may not be a major security threat, since it requires physical
    access to the computer and is only of (mis)use when the workstation
    is locked (I expect it is reproducible in the non-locked mode too,
    but once you are there you can do much more damage than a mere DoS).
    Nevertheless it should be noted that locking a workstation with
    unsaved changes to critical documents (e.g. unsaved Word documents)
    and then leaving it in an area where untrusted people can get
    physical access could be dangerous (remember: it takes only a couple
    of seconds).  In such situations you should only rely on the locking
    mechanism when no considerable loss would result from hard-rebooting
    the machine instead of simply unlocking it.