Windows Autologon Function Control Check

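Vulnerability information

Vulnerability name: Windows Autologon Function Control Check

Vulnerability type: Configuration issue

Severity: Medium

Vulnerability description: This issue concerns control of the Autologon feature in the Windows operating system. Autologon lets the system log on automatically at startup without the user entering credentials, which can be convenient in some scenarios but also introduces security risk. Specifically, when the AutoAdminLogon registry value is set to "1", logon credentials may be stored in the registry, where an attacker may be able to use them to gain unauthorized access to the system.

Affected product: Windows is an operating system used worldwide on personal computers, servers and in many other settings. Autologon is especially common in enterprise environments, where it is used to simplify system administration, but misconfiguring it can create security risk.

Vulnerability explanation: This is a configuration issue: the Autologon feature is enabled when it should not be. The technical root cause is that the AutoAdminLogon value in the Windows registry is set to "1", so the system logs on at startup with the stored credentials and no user interaction. This configuration not only violates the principle of least privilege but may also lead to disclosure of sensitive information.

Impact analysis: With Autologon enabled, an attacker with physical or remote access to the system may be able to retrieve the stored logon credentials and gain unauthorized access. Exploiting this does not require complex attack techniques and may be automated by tools, so it constitutes a medium-level security risk. To mitigate the risk, set the AutoAdminLogon registry value to "0" to disable Autologon.

Vendor: Microsoft

Product name: Windows

Source: https://github.com/projectdiscovery/nuclei-templates/blob/b740ee6791c0a6d36cac233d23a096ba91d2f060/code%2Fwindows%2Faudit%2Fkisa%2Fautologon-control.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC details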


```yaml
id: autologon-control

info:
  name: Autologon Function Control Check
  author: nukunga[SungHyunJeon]
  severity: medium
  description: |
    Ensure the Autologon feature is disabled by verifying that the AutoAdminLogon registry value under
    HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon is either missing or set to "0".
    A value of "1" indicates that login credentials may be stored in the registry, creating a potential security risk.
  impact: |
    Enabling Autologon allows attackers with physical or remote access to retrieve stored login credentials, potentially resulting in unauthorized system access.
  remediation: |
    Disable Autologon by setting the AutoAdminLogon registry value to "0". This can be done using:
    - Registry Editor: Go to HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and set AutoAdminLogon to "0".
  reference:
    - https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
  tags: autologon,account-management,code,windows-audit,kisa

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      $regPath = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
      $autologon = (Get-ItemProperty -Path $regPath -Name AutoAdminLogon -ErrorAction SilentlyContinue).AutoAdminLogon
      if ($null -eq $autologon -or $autologon -eq "0") {
        "AUTO_ADMIN_LOGON_DISABLED"
      } else {
        "AUTO_ADMIN_LOGON_ENABLED"
      }

    matchers:
      - type: word
        words:
          - "AUTO_ADMIN_LOGON_ENABLED"
```
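
The template's check and its stated remediation combined into one audit function, as an added example that is not part of the nuclei template or the original page. The function name `Test-AutologonControl` and the `-Remediate` switch are hypothetical, and the `DefaultUserName` and `DefaultPassword` value names are the standard Winlogon autologon values, which the page itself does not mention.

```powershell
# Added example: audit (and optionally remediate) the Autologon setting.
# Test-AutologonControl and -Remediate are hypothetical names used for illustration.
function Test-AutologonControl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$RegPath = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
        [switch]$Remediate
    )

    # Read the key once; a missing key yields $null instead of a terminating error.
    $key = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue

    # Same rule as the template: a missing value or "0" means Autologon is disabled.
    $value   = if ($key) { $key.AutoAdminLogon } else { $null }
    $enabled = -not ($null -eq $value -or "$value" -eq '0')

    # Assumption (not on the page): standard Winlogon value names for the autologon
    # account and password. Only the presence of the password is reported, never its value.
    $hasPassword = [bool]($key -and $key.PSObject.Properties['DefaultPassword'])
    $userName    = if ($key -and $key.PSObject.Properties['DefaultUserName']) { $key.DefaultUserName } else { $null }

    # Remediation from the template: set AutoAdminLogon to "0" (needs an elevated session).
    if ($enabled -and $Remediate -and $PSCmdlet.ShouldProcess($RegPath, 'Set AutoAdminLogon to 0')) {
        Set-ItemProperty -Path $RegPath -Name AutoAdminLogon -Value '0' -Type String
        $value   = '0'
        $enabled = $false
    }

    # Status strings match the words the template's matcher looks for.
    [pscustomobject]@{
        Status                = if ($enabled) { 'AUTO_ADMIN_LOGON_ENABLED' } else { 'AUTO_ADMIN_LOGON_DISABLED' }
        AutoAdminLogon        = $value
        DefaultUserName       = $userName
        DefaultPasswordStored = $hasPassword
    }
}

# Audit only; add -Remediate (optionally with -WhatIf) to apply the fix.
Test-AutologonControl
```

A result with `DefaultPasswordStored` still `True` after remediation means a password value remains in the Winlogon key even though automatic logon is off.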


http://example.com/2025/07/10/github_2205168344/
Author: lianccc
Published: July 10, 2025