Re: LSADump2 Crashing Systems

From: oh face (0h.fac3@gmail.com)
Date: Fri Sep 23 2005 - 11:53:11 EDT

• Next message: Paul: "EXPLODE YOUR SEX LÍFE WÍTH VÍAGRA!!"
• Previous message: Laurent Constantin: "Re: Topology discover"
• In reply to: Nicolas RUFF: "Re: LSADump2 Crashing Systems"
• Next in thread: Andrew Clarke: "Re: LSADump2 Crashing Systems"
• Reply: Andrew Clarke: "Re: LSADump2 Crashing Systems"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Your patch works (though not tested extensively). My friend also
pointed out that PWDump code has the same problems that you mentioned.
Perhaps, it's time for an update, BindView?

On 9/16/05, Nicolas RUFF <nicolas.ruff@gmail.com> wrote:
> Hello,
>
> After investigating deeper, I found several problems in LSADUMP2 :
> - Buffers too small (300 bytes for the smallest)
> - Allocated memory not flagged as executable (that is why LSADUMP2 is
> not compatible with the NX flag)
> - Reuse of freed memory
>
> Here is a small patch that has been tested sucessfully on Windows XP SP2
> with DEP "AlwaysOn" enabled (where LSADUMP2 failed).
>
> Regards,
> - Nicolas RUFF
> Security researcher @ EADS-CCR
>
> ---------------------------------------------------------------
>
> diff lsadump2/dumplsa.c lsadump3/dumplsa.c
> 34a35
> > #define BUF_SIZE 1024
> 110c111
> < char szBuffer[1000];
> ---
> > char szBuffer[BUF_SIZE];
> 137c138
> < TCHAR szBuffer[300];
> ---
> > TCHAR szBuffer[BUF_SIZE];
> 189c190
> < WCHAR wszSecret[500];
> ---
> > WCHAR wszSecret[BUF_SIZE];
> 230c231
> < char szSecret[500];
> ---
> > char szSecret[BUF_SIZE];
> 242a244
> > lsaData = NULL;
>
> diff lsadump2/lsadump2.c lsadump3/lsadump2.c
> 261c261
> < MEM_COMMIT, PAGE_READWRITE);
> ---
> > MEM_COMMIT, PAGE_EXECUTE_READWRITE);
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
> futile against web application hacking. Check your website for vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------
>
>

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

• Next message: Paul: "EXPLODE YOUR SEX LÍFE WÍTH VÍAGRA!!"
• Previous message: Laurent Constantin: "Re: Topology discover"
• In reply to: Nicolas RUFF: "Re: LSADump2 Crashing Systems"
• Next in thread: Andrew Clarke: "Re: LSADump2 Crashing Systems"
• Reply: Andrew Clarke: "Re: LSADump2 Crashing Systems"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:59 EDT