Re: [Full-disclosure] LSADump2 Crashing Windows

From: Dave Aitel (dave_at_immunitysec.com)
Date: 09/03/05

    Date: Sat, 03 Sep 2005 01:16:33 -0400
    To: John McGuire <jmcguire81@cox.net>
    
    

    This is a bug in lsadump2 - there's a type mismatch in one of the
    functions, although I forget which one. Something is a pointer which
    shouldn't be, or vice versa. Once you fix that, it'll be good to go.

    -dave

    John McGuire wrote:

    > I have also had this happen to me, but have not had any luck in
    > narrowing down the exact culprit. As you stated, it does not appear to
    > just be tied to MS patches. I have a series of virtual machines
    > running at various patch levels, and none of them will crash. Running
    > it on my fully patched laptop, however, will crash every time. If you
    > happen to find the answer off this list, please post it. I’d love to
    > know more about it. Thanks
    >
    > John
    >
    > -----Original Message-----
    > *From:* full-disclosure-bounces@lists.grok.org.uk
    > [mailto:full-disclosure-bounces@lists.grok.org.uk] *On Behalf Of *oh face
    > *Sent:* Friday, September 02, 2005 11:42 AM
    > *To:* full-disclosure@lists.grok.org.uk
    > *Subject:* [Full-disclosure] LSADump2 Crashing Windows
    >
    > In my recent experience, LSADump2 has been crashing Windows boxes. I
    > was able to verify this on fully patched Windows XP and 2003. In
    > further examination, LSADump2, when executed, killed the "lsass"
    > process, and with the "winlogon" process still running, the system was
    > forced to reboot. As far as I know, LSADump2 is utilizing a DLL
    > injection technique to dump the contents of LSA secrets.
    >
    > Question:
    > 1. Has anyone had this experience? If so, is there a safe method to
    > execute this tool?
    > 2. When I tested LSADump2 on various Windows boxes, not all fully
    > patched boxes were affected by this issue. What configuration of
    > Windows is exactly causing "lsass" to fail?
    >
    >------------------------------------------------------------------------
    >
    >_______________________________________________
    >Full-Disclosure - We believe in it.
    >Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    >Hosted and sponsored by Secunia - http://secunia.com/
    >
