Re: [Full-disclosure] LSADump2 Crashing Windows
From: Nicolas RUFF (nicolas.ruff_at_gmail.com)
Date: 09/16/05
- Previous message: ZATAZ Audits: "[Full-disclosure] Message for D1g1t4lLeech ZATAZ Audit has discovered this bug the 2005-09-05 D1g1t4lLeech you are a true Leecher ;)"
- In reply to: Dave Aitel: "Re: [Full-disclosure] LSADump2 Crashing Windows"
- Next in thread: Nicolas RUFF: "Re: [Full-disclosure] LSADump2 Crashing Windows"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 16 Sep 2005 17:01:55 +0200
To: full-disclosure@lists.grok.org.uk
> This is a bug in lsadump2 - there's a type mismatch in one of the
> functions, although I forget which one. Something is a pointer which
> shouldn't be, or vice versa. Once you fix that, it'll be good to go.
Are you sure about that?
After investigating deeper, I found several problems in LSADUMP2:
- Buffers too small (300 bytes for the smallest)
- Allocated memory not flagged as executable (that is why LSADUMP2 is
not compatible with the NX flag)
- Reuse of freed memory
Here is a small patch that has been tested successfully on Windows XP SP2
with DEP "AlwaysOn" enabled (where LSADUMP2 failed).
Regards,
- Nicolas RUFF
Security researcher @ EADS-CCR
---------------------------------------------------------------
diff lsadump2/dumplsa.c lsadump3/dumplsa.c
34a35
> #define BUF_SIZE 1024
110c111
< char szBuffer[1000];
--- > char szBuffer[BUF_SIZE]; 137c138 < TCHAR szBuffer[300]; --- > TCHAR szBuffer[BUF_SIZE]; 189c190 < WCHAR wszSecret[500]; --- > WCHAR wszSecret[BUF_SIZE]; 230c231 < char szSecret[500]; --- > char szSecret[BUF_SIZE]; 242a244 > lsaData = NULL; diff lsadump2/lsadump2.c lsadump3/lsadump2.c 261c261 < MEM_COMMIT, PAGE_READWRITE); --- > MEM_COMMIT, PAGE_EXECUTE_READWRITE); _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
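Review bot: the size hunks (110c111, 137c138, 189c190, 230c231, all driven by the `#define BUF_SIZE 1024` added at 34a35) only raise the ceiling; nothing in the diff shows the copies into szBuffer, wszSecret and szSecret being bounded by BUF_SIZE, so a secret longer than 1024 elements would still overflow exactly as the 300/500/1000-element versions did. Suggest either sizing the buffer from the length the API reports for the secret, or comparing that length against `sizeof(buf)/sizeof(buf[0])` before the copy and failing cleanly. Note also that the constant is an element count, not a byte count: for `WCHAR wszSecret[BUF_SIZE]` it is 2048 bytes, so any byte-length comparison must take that into account.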
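Review bot: 242a244 adds `lsaData = NULL;` with no surrounding context, so it is not visible whether the code that later touches lsaData tests for NULL; clearing the pointer after release only turns the "reuse of freed memory" into a detectable NULL pointer if the later use is guarded. Suggest adding the `if (lsaData != NULL)` check at the reuse site in the same change, plus a one-line comment saying why the pointer is cleared.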
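Review bot: 261c261 changes the allocation (the `MEM_COMMIT` call) from PAGE_READWRITE to PAGE_EXECUTE_READWRITE without a comment; the change should state that this region holds code the tool executes, which is what DEP "AlwaysOn" blocked, otherwise a later reader may see RWX and "fix" it back to read/write. It is also worth recording that a writable and executable region is exactly the pattern the NX flag and DEP exist to reject, so this is a compatibility change, not a hardening one.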
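The three defects listed in the message (undersized fixed buffers, and a freed pointer that is reused) share one lesson: a bigger BUF_SIZE is a ceiling, not a bound. The added example below is not lsadump2 code; it assumes a hypothetical counted string type (`counted_wstr`, length in bytes, no terminator) standing in for the secrets the tool copies, and shows the bounds check and the free-then-clear pattern that the patch's `lsaData = NULL;` line relies on.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

#define BUF_SIZE 1024   /* same ceiling the patch introduces */

/* Hypothetical counted string (assumption, not the tool's own type):
 * Length is in bytes and Buffer is not NUL-terminated. */
typedef struct {
    unsigned short Length;
    const wchar_t *Buffer;
} counted_wstr;

/* Copy a counted string into a fixed buffer of `cap` wchar_t elements and
 * always NUL-terminate. Returns 0 on success, -1 if the secret does not
 * fit. This comparison, not the size of the array, is what bounds the
 * write: a 1024-element buffer overflows just like a 300-element one if
 * the length is never checked. */
int copy_secret(wchar_t *dst, size_t cap, const counted_wstr *src)
{
    size_t n = src->Length / sizeof(wchar_t);   /* bytes -> elements */
    if (cap == 0 || n >= cap)                   /* room for the terminator */
        return -1;
    memcpy(dst, src->Buffer, n * sizeof(wchar_t));
    dst[n] = L'\0';
    return 0;
}

/* Release and clear: the same idea as the patch's `lsaData = NULL;`.
 * A later `if (p != NULL)` can then detect the released pointer instead
 * of silently reusing freed memory. */
void release_secret(wchar_t **p)
{
    free(*p);
    *p = NULL;
}

/* Constructed demonstration: a 599-character secret fits in BUF_SIZE
 * but is rejected, rather than overflowing, for a 300-element buffer. */
int demo(void)
{
    wchar_t big[BUF_SIZE], small[300], src[600];
    for (size_t i = 0; i < 599; i++) src[i] = L'A';
    src[599] = L'\0';
    counted_wstr s = { (unsigned short)(599 * sizeof(wchar_t)), src };
    int ok_big = copy_secret(big, BUF_SIZE, &s);   /* 0: fits */
    int ok_small = copy_secret(small, 300, &s);    /* -1: refused */
    return ok_big == 0 && ok_small == -1;
}
```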