Re: [Full-disclosure] LSADump2 Crashing Windows

From: Nicolas RUFF (nicolas.ruff_at_gmail.com)
Date: 09/16/05

    Date: Fri, 16 Sep 2005 17:01:55 +0200
    To: full-disclosure@lists.grok.org.uk
    
    

    > This is a bug in lsadump2 - there's a type mismatch in one of the
    > functions, although I forget which one. Something is a pointer which
    > shouldn't be, or vice versa. Once you fix that, it'll be good to go.

    Are you sure about that?
    After investigating deeper, I found several problems in LSADUMP2:
    - Buffers too small (300 bytes for the smallest)
    - Allocated memory not flagged as executable (that is why LSADUMP2 is
    not compatible with the NX flag)
    - Reuse of freed memory

    Here is a small patch that has been tested successfully on Windows XP SP2
    with DEP "AlwaysOn" enabled (where LSADUMP2 failed).

    Regards,
    - Nicolas RUFF
    Security researcher @ EADS-CCR

    ---------------------------------------------------------------

    diff lsadump2/dumplsa.c lsadump3/dumplsa.c
    34a35
    > #define BUF_SIZE 1024
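    Review bot: the new BUF_SIZE has no comment on where 1024 comes from, and the later hunks use it as the element count of a char, a TCHAR and a WCHAR array, so the byte size it implies differs per buffer; a one-line comment at the define saying that it is an element count (not a byte count) and which limit it is meant to cover would save the next reader from guessing.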
    110c111
    < char szBuffer[1000];

    ---
    >     char szBuffer[BUF_SIZE];
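    Review bot: replacing `char szBuffer[1000]` with `char szBuffer[BUF_SIZE]` only raises the fixed bound from 1000 to 1024; nothing in this hunk shows the write into szBuffer being limited to that size, so whatever fills it should be handed sizeof(szBuffer) as its limit, otherwise a longer input still overflows, just 24 bytes later.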
    137c138
    <     TCHAR szBuffer[300];
    ---
    >     TCHAR szBuffer[BUF_SIZE];
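    Review bot: `TCHAR szBuffer[BUF_SIZE]` is BUF_SIZE characters but, in a UNICODE build, 2*BUF_SIZE bytes; any call that fills it and takes a size in bytes should receive sizeof(szBuffer), and any that takes a count in characters should receive BUF_SIZE. Mixing the two is the usual way a TCHAR buffer ends up either half-used or written past its end.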
    189c190
    <         WCHAR wszSecret[500];
    ---
    >         WCHAR wszSecret[BUF_SIZE];
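    Review bot: wszSecret is a stack array holding secret material, so the copy into it needs two things this hunk does not show: a cap at BUF_SIZE-1 elements with an explicit terminator (if the source is an LSA_UNICODE_STRING, its Length is a byte count and the buffer is not NUL-terminated), and a wipe of the array once the value has been printed, so the secret does not stay on the stack for the rest of the run.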
    230c231
    <             char szSecret[500];
    ---
    >             char szSecret[BUF_SIZE];
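    Review bot: `char szSecret[BUF_SIZE]` and `WCHAR wszSecret[BUF_SIZE]` in the previous hunk now share an element count, but a BUF_SIZE-character wide string can need more than BUF_SIZE bytes once converted to a multi-byte code page; the wide-to-narrow conversion should be given sizeof(szSecret) as the destination size and its return value checked for truncation rather than assumed to fit.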
    242a244
    > 			lsaData = NULL;
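    Review bot: `lsaData = NULL;` after the release closes the reuse-of-freed-memory problem named in the mail only if every later read of lsaData tests for NULL first; otherwise the use-after-free turns into a NULL dereference, which is the safer failure but still a crash. Worth confirming the code paths that follow check it before use.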
    diff lsadump2/lsadump2.c lsadump3/lsadump2.c
    261c261
    <                                    MEM_COMMIT, PAGE_READWRITE);
    ---
    >                                    MEM_COMMIT, PAGE_EXECUTE_READWRITE);
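    Review bot: PAGE_EXECUTE_READWRITE leaves the region both writable and executable for its whole lifetime, and the only explanation of why is in the mail text, not the code; a comment at this line stating that the buffer holds code that will run, and therefore needs execute permission under DEP "AlwaysOn", would keep a later maintainer from "fixing" it back to PAGE_READWRITE and reintroducing the crash.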
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
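Two of the three findings in the post (buffers too small and reuse of freed memory) reduce to two habits: bound every copy by the destination's element count, and clear a pointer as soon as its block is released. The C below is an example added for this page, not code from lsadump2 or from the original post; `counted_wstr`, `copy_counted`, `release_and_clear` and the demo functions are names chosen here, and the struct is a constructed stand-in for a Windows counted UTF-16 string (byte Length, no terminator) so that it builds on any platform. It keeps the patch's BUF_SIZE value but treats it strictly as an element count, which is the distinction the TCHAR and WCHAR hunks depend on.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 1024   /* element count, same value as the patch's BUF_SIZE */

/* Constructed stand-in for the layout of a counted UTF-16 string such as
 * LSA_UNICODE_STRING: Length and MaximumLength are BYTE counts and Buffer is
 * not NUL-terminated. uint16_t replaces WCHAR so this builds off Windows. */
typedef struct {
    uint16_t  Length;
    uint16_t  MaximumLength;
    uint16_t *Buffer;
} counted_wstr;

/* Copy a counted string into a fixed destination of dst_count elements,
 * always leaving it NUL-terminated. Returns the number of elements copied,
 * or -1 when the source would not fit (the destination is then emptied
 * rather than partially filled). */
int copy_counted(const counted_wstr *src, uint16_t *dst, size_t dst_count)
{
    if (dst == NULL || dst_count == 0 || src == NULL || src->Buffer == NULL)
        return -1;
    size_t n = src->Length / sizeof(uint16_t);   /* bytes -> elements */
    if (n >= dst_count) {                        /* no room for terminator */
        dst[0] = 0;
        return -1;
    }
    memcpy(dst, src->Buffer, n * sizeof(uint16_t));
    dst[n] = 0;
    return (int)n;
}

/* Release a heap block and clear the owning pointer, so a stale use fails
 * as a NULL dereference instead of reading freed memory. */
void release_and_clear(void **pp)
{
    if (pp != NULL && *pp != NULL) {
        free(*pp);
        *pp = NULL;
    }
}

/* Constructed input: a source of exactly BUF_SIZE elements. An unchecked
 * copy into a BUF_SIZE array would write the terminator past its end; here
 * the copy is refused instead. */
int demo_oversized_is_refused(void)
{
    static uint16_t big[BUF_SIZE];
    for (size_t i = 0; i < BUF_SIZE; i++) big[i] = (uint16_t)'A';
    counted_wstr s = { (uint16_t)(BUF_SIZE * sizeof(uint16_t)),
                       (uint16_t)(BUF_SIZE * sizeof(uint16_t)), big };
    uint16_t dst[BUF_SIZE];
    return copy_counted(&s, dst, BUF_SIZE);      /* -1 */
}

/* Constructed input: 5 UTF-16 code units, so Length = 10 bytes. Returns the
 * element count only if the copy matches and is terminated. */
int demo_fit(void)
{
    uint16_t src[5] = { 'S', 'E', 'C', 'R', 'T' };
    counted_wstr s = { (uint16_t)sizeof(src), (uint16_t)sizeof(src), src };
    uint16_t dst[BUF_SIZE];
    int n = copy_counted(&s, dst, BUF_SIZE);
    if (n != 5 || dst[5] != 0 || memcmp(dst, src, sizeof(src)) != 0)
        return -2;
    return n;                                    /* 5 */
}

/* Free-then-NULL: the pointer is visibly unusable after release. */
int demo_release_clears(void)
{
    void *block = malloc(64);
    if (block == NULL) return 0;
    release_and_clear(&block);
    return block == NULL;                        /* 1 */
}

int main(void)
{
    printf("oversized copy refused: %d\n", demo_oversized_is_refused());
    printf("fitting copy length:    %d\n", demo_fit());
    printf("pointer cleared:        %d\n", demo_release_clears());
    return 0;
}
```

The refusal path empties the destination instead of leaving a partial, unterminated secret behind, and the release helper takes the address of the owning pointer so the caller cannot forget the NULL assignment the patch adds by hand.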
    
