[NT] GFI LANguard Network Security Scanner Insecure Credential Storage

From: SecuriTeam (support_at_securiteam.com)
Date: 03/10/05

    To: list@securiteam.com
    Date: 10 Mar 2005 17:06:19 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      GFI LANguard Network Security Scanner Insecure Credential Storage
    ------------------------------------------------------------------------

    SUMMARY

     <http://gfi.com/lannetscan/> GFI LANguard Network Security Scanner
    (N.S.S.) checks your network for all potential methods that a hacker might
    use to attack it.

    GFI LANguard keeps saved passwords in process memory in cleartext, making
    it possible for a local attacker to dump the program's memory and possibly
    obtain an Administrator password.

    DETAILS

    The product provides two options for privileged scanning and patch
    deployment: "currently logged-on user" and "Alternative Credentials". GFI
    offers to save the entered password in "Alternative Credentials" mode.
    Another option in L.N.S.S. allows users to upload scan reports to an MS-SQL
    server; here again you must provide an account on the MS-SQL server for
    the application. A weakness discovered in this product makes it possible
    to dump the saved credentials INSTANTLY, without any offline attack being
    needed to recover them; the saved credentials in this case are a domain
    username and password.

    Each time the L.N.S.S. process (lnss.exe) is loaded to run a scan or
    deployment job using the saved credentials, the saved username and
    password can be read instantly from the memory space of the process,
    because L.N.S.S. loads them into memory as cleartext strings. With a
    simple, short piece of code it is possible to dump both the MS-SQL and the
    DOMAIN username/password from the local system. Note that in order to
    access the memory space of the lnss process you need sufficient privileges
    (usually local admin).

    Although this makes the attack vector more limited, it does not reduce the
    risk level of this weakness, because the attacker obtains a domain-admin
    level account password in CLEAR-TEXT by using a locally privileged
    account. This could be exploited by malicious code, or by way of another
    remote vulnerability in the system.
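    As an added example, not code from the advisory, from Hat-Squad or from GFI, the C below contrasts a credential record held in cleartext (the condition described above) with a record that keeps only a masked copy behind a per-record random key and unmasks it only for the moment of use, together with the scan a dump tool, or a defender verifying a fix, would run over process memory. The record types, `region_contains` and the caller-supplied mask are hypothetical; a real implementation would draw the mask from a CSPRNG or use an OS facility such as Windows' CryptProtectMemory, and the "S3cr3t!" value in the test is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define CRED_MAX 64

/* Naive record: the password sits in memory as a cleartext string (the
 * advisory's case). Hardened record: only (pass XOR mask) is kept, with a
 * fresh random mask per record, so no cleartext copy exists at rest. */
typedef struct { char pass[CRED_MAX]; } naive_cred_t;
typedef struct { uint8_t mask[CRED_MAX], masked[CRED_MAX]; size_t len; } masked_cred_t;

/* Zeroize in a way the optimizer may not drop (SecureZeroMemory on Windows
 * and explicit_bzero on BSD/glibc do the same job). */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* The check a dump tool, or a defender verifying a fix, performs: does this
 * memory region hold the secret as a contiguous cleartext string? */
int region_contains(const void *region, size_t len, const char *secret) {
    size_t n = strlen(secret);
    if (n == 0 || n > len) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp((const char *)region + i, secret, n) == 0) return 1;
    return 0;
}

void naive_store(naive_cred_t *c, const char *pass) {
    memset(c, 0, sizeof *c);
    strncpy(c->pass, pass, CRED_MAX - 1);
}

/* `mask` must come from a CSPRNG (e.g. BCryptGenRandom); it is a parameter
 * here so the test is deterministic. Returns 0 if the password does not fit. */
int masked_store(masked_cred_t *c, const char *pass, const uint8_t mask[CRED_MAX]) {
    size_t n = strlen(pass);
    if (n >= CRED_MAX) return 0;
    memset(c, 0, sizeof *c);
    memcpy(c->mask, mask, CRED_MAX);
    for (size_t i = 0; i < n; i++) c->masked[i] = (uint8_t)(pass[i] ^ mask[i]);
    c->len = n; return 1;
}

/* Unmask into the caller's buffer only for the moment of use; the caller
 * must secure_wipe() that buffer right after using it. */
void masked_reveal(const masked_cred_t *c, char out[CRED_MAX]) {
    for (size_t i = 0; i < c->len; i++) out[i] = (char)(c->masked[i] ^ c->mask[i]);
    out[c->len] = '\0';
}
```

    The masked form still reveals the password to anyone who can read both fields and knows the scheme; its value is that the secret never sits in memory as a searchable string between uses, and the unmasked buffer lives only until the caller wipes it.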

    Exploit Code:
    The password can be viewed in any memory dump tool. For example, the
    <http://www.kd-team.com/tools/MemPDump.kd_team.rar> "Process Memory Dumper"
    can easily be customized to complete the mission.

    Workarounds:
     * Do not run the LNSS process under low-privileged accounts (GFI's default
    is to run it as SYSTEM; keep it that way)
     * Do not save your password (at least the domain account used for
    scanning) in the application
     * Try not to use "Alternative Credentials" mode while using LNSS

    Vendor Status:
    Informed on 22 February 2005
    Response: 22 February 2005
    Released: 28 February 2005

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:service@hat-squad.com>
    Hat-Squad Security Team.
    The original article can be found at:
    <http://www.hat-squad.com/en/000160.html>

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

