RE: LSADump2 Crashing Systems

From: Ghetti, Tim (tghetti@air-worldwide.com)
Date: Fri Sep 09 2005 - 16:17:25 EDT


I had this experience with a fully patched 2003 Server domain
controller. It killed the lsass process and forced a reboot. At the time I
was investigating an unrelated issue and thought that the reboot was due
to the other issue. I never investigated this issue, as it was highly
unlikely that anyone used LSADump other than me.

> -----Original Message-----
> From: oh face [mailto:0h.fac3@gmail.com]
> Sent: Friday, September 02, 2005 5:31 PM
> To: pen-test@securityfocus.com; focus-ms@securityfocus.com
> Subject: LSADump2 Crashing Systems
>
> In my recent pen-test experience, LSADump2 has been crashing
> Windows boxes. I was able to verify this on fully patched
> Windows XP and 2003.
> In further examination, LSADump2, when executed, killed the "lsass"
> process, and with the "winlogon" process still running, the
> system was forced to reboot. As far as I know, LSADump2 is
> utilizing a DLL injection technique to dump the contents of
> LSA secrets.
>
> Question:
> 1. Has anyone had this experience? If so, is there a safe
> method to execute this tool?
> 2. When I tested LSADump2 on various Windows boxes, not all
> fully patched boxes were affected by this issue. What
> configuration of Windows is exactly causing "lsass" to fail?
>
> Cheers.
>
