Re: LSADump2 Crashing Systems

From: Nicolas RUFF (nicolas.ruff@gmail.com)
Date: Fri Sep 16 2005 - 11:07:48 EDT


Hello,

After investigating deeper, I found several problems in LSADUMP2 :
- Buffers too small (300 bytes for the smallest)
- Allocated memory not flagged as executable (that is why LSADUMP2 is
not compatible with the NX flag)
- Reuse of freed memory

Here is a small patch that has been tested sucessfully on Windows XP SP2
with DEP "AlwaysOn" enabled (where LSADUMP2 failed).

Regards,
- Nicolas RUFF
Security researcher @ EADS-CCR

---------------------------------------------------------------

diff lsadump2/dumplsa.c lsadump3/dumplsa.c
34a35
> #define BUF_SIZE 1024
110c111
< char szBuffer[1000];

---
>     char szBuffer[BUF_SIZE];
137c138
<     TCHAR szBuffer[300];
---
>     TCHAR szBuffer[BUF_SIZE];
189c190
<         WCHAR wszSecret[500];
---
>         WCHAR wszSecret[BUF_SIZE];
230c231
<             char szSecret[500];
---
>             char szSecret[BUF_SIZE];
242a244
> 			lsaData = NULL;
diff lsadump2/lsadump2.c lsadump3/lsadump2.c
261c261
<                                    MEM_COMMIT, PAGE_READWRITE);
---
>                                    MEM_COMMIT, PAGE_EXECUTE_READWRITE);
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:55 EDT