From: Nicolas RUFF (nicolas.ruff@gmail.com)
Date: Fri Sep 16 2005 - 11:07:48 EDT
Hello,
After investigating deeper, I found several problems in LSADUMP2:
- Buffers too small (300 bytes for the smallest)
- Allocated memory not flagged as executable (that is why LSADUMP2 is
not compatible with the NX flag)
- Reuse of freed memory
Here is a small patch that has been tested successfully on Windows XP SP2
with DEP "AlwaysOn" enabled (where LSADUMP2 failed).
Regards,
- Nicolas RUFF
Security researcher @ EADS-CCR
---------------------------------------------------------------
diff lsadump2/dumplsa.c lsadump3/dumplsa.c
34a35
> #define BUF_SIZE 1024
110c111
< char szBuffer[1000];
--- > char szBuffer[BUF_SIZE]; 137c138 < TCHAR szBuffer[300]; --- > TCHAR szBuffer[BUF_SIZE]; 189c190 < WCHAR wszSecret[500]; --- > WCHAR wszSecret[BUF_SIZE]; 230c231 < char szSecret[500]; --- > char szSecret[BUF_SIZE]; 242a244 > lsaData = NULL; diff lsadump2/lsadump2.c lsadump3/lsadump2.c 261c261 < MEM_COMMIT, PAGE_READWRITE); --- > MEM_COMMIT, PAGE_EXECUTE_READWRITE);
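Review bot: on hunk 34a35, `#define BUF_SIZE 1024` raises every limit in one place, which is good for maintenance, but a larger array is still a fixed limit and not a bounds check; the diff does not show whether the code that fills szBuffer, wszSecret and szSecret compares the incoming length against BUF_SIZE before writing, and if it does not, the overflow the old 300/500/1000-element arrays allowed is only pushed out to a longer input. A comment on the define saying what BUF_SIZE is meant to hold, and that it is an element count rather than a byte count, would help the next reader.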
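Review bot: on hunk 189c190, `WCHAR wszSecret[BUF_SIZE]` holds BUF_SIZE wide characters, i.e. 2048 bytes, while an LSA_UNICODE_STRING (the likely source, given the tool's purpose) reports its Length in bytes; any copy into this array must convert bytes to WCHAR elements, or compare against sizeof(wszSecret), rather than against BUF_SIZE directly. The same byte-versus-element question applies to the TCHAR szBuffer in 137c138 when the tool is built with UNICODE defined. Worth checking at the call site, which this diff does not include.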
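Review bot: on hunk 242a244, `lsaData = NULL;` after the release is the right idiom for the "reuse of freed memory" item, but it only helps if every later path tests lsaData for NULL before dereferencing or freeing it again, and if this assignment sits in the same scope as the free call; the single added line gives no context to confirm either. A short comment next to the assignment, such as `/* freed; must not be reused */`, would document the intent.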
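Review bot: on hunk 261c261, committing with PAGE_EXECUTE_READWRITE makes the region writable and executable at the same time, which is exactly the combination DEP exists to rule out, so this fix works by opting out of the protection rather than cooperating with it. The least-privilege pattern is to commit as PAGE_READWRITE, write the data, then change the protection with VirtualProtect/VirtualProtectEx to PAGE_EXECUTE_READ so that no page is ever both writable and executable; if that is not practical here, the reason deserves a comment at this call.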
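An added example, not part of Nicolas's patch or of LSADUMP2 itself, showing the two defensive fixes behind the "buffers too small" and "reuse of freed memory" items as portable C: a length-checked copy from an LSA_UNICODE_STRING-style structure into a BUF_SIZE buffer (converting the byte length the LSA reports into WCHAR elements), and a release that nulls the caller's pointer. The lsa_string_t type is a constructed stand-in for the Win32 struct so the code builds off Windows, and lsa_copy_bounded, lsa_release and copy_secret_of_len are names assumed here.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 1024   /* element count, as in the patch */

/* Constructed stand-in for Win32 LSA_UNICODE_STRING so this builds off
 * Windows: Length is a BYTE count and Buffer is not NUL-terminated. */
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    uint16_t *Buffer;               /* UTF-16 code units, like PWSTR */
} lsa_string_t;

/* Copy src into dst (cap elements) and NUL-terminate. Returns the units
 * stored, or -1 if it would not fit; never writes past dst[cap-1]. */
int lsa_copy_bounded(uint16_t *dst, size_t cap, const lsa_string_t *src)
{
    if (dst == NULL || cap == 0) return -1;
    if (src == NULL || src->Buffer == NULL) { dst[0] = 0; return 0; }
    size_t units = src->Length / sizeof(uint16_t);   /* bytes -> elements */
    if (units >= cap) { dst[0] = 0; return -1; }      /* keep room for NUL */
    memcpy(dst, src->Buffer, units * sizeof(uint16_t));
    dst[units] = 0;
    return (int)units;
}

/* Free an LSA-style string and null the caller's pointer so later code
 * cannot reuse freed memory (the idea behind `lsaData = NULL;`). */
void lsa_release(lsa_string_t **pp)
{
    if (pp == NULL || *pp == NULL) return;
    free((*pp)->Buffer);
    free(*pp);
    *pp = NULL;
}

/* Constructed sample: build a secret of n code units (heap, unterminated),
 * copy it into a BUF_SIZE buffer, release it. Returns the copy result. */
int copy_secret_of_len(size_t n)
{
    uint16_t buf[BUF_SIZE];
    lsa_string_t *s = calloc(1, sizeof *s);
    s->Buffer = malloc(n * sizeof(uint16_t));
    for (size_t i = 0; i < n; i++) s->Buffer[i] = (uint16_t)('A' + i % 26);
    s->Length = s->MaximumLength = (uint16_t)(n * sizeof(uint16_t));
    int rc = lsa_copy_bounded(buf, BUF_SIZE, s);
    lsa_release(&s);
    return s == NULL ? rc : -2;     /* -2 would mean a dangling pointer */
}
```

A 1024-unit secret is rejected even though the array has 1024 slots, because one is reserved for the terminator.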
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:55 EDT