Re: [Full-disclosure] LSADump2 Crashing Windows

From: Nicolas RUFF (nicolas.ruffgmail.com)
Date: Fri Sep 16 2005 - 10:01:55 CDT


> This is a bug in lsadump2 - there's a type mismatch in one of the
> functions, although I forget which one. Something is a pointer which
> shouldn't be, or vice versa. Once you fix that, it'll be good to go.

Are you sure about that?
After investigating deeper, I found several problems in LSADUMP2:
- Buffers too small (300 bytes for the smallest)
- Allocated memory not flagged as executable (that is why LSADUMP2 is
not compatible with the NX flag)
- Reuse of freed memory

Here is a small patch that has been tested successfully on Windows XP SP2
with DEP "AlwaysOn" enabled (where LSADUMP2 failed).

Regards,
- Nicolas RUFF
Security researcher EADS-CCR

---------------------------------------------------------------

diff lsadump2/dumplsa.c lsadump3/dumplsa.c
34a35
> #define BUF_SIZE 1024
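Review bot: one constant now sizes four buffers that previously had different sizes (1000, 300, 500, 500), but nothing in the hunk says where 1024 comes from or what maximum it is meant to cover; a comment stating that limit, and the callers passing BUF_SIZE (or sizeof of the array) as the destination length instead of a literal, is what actually closes the "buffers too small" item described in the mail.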
110c111
< char szBuffer[1000];
---
> char szBuffer[BUF_SIZE];
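Review bot: only the declaration changes here; if the code that fills szBuffer around line 110 passes a literal length or uses an unbounded sprintf/strcpy, it needs to be updated in the same change to use sizeof(szBuffer), otherwise the larger array gives no guarantee that the write stays inside it.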
137c138
< TCHAR szBuffer[300];
---
> TCHAR szBuffer[BUF_SIZE];
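Review bot: this szBuffer is TCHAR, so BUF_SIZE is an element count and the array occupies 2*BUF_SIZE bytes in a UNICODE build; check that the length handed to the call that fills it is in the unit that call expects (characters for most string APIs, bytes for LSA_UNICODE_STRING lengths), since a bytes-versus-characters mix-up is exactly what the original 300-element buffer made easy to hit.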
189c190
< WCHAR wszSecret[500];
---
> WCHAR wszSecret[BUF_SIZE];
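Review bot: an LSA secret arrives as an LSA_UNICODE_STRING whose Length is in bytes and whose Buffer need not be NUL-terminated, so the copy into wszSecret should compare Length / sizeof(WCHAR) against BUF_SIZE - 1 and then write the terminator explicitly; enlarging the array alone still lets an oversized secret overrun it.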
230c231
< char szSecret[500];
---
> char szSecret[BUF_SIZE];
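Review bot: if szSecret receives a narrow conversion of wszSecret, the narrow buffer needs the same bound check as the wide one and the conversion routine must be given sizeof(szSecret) as its output size; a multibyte code page can emit more than one byte per wide character, so equal element counts in the two arrays do not mean the result fits.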
242a244
> lsaData = NULL;
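Review bot: clearing lsaData after it is released is the right fix for the "reuse of freed memory" item, but it only helps if every later consumer tests the pointer for NULL before dereferencing it or releasing it a second time; please also confirm the assignment sits directly after the release call so no use can slip in between.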

diff lsadump2/lsadump2.c lsadump3/lsadump2.c
261c261
< MEM_COMMIT, PAGE_READWRITE);
---
> MEM_COMMIT, PAGE_EXECUTE_READWRITE);
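Review bot: PAGE_EXECUTE_READWRITE clears the DEP failure but leaves the region both writable and executable for its whole lifetime; if the region is written once and then only executed, allocate it PAGE_READWRITE, fill it, and switch it to PAGE_EXECUTE_READ with VirtualProtectEx before it is used, which is the smallest protection that still works with DEP "AlwaysOn".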
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
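Two of the three problems the mail lists, undersized buffers and reuse of freed memory, come down to a bounded copy of an LSA_UNICODE_STRING and a pointer that is cleared when its memory is released. The following is an added example written for this archive page; it is not code from lsadump2 or lsadump3. It assumes local stand-in definitions of WCHAR and LSA_UNICODE_STRING that mirror the Windows layout (16-bit units, lengths in bytes, no terminator), so it builds and runs outside Windows; the executable-memory item is Windows-specific and is not covered here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Local stand-ins (assumption: they mirror the Windows definitions so this
 * builds off-Windows): WCHAR is a 16-bit unit and LSA_UNICODE_STRING keeps
 * its lengths in BYTES with no guarantee of a terminating NUL. */
typedef uint16_t WCHAR;
typedef struct {
    uint16_t Length;        /* bytes in use, terminator not counted */
    uint16_t MaximumLength; /* bytes allocated */
    WCHAR   *Buffer;        /* may be unterminated */
} LSA_UNICODE_STRING;

#define BUF_SIZE 1024       /* the constant the patch introduces */

/* Bounded copy of an LSA_UNICODE_STRING into a fixed WCHAR array.
 * cap is the ELEMENT count of dst (BUF_SIZE, or sizeof(dst)/sizeof(dst[0])).
 * Returns the number of characters copied, or -1 when the secret plus its
 * terminator would not fit; dst is always left NUL-terminated. */
int copy_lsa_string(WCHAR *dst, size_t cap, const LSA_UNICODE_STRING *src)
{
    size_t chars = src->Length / sizeof(WCHAR);   /* bytes -> characters */
    if (cap == 0)
        return -1;
    if (chars > cap - 1) {                        /* keep room for the NUL */
        dst[0] = 0;
        return -1;
    }
    memcpy(dst, src->Buffer, chars * sizeof(WCHAR));
    dst[chars] = 0;
    return (int)chars;
}

/* The "lsaData = NULL" idea generalised: release through a helper that also
 * clears the caller's pointer, so no stale copy survives to be reused. */
void release_and_clear(void **p)
{
    free(*p);
    *p = NULL;
}

/* Constructed sample: fabricate a secret of nchars 16-bit 'A' units and run
 * it through copy_lsa_string against a BUF_SIZE destination. */
int demo_copy(size_t nchars)
{
    WCHAR dst[BUF_SIZE];
    WCHAR *raw = malloc(nchars * sizeof(WCHAR));
    if (raw == NULL)
        return -2;
    for (size_t i = 0; i < nchars; i++)
        raw[i] = (WCHAR)'A';

    LSA_UNICODE_STRING s;
    s.Length = (uint16_t)(nchars * sizeof(WCHAR));
    s.MaximumLength = s.Length;
    s.Buffer = raw;

    int copied = copy_lsa_string(dst, BUF_SIZE, &s);
    release_and_clear((void **)&raw);             /* raw is NULL from here on */
    return copied;
}

/* Shows that release_and_clear leaves nothing behind to dereference. */
bool release_clears_pointer(void)
{
    void *p = malloc(16);
    if (p == NULL)
        return false;
    release_and_clear(&p);
    return p == NULL;
}

int main(void)
{
    printf("500 chars  -> %d\n", demo_copy(500));    /* fits: 500 */
    printf("1023 chars -> %d\n", demo_copy(1023));   /* fits exactly: 1023 */
    printf("1024 chars -> %d\n", demo_copy(1024));   /* rejected: -1 */
    printf("pointer cleared: %s\n", release_clears_pointer() ? "yes" : "no");
    return 0;
}
```

The check is written against the element count, not the byte count, because that is the unit a fixed WCHAR array is declared in; the divide by sizeof(WCHAR) is where the LSA byte length is converted, and keeping that conversion in one place is what stops the two units from being mixed at call sites.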