| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <432ADE63.9020605@gmail.com> Date: Fri Sep 16 16:02:13 2005 From: nicolas.ruff at gmail.com (Nicolas RUFF) Subject: LSADump2 Crashing Windows > This is a bug in lsadump2 - there's a type mismatch in one of the > functions, although I forget which one. Something is a pointer which > shouldn't be, or vice versa. Once you fix that, it'll be good to go. Are you sure about that ? After investigating deeper, I found several problems in LSADUMP2 : - Buffers too small (300 bytes for the smallest) - Allocated memory not flagged as executable (that is why LSADUMP2 is not compatible with the NX flag) - Reuse of freed memory Here is a small patch that has been tested sucessfully on Windows XP SP2 with DEP "AlwaysOn" enabled (where LSADUMP2 failed). Regards, - Nicolas RUFF Security researcher @ EADS-CCR --------------------------------------------------------------- diff lsadump2/dumplsa.c lsadump3/dumplsa.c 34a35 > #define BUF_SIZE 1024 110c111 < char szBuffer[1000]; --- > char szBuffer[BUF_SIZE]; 137c138 < TCHAR szBuffer[300]; --- > TCHAR szBuffer[BUF_SIZE]; 189c190 < WCHAR wszSecret[500]; --- > WCHAR wszSecret[BUF_SIZE]; 230c231 < char szSecret[500]; --- > char szSecret[BUF_SIZE]; 242a244 > lsaData = NULL; diff lsadump2/lsadump2.c lsadump3/lsadump2.c 261c261 < MEM_COMMIT, PAGE_READWRITE); --- > MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Powered by blists - more mailing lists