Re: [Full-disclosure] LSADump2 Crashing Windows

[Nicolas RUFF <nicolas.ruff@xxxxxxxxx>]

> This is a bug in lsadump2 - there's a type mismatch in one of the
> functions, although I forget which one. Something is a pointer which
> shouldn't be, or vice versa. Once you fix that, it'll be good to go.

Are you sure about that ?
After investigating deeper, I found several problems in LSADUMP2 :
- Buffers too small (300 bytes for the smallest)
- Allocated memory not flagged as executable (that is why LSADUMP2 is
not compatible with the NX flag)
- Reuse of freed memory

Here is a small patch that has been tested sucessfully on Windows XP SP2
with DEP "AlwaysOn" enabled (where LSADUMP2 failed).

Regards,
- Nicolas RUFF
Security researcher @ EADS-CCR

---------------------------------------------------------------

diff lsadump2/dumplsa.c lsadump3/dumplsa.c
34a35
> #define BUF_SIZE 1024
110c111
<     char szBuffer[1000];
---
>     char szBuffer[BUF_SIZE];
137c138
<     TCHAR szBuffer[300];
---
>     TCHAR szBuffer[BUF_SIZE];
189c190
<         WCHAR wszSecret[500];
---
>         WCHAR wszSecret[BUF_SIZE];
230c231
<             char szSecret[500];
---
>             char szSecret[BUF_SIZE];
242a244
>                       lsaData = NULL;

diff lsadump2/lsadump2.c lsadump3/lsadump2.c
261c261
<                                    MEM_COMMIT, PAGE_READWRITE);
---
>                                    MEM_COMMIT, PAGE_EXECUTE_READWRITE);
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/