Re: [Full-disclosure] LSADump2 Crashing Windows
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] LSADump2 Crashing Windows
- From: Nicolas RUFF <nicolas.ruff@xxxxxxxxx>
- Date: Mon, 19 Sep 2005 18:22:13 +0200
More on LSADUMP2 / XP SP2 incompatibility ...
The root of the problem lies inside LSASRV.DLL. You already know that
the LSASS process has been plagued by many memory leaks over the years:
http://support.microsoft.com/search/default.aspx?qu=lsass+leak
With XP SP2, Microsoft added many memory management checks, and the
LsarQuerySecret() function called by LSADUMP2 has changed. There is an
additional check on the pLsaData parameter; if pLsaData != NULL or
pLsaData.Buffer != NULL, LocalFree() is called before reallocating the
buffer (see code below).
After the LsaFreeMemory() call in LSADUMP2, pLsaData memory is
de-allocated but pLsaData is not set to NULL, so calling
LsarQuerySecret() a second time will trigger a "double free"-like error.
Fix: add "lsaData = NULL;" after "LsaFreeMemory (lsaData);".
Regards,
- Nicolas RUFF
Security researcher @ EADS-CCR
XP SP1
------
.text:74544733 mov [ebp+var_C], ebx
.text:74544736 mov [ebp+var_10], ebx
.text:74544739 mov [ebp+var_8], ebx
.text:7454473C mov [ebp+var_2], bl
.text:7454473F mov byte ptr [ebp+var_1], bl
.text:74544742 call _LsapTraceEvent@8 ; LsapTraceEvent(x,x)
.text:74544747 cmp [esi+47h], bl
.text:7454474A jnz loc_74556A1E
.text:74544750
.text:74544750 loc_74544750:
.text:74544750 mov al, [esi+45h]
.text:74544753 cmp al, bl
.text:74544755 jz loc_745412C9
.text:7454475B
.text:7454475B loc_7454475B:
.text:7454475B cmp al, bl
.text:7454475D push edi
.text:7454475E mov edi, 3000001h
.text:74544763 jz loc_745412B2
.text:74544769
.text:74544769 loc_74544769:
.text:74544769 push edi ; AuthnSvc
.text:7454476A push 4 ; int
.text:7454476C push 4 ; int
.text:7454476E push 2 ; AuthnLevel
.text:74544770 push [ebp+arg_0] ; int
.text:74544773 call _LsapDbReferenceObject@20
XP SP2
------
.text:756CC465 mov [ebp+var_C], ebx
.text:756CC468 mov [ebp+var_10], ebx
.text:756CC46B mov [ebp+var_8], ebx
.text:756CC46E mov [ebp+var_2], bl
.text:756CC471 mov byte ptr [ebp+var_1], bl
.text:756CC474 call _LsapTraceEvent@8 ; LsapTraceEvent(x,x)
.text:756CC479 cmp [esi+47h], bl
.text:756CC47C jnz loc_756E8A6E
.text:756CC482
.text:756CC482 loc_756CC482:
.text:756CC482 cmp [esi+45h], bl
.text:756CC485 jnz short loc_756CC491
.text:756CC487 test byte ptr [esi+58h], 1
.text:756CC48B jnz loc_756E8A81
.text:756CC491
.text:756CC491 loc_756CC491:
.text:756CC491 mov eax, [ebp+arg_pLsaData]
.text:756CC494 cmp eax, ebx
.text:756CC496 jz short pLsaData_or_LsaData_length_is_NULL
.text:756CC498 mov eax, [eax]
.text:756CC49A cmp eax, ebx
.text:756CC49C jnz pLsaData_or_LsaData_length_is_not_NULL
.text:756CC4A2
.text:756CC4A2 pLsaData_or_LsaData_length_is_NULL:
.text:756CC4A2 push edi
.text:756CC4A3 mov edi, [ebp+arg_pOldLsaData]
.text:756CC4A6 cmp edi, ebx
.text:756CC4A8 jnz pOldLsaData_is_not_NULL
.text:756CC4AE
.text:756CC4AE pOldLsaData_is_NULL:
.text:756CC4AE cmp [esi+45h], bl
.text:756CC4B1 jnz short loc_756CC4C9
.text:756CC4B3 lea eax, [ebp+var_8]
.text:756CC4B6 push eax
.text:756CC4B7 push [ebp+arg_hSecret]
.text:756CC4BA call _LsapCrServerGetSessionKey@8
.text:756CC4BF mov esi, eax
.text:756CC4C1 cmp esi, ebx
.text:756CC4C3 jl loc_756DFA34
.text:756CC4C9
.text:756CC4C9 loc_756CC4C9:
.text:756CC4C9 push 3000001h
.text:756CC4CE push 4
.text:756CC4D0 push 4
.text:756CC4D2 push 2
.text:756CC4D4 push [ebp+arg_hSecret]
.text:756CC4D7 call _LsapDbReferenceObject@20
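The free-before-reallocate convention and the dangling-pointer caller described in the post, as an added example that is not code from the original message, from LSADUMP2 or from LSASRV.DLL. The names model_query_secret, tracked_alloc, tracked_free, caller_buggy and caller_fixed are hypothetical, and the small instrumented allocator stands in for the process heap so that a free of an already-freed block is reported as an error code instead of corrupting memory:

```c
/*
 * Added example (not from the original post, LSADUMP2 or LSASRV.DLL).
 * Models a server routine that frees a caller-supplied buffer before
 * reallocating it, and a caller that frees that buffer between calls
 * but leaves the pointer dangling. An instrumented allocator records
 * live blocks so the stale free is detected rather than executed.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 16

/* Table of blocks currently handed out by tracked_alloc(). */
static void *live[MAX_LIVE];

static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    if (p == NULL) return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == NULL) { live[i] = p; return p; }
    }
    free(p);                      /* tracking table full */
    return NULL;
}

/* Returns 1 if p was live (or NULL) and is now released; returns 0 and
 * does NOT call free() if p is not a live block, i.e. a double free. */
static int tracked_free(void *p) {
    if (p == NULL) return 1;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return 1; }
    }
    return 0;
}

/* Hypothetical stand-in for the SP2-style LsarQuerySecret() path: if the
 * output pointer already holds a buffer, release it before allocating the
 * new one. Return codes: 0 ok, -1 bad argument, -2 stale (already freed)
 * buffer passed in, -3 allocation failure. */
static int model_query_secret(char **pLsaData, const char *secret) {
    if (pLsaData == NULL) return -1;
    if (*pLsaData != NULL && !tracked_free(*pLsaData)) {
        return -2;                /* caller handed us a dangling pointer */
    }
    *pLsaData = tracked_alloc(strlen(secret) + 1);
    if (*pLsaData == NULL) return -3;
    strcpy(*pLsaData, secret);
    return 0;
}

/* Caller shaped like the pre-fix loop: query, free, query again without
 * clearing the pointer. Returns the status of the second query. */
static int caller_buggy(void) {
    char *lsaData = NULL;
    model_query_secret(&lsaData, "first");
    tracked_free(lsaData);        /* LsaFreeMemory(lsaData) equivalent */
    /* lsaData still points at freed memory here */
    return model_query_secret(&lsaData, "second");
}

/* Same sequence with the one-line fix: clear the pointer after freeing. */
static int caller_fixed(void) {
    char *lsaData = NULL;
    model_query_secret(&lsaData, "first");
    tracked_free(lsaData);
    lsaData = NULL;               /* the fix from the post */
    int rc = model_query_secret(&lsaData, "second");
    tracked_free(lsaData);
    return rc;
}

int main(void) {
    printf("buggy caller: second query returned %d\n", caller_buggy());
    printf("fixed caller: second query returned %d\n", caller_fixed());
    return 0;
}
```

With a real heap the stale pointer would reach LocalFree() and corrupt allocator metadata; here the second query simply fails with -2 for the buggy caller and succeeds with 0 once the pointer is cleared after the free.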