Full Disclosure mailing list archives
Re: LSADump2 Crashing Windows
From: Nicolas RUFF <nicolas.ruff () gmail com>
Date: Mon, 19 Sep 2005 18:22:13 +0200
More on the LSADUMP2 / XP SP2 incompatibility...

The root of the problem lies inside LSASRV.DLL. You already know that the LSASS process has been plagued by many memory leaks over the years:
http://support.microsoft.com/search/default.aspx?qu=lsass+leak

With XP SP2, Microsoft added many memory management checks, and the LsarQuerySecret() function called by LSADUMP2 has changed. There is an additional check on the pLsaData parameter; if pLsaData != NULL or pLsaData.Buffer != NULL, LocalFree() is called before reallocating the buffer (see code below).

After the LsaFreeMemory() call in LSADUMP2, pLsaData memory is de-allocated but pLsaData is not set to NULL, so calling LsarQuerySecret() a second time will trigger a "double free"-like error.

Fix: add "lsaData = NULL;" after "LsaFreeMemory(lsaData);".

Regards,
- Nicolas RUFF
Security researcher @ EADS-CCR

XP SP1
------
.text:74544733 mov     [ebp+var_C], ebx
.text:74544736 mov     [ebp+var_10], ebx
.text:74544739 mov     [ebp+var_8], ebx
.text:7454473C mov     [ebp+var_2], bl
.text:7454473F mov     byte ptr [ebp+var_1], bl
.text:74544742 call    _LsapTraceEvent@8 ; LsapTraceEvent(x,x)
.text:74544747 cmp     [esi+47h], bl
.text:7454474A jnz     loc_74556A1E
.text:74544750
.text:74544750 loc_74544750:
.text:74544750 mov     al, [esi+45h]
.text:74544753 cmp     al, bl
.text:74544755 jz      loc_745412C9
.text:7454475B
.text:7454475B loc_7454475B:
.text:7454475B cmp     al, bl
.text:7454475D push    edi
.text:7454475E mov     edi, 3000001h
.text:74544763 jz      loc_745412B2
.text:74544769
.text:74544769 loc_74544769:
.text:74544769 push    edi             ; AuthnSvc
.text:7454476A push    4               ; int
.text:7454476C push    4               ; int
.text:7454476E push    2               ; AuthnLevel
.text:74544770 push    [ebp+arg_0]     ; int
.text:74544773 call    _LsapDbReferenceObject@20

XP SP2
------
.text:756CC465 mov     [ebp+var_C], ebx
.text:756CC468 mov     [ebp+var_10], ebx
.text:756CC46B mov     [ebp+var_8], ebx
.text:756CC46E mov     [ebp+var_2], bl
.text:756CC471 mov     byte ptr [ebp+var_1], bl
.text:756CC474 call    _LsapTraceEvent@8 ; LsapTraceEvent(x,x)
.text:756CC479 cmp     [esi+47h], bl
.text:756CC47C jnz     loc_756E8A6E
.text:756CC482
.text:756CC482 loc_756CC482:
.text:756CC482 cmp     [esi+45h], bl
.text:756CC485 jnz     short loc_756CC491
.text:756CC487 test    byte ptr [esi+58h], 1
.text:756CC48B jnz     loc_756E8A81
.text:756CC491
.text:756CC491 loc_756CC491:
.text:756CC491 mov     eax, [ebp+arg_pLsaData]
.text:756CC494 cmp     eax, ebx
.text:756CC496 jz      short pLsaData_or_LsaData_length_is_NULL
.text:756CC498 mov     eax, [eax]
.text:756CC49A cmp     eax, ebx
.text:756CC49C jnz     pLsaData_or_LsaData_length_is_not_NULL
.text:756CC4A2
.text:756CC4A2 pLsaData_or_LsaData_length_is_NULL:
.text:756CC4A2 push    edi
.text:756CC4A3 mov     edi, [ebp+arg_pOldLsaData]
.text:756CC4A6 cmp     edi, ebx
.text:756CC4A8 jnz     pOldLsaData_is_not_NULL
.text:756CC4AE
.text:756CC4AE pOldLsaData_is_NULL:
.text:756CC4AE cmp     [esi+45h], bl
.text:756CC4B1 jnz     short loc_756CC4C9
.text:756CC4B3 lea     eax, [ebp+var_8]
.text:756CC4B6 push    eax
.text:756CC4B7 push    [ebp+arg_hSecret]
.text:756CC4BA call    _LsapCrServerGetSessionKey@8
.text:756CC4BF mov     esi, eax
.text:756CC4C1 cmp     esi, ebx
.text:756CC4C3 jl      loc_756DFA34
.text:756CC4C9
.text:756CC4C9 loc_756CC4C9:
.text:756CC4C9 push    3000001h
.text:756CC4CE push    4
.text:756CC4D0 push    4
.text:756CC4D2 push    2
.text:756CC4D4 push    [ebp+arg_hSecret]
.text:756CC4D7 call    _LsapDbReferenceObject@20
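The dangling-pointer pattern the post describes, as an added example that is not code from the post, from LSADUMP2 or from LSASRV.DLL: a small C model in which a stand-in for the SP2 LsarQuerySecret() frees the caller-supplied result block when the pointer and its Buffer are both non-NULL, next to the two caller loops (the original "free but leave the pointer dangling" and the one-line fix). The allocation tracker, the LSA_UNICODE_STRING stand-in, the function names (model_query_secret, dump_secrets_buggy, dump_secrets_fixed) and the sample secret names are all constructed for this example; the tracker only marks blocks freed instead of releasing them, so the second query's read of the stale pointer is well defined here and the double free is reported rather than crashing the process.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for LSA_UNICODE_STRING; only the fields the model uses. */
typedef struct {
    unsigned short Length;
    unsigned short MaximumLength;
    unsigned short *Buffer;
} LSA_UNICODE_STRING;

/* Tiny allocation tracker standing in for the LSASS heap. Freed blocks are only
 * marked, not handed back to the C runtime, so a stale pointer can still be
 * read (defined behaviour in this model) and a second free is counted instead
 * of corrupting a real heap. */
#define MAX_SLOTS 32
static struct { void *ptr; int freed; } slots[MAX_SLOTS];
static int nslots;
static int double_frees;

static void *tracked_alloc(size_t n) {
    if (nslots == MAX_SLOTS) return NULL;
    void *p = calloc(1, n);
    if (p) { slots[nslots].ptr = p; slots[nslots].freed = 0; nslots++; }
    return p;
}

/* Returns 0 on a valid free, -1 on a double free or an unknown pointer. */
static int tracked_free(void *p) {
    for (int i = 0; i < nslots; i++) {
        if (slots[i].ptr != p) continue;
        if (slots[i].freed) { double_frees++; return -1; }
        slots[i].freed = 1;
        return 0;
    }
    return -1;
}

void tracker_reset(void) {
    for (int i = 0; i < nslots; i++) free(slots[i].ptr);
    nslots = 0;
    double_frees = 0;
}

int tracker_double_frees(void) { return double_frees; }

/* Model of the XP SP2 LsarQuerySecret() behaviour the post describes: when the
 * caller-supplied pointer and its Buffer are both non-NULL, the previous block
 * is freed (LocalFree in the real code) before a new one is allocated. The
 * secret value is passed in as ASCII instead of being read from the policy DB. */
int model_query_secret(const char *secret, LSA_UNICODE_STRING **ppData) {
    if (ppData == NULL) return -1;
    if (*ppData != NULL && (*ppData)->Buffer != NULL) {
        /* a dangling *ppData from the caller lands here: second free of one block */
        if (tracked_free(*ppData) != 0) return -2;   /* where SP2 LSASS would die */
    }
    size_t n = strlen(secret);
    LSA_UNICODE_STRING *s = tracked_alloc(sizeof *s + (n + 1) * sizeof(unsigned short));
    if (s == NULL) return -1;
    s->Buffer = (unsigned short *)(s + 1);           /* string lives in the same block */
    for (size_t i = 0; i < n; i++) s->Buffer[i] = (unsigned char)secret[i];
    s->Length = (unsigned short)(n * 2);
    s->MaximumLength = (unsigned short)((n + 1) * 2);
    *ppData = s;
    return 0;
}

/* LSADUMP2's loop as the post describes it: LsaFreeMemory() is called, but the
 * pointer keeps the freed address, so the second query frees the block again. */
int dump_secrets_buggy(const char *const *secrets, int count) {
    LSA_UNICODE_STRING *lsaData = NULL;
    for (int i = 0; i < count; i++) {
        if (model_query_secret(secrets[i], &lsaData) != 0) return -1;
        printf("%s: %u bytes\n", secrets[i], (unsigned)lsaData->Length);
        tracked_free(lsaData);          /* LsaFreeMemory(lsaData); */
        /* lsaData still points at the freed block */
    }
    return 0;
}

/* The one-line fix from the post: null the pointer right after freeing it. */
int dump_secrets_fixed(const char *const *secrets, int count) {
    LSA_UNICODE_STRING *lsaData = NULL;
    for (int i = 0; i < count; i++) {
        if (model_query_secret(secrets[i], &lsaData) != 0) return -1;
        printf("%s: %u bytes\n", secrets[i], (unsigned)lsaData->Length);
        tracked_free(lsaData);          /* LsaFreeMemory(lsaData); */
        lsaData = NULL;                 /* fix: no stale pointer for the next call */
    }
    return 0;
}

/* Constructed sample secret values (not real LSA secrets). */
const char *const SAMPLE_SECRETS[] = { "secret-a", "secret-b", "secret-c" };
const int SAMPLE_COUNT = 3;

int main(void) {
    tracker_reset();
    printf("buggy loop: rc=%d, double frees=%d\n",
           dump_secrets_buggy(SAMPLE_SECRETS, SAMPLE_COUNT), tracker_double_frees());
    tracker_reset();
    printf("fixed loop: rc=%d, double frees=%d\n",
           dump_secrets_fixed(SAMPLE_SECRETS, SAMPLE_COUNT), tracker_double_frees());
    tracker_reset();
    return 0;
}
```

The buggy loop survives its first iteration (the pointer starts out NULL, so the SP2 check is skipped) and fails on the second, which is exactly the "works once, crashes on the next secret" symptom; the same stale pointer is harmless against the SP1 code path, which never inspects it. The fix costs one assignment and is the general rule for any out-parameter an API may free on your behalf.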