Bugtraq mailing list archives
Re: NT WinLogon VM contains plaintext password visible in admin mode
From: mad.nutter () MINDLESS COM (Chris Paget)
Date: Thu, 9 Dec 1999 10:42:45 GMT
The API call used is ReadProcessMemory - according to MSDN: "Before any data transfer occurs, the system verifies that all data in the base address and memory of the specified size is accessible for read access. If this is the case, the function proceeds; otherwise, the function fails." In this situation, the function fails. It may well be possible to get around this (probably producing access violations in the process) some other way; attaching a debugger (such as MSVC) to the winlogon process does not work - it is unable to read the first 64k bytes of memory, but is quite happy to disassemble the code (probably because it uses the same API call). Also, when you stop debugging, you will terminate winlogon, and hence kill NT. As far as allowing the process to be debugged goes, all aministrators are by default granted SeDebugPrivilege, which allows them to debug practically anything - including winlogon, afaik. Alternatively, it may be possible to recover the memory space from either a Windows 2000 hiberfil.sys, or Windows NT's memory.dmp after a bluescreen; possible even the actual pagefile. In fact, if the passwords are stored in plaintext, it should be possible by any number of means. -- Chris Paget C++ Developer - NetInvest LTD. chris.paget () netinvest co uk On Wed, 08 Dec 1999 17:38:18 -0500, you wrote:
When you say the first 10,000 bytes are not accessable, do you mean that is valid memory, probobly where the passwords are stored, but the system has been hard coded to deny access to it using the debug apis? What if you set the global flag to enable debugging of winlogon? Or did you have to do that already?
Current thread:
- Re: NT WinLogon VM contains plaintext password visible in admin mode David LeBlanc (Dec 07)
- <Possible follow-ups>
- FW: NT WinLogon VM contains plaintext password visible in admin mode XB (Dec 07)
- Re: NT WinLogon VM contains plaintext password visible in admin mode Chris Paget (Dec 09)
- Re: NT WinLogon VM contains plaintext password visible in admin mode .rain.forest.puppy. (Dec 14)